Hey all!

I posted this to /c/tailscale yesterday and I figured I’d post it here to get some more visibility.

I’m trying to ssh into my tailnet-hosted (through tailscale serve) gogs instance and I can’t seem to figure out how. Has anyone tried doing this? Will I need to add a user to the sidecar container and add a shim like they do in the regular gogs setup? I appreciate any insight.

Edit: Added tag and modified title for clarity.

  • @[email protected]OP
    link
    fedilink
    English
    24 months ago

    Ope sorry, right now I just have the serve config doing a redirect of port 22, however when I try to SSH in I get rejected by tailscale ACL. Says there’s no user named git.

    If I followed the steps for the vanilla docker setup I’d add a git user to the host and softlink the host authorized_keys file to the gogs container’s version, as well as add a shim script to forward the command into the container using the docker exec command, but I’d rather not do that by mucking about in the sidecar if there’s a better way. The tailscale universal docker mod for linuxserver.io says they have ssh access for their containers but as far as I can tell it just pops in the --ssh flag in tailscale up.

    • @just_another_person
      link
      English
      24 months ago

      If it’s reaponding about the git user, then it’s an auth failure. That’s about all I could tell you without some logs.

      • @[email protected]OP
        link
        fedilink
        English
        14 months ago

        Yeah and I figured that was the case. I’m just trying to figure out the best practice for my use case would be as I’d rather not have to build a new container. Also I’ve included the vvverbose output of the SSH attempt below.

        ❯ ssh -vvvT [email protected] OpenSSH_9.8p1, OpenSSL 3.2.1 30 Jan 2024 debug1: Reading configuration data /data/data/com.termux/files/usr/etc/ssh/ssh_config debug3: expanded UserKnownHostsFile ‘~/.ssh/known_hosts’ -> ‘/data/data/com.termux/files/home/.ssh/known_hosts’ debug3: expanded UserKnownHostsFile ‘~/.ssh/known_hosts2’ -> ‘/data/data/com.termux/files/home/.ssh/known_hosts2’ debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling debug2: resolving “gogs.tailacbd65.ts.net” port 22 debug3: resolve_host: lookup gogs.tailacbd65.ts.net:22 debug3: channel_clear_timeouts: clearing debug3: ssh_connect_direct: entering debug1: Connecting to gogs.tailacbd65.ts.net [100.126.96.115] port 22. debug3: set_sock_tos: set socket 3 IP_TOS 0x48 debug1: Connection established. debug1: identity file /data/data/com.termux/files/home/.ssh/id_rsa type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_rsa-cert type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ecdsa type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ecdsa-cert type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ecdsa_sk type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ed25519 type 3 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ed25519-cert type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ed25519_sk type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_xmss type -1 debug1: identity file /data/data/com.termux/files/home/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_9.8 debug1: Remote protocol version 2.0, remote software version Tailscale debug1: compat_banner: no match: Tailscale debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to gogs.tailacbd65.ts.net:22 as ‘git’ debug1: load_hostkeys: fopen /data/data/com.termux/files/home/.ssh/known_hosts2: No such file or directory debug1: load_hostkeys: fopen /data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts: No such file or directory debug1: load_hostkeys: fopen /data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts2: No such file or directory debug3: order_hostkeyalgs: no algorithms matched; accept original debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,[email protected] debug2: host key algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] lman-group14-sha1,[email protected] debug2: host key algorithms: rsa-sha2-256,rsa-sha2-512,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: [email protected],[email protected],[email protected],aes128-ctr,aes192-ctr,aes256-ctr debug2: ciphers stoc: [email protected],[email protected],[email protected],aes128-ctr,aes192-ctr,aes256-ctr debug2: MACs ctos: [email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96 debug2: MACs stoc: [email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96 debug2: compression ctos: none debug2: compression stoc: none debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug3: kex_choose_conf: will use strict KEX ordering debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ssh-ed25519 debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug3: receive packet: type 31 debug1: SSH2_MSG_KEX_ECDH_REPLY received debug1: Server host key: ssh-ed25519 SHA256:obfuscation! debug1: load_hostkeys: fopen /data/data/com.termux/files/home/.ssh/known_hosts2: No such file or directory debug1: load_hostkeys: fopen /data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts: No such file or directory debug1: load_hostkeys: fopen /data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts2: No such file or directory debug3: hostkeys_find_by_key_hostfile: trying user hostfile “/data/data/com.termux/files/home/.ssh/known_hosts” debug3: hostkeys_foreach: reading file “/data/data/com.termux/files/home/.ssh/known_hosts” debug3: hostkeys_find_by_key_hostfile: trying user hostfile “/data/data/com.termux/files/home/.ssh/known_hosts2” debug1: hostkeys_find_by_key_hostfile: hostkeys file /data/data/com.termux/files/home/.ssh/known_hosts2 does not exist debug3: hostkeys_find_by_key_hostfile: trying system hostfile “/data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts” debug1: hostkeys_find_by_key_hostfile: hostkeys file /data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts does not exist debug3: hostkeys_find_by_key_hostfile: trying system hostfile “/data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts2” debug1: hostkeys_find_by_key_hostfile: hostkeys file /data/data/com.termux/files/usr/etc/ssh/ssh_known_hosts2 does not exist The authenticity of host ‘gogs.tailacbd65.ts.net (100.126.96.115)’ can’t be established. ED25519 key fingerprint is SHA256:obfuscation!. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added ‘gogs.tailacbd65.ts.net’ (ED25519) to the list of known hosts. ha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,[email protected],zlib debug2: compression stoc: none,[email protected],zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug3: send packet: type 5 debug3: receive packet: type 7 debug1: SSH2_MSG_EXT_INFO received debug3: kex_input_ext_info: extension server-sig-algs debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss> debug3: kex_input_ext_info: extension [email protected] debug1: kex_ext_info_check_ver: [email protected]=<0> debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 51 debug1: Authentications that can continue: tailscale debug3: start over, passed a different list tailscale debug3: preferred publickey,keyboard-interactive,password debug1: No more authentication methods to try. [email protected]: Permission denied (tailscale).

        • @just_another_person
          link
          English
          14 months ago

          You’ve got a lot of errors in there, and it’s hard to tell which may be the culprit. I’m going to guess your keys can’t be read. I’d go back through the setup steps and make sure your PUBLIC key is setup properly for the git user.

          • @[email protected]OP
            link
            fedilink
            English
            14 months ago

            Well that’s the thing, there’s no git user. I’m trying to directly ssh into the gogs container through the tailscale sidecar container via the tailnet, so I’m not going through the host machine. I’m just trying to see if there’s a way I can do it that’s a bit less fiddly than having to rebuild the container with the right user and whatnot.