gitforge/modules
mfenniak 99dd35d3e4 feat: ensure only expected ssh public keys are in authorized_keys file (#10010)
A security vulnerability that was fixed in #9840 had the potential to corrupt the `authorized_keys` file that Forgejo is managing to allow ssh access.  In the event that it was corrupted, the existing behaviour of Forgejo is to maintain the contents that it finds in the `authorized_keys` file, potentially making an exploit of a Forgejo server persistent despite attempts to rewrite the key file.

This feature adds a new layer of security resiliency in order to prevent persistent ssh key corruption.  When Forgejo starts up, if relevant, Forgejo will read the `authorized_keys` file and validate the file's contents.  If any keys are found in the file that are not expected, then Forgejo will terminate its startup in order to signal to the server administrator that a critical security risk is present that must be addressed:

```
2025/11/07 10:13:50 modules/ssh/init.go:86:Init() [F] An unexpected ssh public key was discovered. Forgejo will shutdown to require this to be fixed. Fix by either:
Option 1: Delete the file /home/forgejo/.ssh/authorized_keys, and Forgejo will recreate it with only expected ssh public keys.
Option 2: Permit unexpected keys by setting [server].SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS=true in Forgejo's config file.
        Unexpected key on line 1 of /home/forgejo/.ssh/authorized_keys
        Unexpected key on line 2 of /home/forgejo/.ssh/authorized_keys
        Unexpected key on line 3 of /home/forgejo/.ssh/authorized_keys
        Unexpected key on line 4 of /home/forgejo/.ssh/authorized_keys
        Unexpected key on line 5 of /home/forgejo/.ssh/authorized_keys
```

As noted in the log message, the server administrator can address this problem in one of two ways:
- If they delete the file that contains the unexpected keys, Forgejo will regenerate it containing only the expected keys from the Forgejo database.
- If they would like to run their server with ssh keys that are not managed by Forgejo (for example, if they're reusing a `git` ssh user that is accessed through `git@server` and does not invoke Forgejo's ssh handlers), then they can disable the new security check by setting `[server].SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS = true` in their `app.ini`.

**This is a breaking change**: the default behaviour is to be restrictive in the contents of `authorized_keys` in order to ensure that server administrators with unexpected keys in `authorized_keys` are aware of those keys.

If `SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS=false`, then the behaviour when Forgejo rewrites the `authorized_keys` file is changed to not maintain any unexpected keys in the file.  If the value is `true`, then the old behaviour is retained.

The `doctor check` subcommand is updated to use the new validity routines:
```
[4] Check if OpenSSH authorized_keys file is up-to-date
 - [E] Unexpected key on line 1 of /home/forgejo/.ssh/authorized_keys
 - [E] Key in database is not present in /home/forgejo/.ssh/authorized_keys: ...
 - [E] authorized_keys file "/home/forgejo/.ssh/authorized_keys" contains validity errors.
Regenerate it with:
        "forgejo admin regenerate keys"
or
        "forgejo doctor check --run authorized-keys --fix"
ERROR
```

