Gogs throws a "Permission denied" error when I delete public key file from client


I just installed Gogs (Go Git Server) on a Raspberry Pi3 using the official gogs/gogs-rpi docker image, which I run as suggested:

docker run --name=gogs -p 10022:22 -p 10080:3000 -v /var/gogs:/data gogs/gogs-rpi

I used my laptop to register an admin user via the Gogs web interface and added a public key to the account. I can now clone git repositories from the pi to my laptop using this command:

git clone ssh://git@192.168.178.50:10022/peter/my_repo.git

I enter the key-phrase and it works just fine.

Now the strange part... When I delete the public key file (id_rsa_gogs.pub) from my laptop and run the above command again I will get an 'access denied' error.

Does anyone know what that could be? I already registered the public key in Gogs. Why do I need to have a version of the public key on the client machine? I never heard of a case in which the public key needs to stay with the client.

Update

If I rm the .pub keyfile and run ssh -Tv git@192.168.178.50 -p 10022 -i /home/peter/.ssh/id_rsa_gogs I get this:

OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /home/peter/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.178.50 [192.168.178.50] port 10022.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/peter/.ssh/id_rsa_gogs type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/peter/.ssh/id_rsa_gogs-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.178.50:10022 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:[REMOVED]
debug1: Host '[192.168.178.50]:10022' is known and matches the ECDSA host key.
debug1: Found key in /home/peter/.ssh/known_hosts:18
debug1: rekey after [REMOVED] blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after [REMOVED] blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/peter/.ssh/id_rsa_gogs
Enter passphrase for key '/home/peter/.ssh/id_rsa_gogs': 
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.178.50 ([192.168.178.50]:10022).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Remote: Forced command.
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: PTY allocation disabled.
debug1: Sending environment.
debug1: Sending env LC_TELEPHONE = de_DE.UTF-8
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env LC_NAME = de_DE.UTF-8
debug1: Sending env LC_MEASUREMENT = de_DE.UTF-8
debug1: Sending env LC_IDENTIFICATION = de_DE.UTF-8
debug1: Sending env LC_MONETARY = de_DE.UTF-8
debug1: Sending env LC_PAPER = de_DE.UTF-8
debug1: Sending env LC_ADDRESS = de_DE.UTF-8
debug1: Sending env LC_NUMERIC = de_DE.UTF-8
Hi there, You've successfully authenticated, but Gogs does not provide shell access.
If this is unexpected, please log in with password and setup Gogs under another user.
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3268, received 3096 bytes, in 0.2 seconds
Bytes per second: sent 15416.0, received 14604.6
debug1: Exit status 0

It seems to fail if I run ssh -Tv git@192.168.178.50 -p 10022 (not specifying the key file directly):

OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /home/peter/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.178.50 [192.168.178.50] port 10022.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/peter/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/peter/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/peter/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/peter/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/peter/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/peter/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/peter/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/peter/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat [REMOVED]
debug1: Authenticating to 192.168.178.50:10022 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:[REMOVED]
debug1: Host '[192.168.178.50]:10022' is known and matches the ECDSA host key.
debug1: Found key in /home/peter/.ssh/known_hosts:[REMOVED]
debug1: rekey after [REMOVED] blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after [REMOVED] blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/peter/.ssh/id_rsa
debug1: Trying private key: /home/peter/.ssh/id_dsa
debug1: Trying private key: /home/peter/.ssh/id_ecdsa
debug1: Trying private key: /home/peter/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).

Check also if the same issue is seen when registering and using an ssh key without any passphrase.

The outcome is the same without passphrase.

I don't know if it matters but I have this inside ~/.ssh/config for Gogs

Host 192.168.178.50:10022
    HostName 192.168.178.50:10022
    IdentityFile ~/.ssh/id_rsa_gogs
    User Peter

There are 2 answers

0
Kenster On BEST ANSWER
Host 192.168.178.50:10022
    HostName 192.168.178.50:10022
    IdentityFile ~/.ssh/id_rsa_gogs
    User Peter

ssh doesn't accept a port number as part of either the Host or Hostname options here. As a result, it's not recognizing that this entry should apply to your connection attempts, and it's not applying the identity file or user.

If you just need to match the IP address, this should work:

Host 192.168.178.50
    Port 10022
    IdentityFile ~/.ssh/id_rsa_gogs
    User Peter

If you really need to match on the port, this should work:

Match host 192.168.178.50 exec "test %p = 10022"
    IdentityFile ~/.ssh/id_rsa_gogs
    User Peter

This runs the test command to test the port value. "%p" will be replaced by the port value that ssh would use up to that point (either the default of 22 or the value from the command line). test is also known as [; it's a command-line utility mostly used in shell scripts as part of an if statement.
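
An added example (not part of Kenster's answer): `ssh -G` prints the options ssh would apply to a target without connecting, which shows that the original stanza never matches and the corrected one does. The temporary config files and the helper names `write_cfg` and `resolved` are constructed here; the stanzas are reduced to their Host, Port and IdentityFile lines.

```shell
#!/bin/sh
# Added example: compare how ssh resolves the two stanzas from this page.
# Only `ssh -G` is used (print effective options, no connection is made).

# write_cfg <broken|fixed> -> prints the path of a temporary config file
write_cfg() {
    f=$(mktemp) || return 1
    case "$1" in
        broken)  # port glued onto Host/HostName: never matches the target
            printf '%s\n' 'Host 192.168.178.50:10022' \
                '    HostName 192.168.178.50:10022' \
                '    IdentityFile ~/.ssh/id_rsa_gogs' > "$f" ;;
        fixed)   # port moved into its own Port option
            printf '%s\n' 'Host 192.168.178.50' \
                '    Port 10022' \
                '    IdentityFile ~/.ssh/id_rsa_gogs' > "$f" ;;
    esac
    printf '%s\n' "$f"
}

# resolved <broken|fixed> <option> [ssh args...]
# -> the value(s) ssh would use for <option> when connecting to the Pi
resolved() {
    cfg=$(write_cfg "$1") || return 1
    key=$2; shift 2
    ssh -G -F "$cfg" "$@" 192.168.178.50 2>/dev/null |
        awk -v k="$key" '$1 == k { print $2 }'
    rm -f "$cfg"
}

# Broken stanza: only the default identity files are listed, as in the
# failing debug log above. Fixed stanza: id_rsa_gogs and port 10022.
echo "broken: $(resolved broken identityfile -p 10022 | tr '\n' ' ')"
echo "fixed:  $(resolved fixed identityfile | tr '\n' ' ')"
echo "fixed port: $(resolved fixed port)"
```

Running `ssh -G` against your real `~/.ssh/config` (drop the `-F` argument) gives the same view for the live setup.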

7
VonC On

Try an ssh -Tv git@192.168.178.50 -p 10022 -i /home/peter/.ssh/id_rsa_gogs in order to understand what is actually causing the error.

Check also if the same issue is seen when registering and using an ssh key without any passphrase. (even though public keys don't have the passphrase)