Illya Moskvin

Fixing SSH in Gitea on Synology

A while ago, I installed Gitea on my Synology DS920+ to mirror repositories which I thought had a decent chance of being taken down. This weekend, I tried pushing my own code to it, and I discovered that the SSH configuration it came with did not work out-of-the-box. I hope this post saves someone some time.

I installed Gitea using the Gitea package from SynoCommunity. You can install it via Synology’s built-in Package Center. Get the web interface working, generate your keys, and add them via the user settings. Standard stuff.

Now the problem. Here’s what happens when you test that SSH connection:

$ ssh -Tv sc-gitea@nas

debug1: Connecting to nas [<snip>] port 22.
debug1: Connection established.

<snip>

debug1: Offering public key: <snip>/.ssh/id_ed25519 ED25519 SHA256:<snip> explicit
debug1: Server accepts key: <snip>/.ssh/id_ed25519 ED25519 SHA256:<snip> explicit
Authenticated to nas ([<snip>]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /var/packages/gitea/home/.ssh/authorized_keys:2: key options: command
debug1: Remote: /var/packages/gitea/home/.ssh/authorized_keys:2: key options: command

Permission denied, please try again.

So we are connecting to the right host, and the server accepts our key, yet we can’t establish an interactive session. What gives?

One way to fix this is to give the sc-gitea user a login shell. We can do this by editing /etc/passwd and changing /sbin/nologin to /bin/sh. However, Synology resets this for all non-admin users on restart, so you’d have to write a script to fix it after each restart, or add sc-gitea to administrators in /etc/group.[1] That feels fragile and insecure.

Instead, let’s enable Gitea’s built-in SSH server:[2]

sudo nano /var/packages/gitea/var/conf.ini

Change the following settings:

# Before:
SSH_PORT = 22

# After:
START_SSH_SERVER = true
SSH_PORT = 2222

Then, run the following command:

sudo synopkg restart gitea

Admin Settings > Configuration > Summary > Use Built-In Server is now enabled:

Screenshot of the web interface

Test the new connection, using port 2222:

ssh -T sc-gitea@nas -p 2222

If all is well, you will see the following message:

Hi there, <snip>! You've successfully authenticated with the key named <snip>, but Gitea does not provide shell access.
If this is unexpected, please log in with password and setup Gitea under another user.
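
To confirm the result from the NAS itself, the following check (an added example, not part of the original post or the SynoCommunity package) reads the two settings changed above and verifies that sc-gitea still has its no-login shell, since the built-in server makes the /etc/passwd workaround unnecessary. The function names are hypothetical, the default paths are the ones shown in this post, and the parser assumes each key appears only once in conf.ini.

```shell
#!/bin/sh
# Added example: audit the Gitea SSH setup described in this post.
# ini_get FILE KEY -> last value assigned to KEY (comments skipped, sections ignored).
ini_get() {
    awk -F= -v k="$2" '
        /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); v = $0 }
        END { print v }' "$1"
}

# login_shell PASSWD_FILE USER -> the user's login shell (7th passwd field).
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# audit_gitea_ssh CONF PASSWD USER -> returns 0 if the setup matches the post, 1 otherwise.
audit_gitea_ssh() {
    conf=$1 passwd=$2 user=$3 rc=0
    builtin=$(ini_get "$conf" START_SSH_SERVER)
    port=$(ini_get "$conf" SSH_PORT)
    shell=$(login_shell "$passwd" "$user")
    [ "$builtin" = "true" ] || { echo "FAIL: START_SSH_SERVER is '${builtin}', expected true"; rc=1; }
    case $port in
        ''|*[!0-9]*) echo "FAIL: SSH_PORT is missing or not numeric"; rc=1 ;;
        22) echo "FAIL: SSH_PORT = 22 is the port the system sshd answers on"; rc=1 ;;
    esac
    # The account should keep its no-login shell; the built-in server does not need one.
    case $shell in
        */nologin|*/false) ;;
        *) echo "WARN: $user has login shell '${shell}'"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: built-in SSH on port $port, $user shell is $shell"
    return "$rc"
}

# Audit the live files only when invoked with "run" (reading conf.ini may need sudo).
if [ "${1:-}" = "run" ]; then
    audit_gitea_ssh "${2:-/var/packages/gitea/var/conf.ini}" "${3:-/etc/passwd}" "${4:-sc-gitea}"
fi
```
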

Gitea will include the new port in the SSH URIs it suggests:

ssh://sc-gitea@nas:2222/user/repo.git

You can now use git commands with SSH:

git clone ssh://sc-gitea@nas:2222/user/repo.git

If that doesn’t work, double-check that whatever git client you are using has access to the same keys as your SSH client. Hope this helps someone get unstuck!