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
    - **Documentation updates required**; pending initial reviews of this change.
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [x] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10010
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: mfenniak <mfenniak@noreply.codeberg.org>
Co-committed-by: mfenniak <mfenniak@noreply.codeberg.org>
2025-11-09 01:06:04 +01:00
..
actions chore: use code.forgejo.org/forgejo/actions-proto (#9981) 2025-11-05 16:10:52 +01:00
activitypub fix: assorted ActivityPub code only refactors (#8708) 2025-07-28 15:17:29 +02:00
analyze
assetfs fix: follow symlinks for local assets (#8596) 2025-07-22 15:02:47 +02:00
auth chore(cleanup): replaces unnecessary calls to formatting functions by non-formatting equivalents (#7994) 2025-05-29 17:34:29 +02:00
avatar feat: strip EXIF information from uploaded avatars (#9638) 2025-10-13 23:16:17 +02:00
base git/commit: re-implement submodules file reader (#8438) 2025-07-15 00:20:00 +02:00
cache fix: reduce deadlocks merging PRs by using caching for repo issue count stats (#9922) 2025-10-31 23:50:05 +01:00
card
charset feat: update ambigious characters (#7988) 2025-05-29 10:00:12 +02:00
container chore: add new functions to container.Set 2025-10-14 14:40:49 -06:00
csv
emoji chore(cleanup): replaces unnecessary calls to formatting functions by non-formatting equivalents (#7994) 2025-05-29 17:34:29 +02:00
eventsource
forgefed Sent user activities to distant federated server (#8792) 2025-08-06 16:16:13 +02:00
generate
git chore: simplify GetNote (#9985) 2025-11-06 13:23:35 +01:00
gitrepo
graceful feat: enable H2C for the HTTP server (#8861) 2025-08-16 21:00:20 +02:00
hcaptcha
highlight
hostmatcher
html
httpcache
httplib feat: detect Interlisp sources as text (#8377) 2025-07-02 07:38:46 +02:00
indexer Update module github.com/meilisearch/meilisearch-go to v0.34.0 (forgejo) (#9275) 2025-09-14 13:22:15 +02:00
issue/template chore: replace gopkg.in/yaml.v3 with go.yaml.in/yaml/v3 (#8956) 2025-08-20 15:31:12 +02:00
json
keying feat: use keying for task secrets (#9923) 2025-11-03 13:42:32 +01:00
label chore: replace gopkg.in/yaml.v3 with go.yaml.in/yaml/v3 (#8956) 2025-08-20 15:31:12 +02:00
lfs chore: add unit test for SearchPointerBlobs 2025-10-03 14:37:24 +02:00
log feat(log): better parseable and configurable ssh-logs (#9056) 2025-09-11 18:59:24 +02:00
markup fix: use scrollHeight for rendered iframe if offsetHeight is unavailable (#9508) 2025-10-16 15:51:57 +02:00
mcaptcha
metrics
migration chore: replace gopkg.in/yaml.v3 with go.yaml.in/yaml/v3 (#8956) 2025-08-20 15:31:12 +02:00
nosql
optional chore: replace gopkg.in/yaml.v3 with go.yaml.in/yaml/v3 (#8956) 2025-08-20 15:31:12 +02:00
options
packages chore: replace gopkg.in/yaml.v3 with go.yaml.in/yaml/v3 (#8956) 2025-08-20 15:31:12 +02:00
paginator
pprof
private feat(log): better parseable and configurable ssh-logs (#9056) 2025-09-11 18:59:24 +02:00
process
proxy
proxyprotocol
public add model viewer for .glb (GLTF) model in file view (#8111) 2025-06-21 14:42:35 +02:00
queue fix: reduce deadlocks merging PRs w/ async label stat recalcs (#9868) 2025-10-31 02:12:36 +01:00
recaptcha
references fix: pull request cross references (#7979) 2025-05-28 14:50:05 +02:00
regexplru
repository fix: set tag message on tag addition (#9913) 2025-10-31 07:04:28 +01:00
secret
session
setting feat: ensure only expected ssh public keys are in authorized_keys file (#10010) 2025-11-09 01:06:04 +01:00
sitemap
ssh feat: ensure only expected ssh public keys are in authorized_keys file (#10010) 2025-11-09 01:06:04 +01:00
storage fix: minio initialization can freeze indefinitely if misconfigured (#8897) 2025-08-15 21:03:51 +02:00
structs feat: Add support for administrators to set email visibility on user accounts (#9668) 2025-10-15 03:21:15 +02:00
svg
sync
system
templates chore: remove not working PREFERRED_TIMESTAMP_TENSE setting (#9490) 2025-10-01 15:16:01 +02:00
test Improved signature handling & instance actor (#8275) 2025-07-01 19:49:00 +02:00
testlogger
timeutil
translation frontend: generic lazy loader for webcomponents (#8510) 2025-07-23 04:10:50 +02:00
turnstile
typesniffer feat: detect Interlisp sources as text (#8377) 2025-07-02 07:38:46 +02:00
updatechecker
uri
user
util feat: replace cross origin protection (#9830) 2025-10-29 22:43:22 +01:00
validation chore: add email blocklist unit test 2025-08-30 09:45:19 +02:00
web feat: make Forgejo Actions server logs less noisy (#7986) 2025-05-29 10:06:30 +02:00
webhook Actions Failure, Succes, Recover Webhooks (#7508) 2025-06-03 14:29:19 +02:00
zstd