robojerk/forgejo-ssh-script
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Initial commit

Browse source
This commit is contained in:
robojerk 2025-06-03 12:07:38 -07:00
commit 96a5720497
3 changed files with 546 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

158
ideas_on_why_fail.md Normal file
View file

@ -0,0 +1,158 @@
# Analysis of SSH Key Verification Failure
## Observations from the Output
1. **Key Generation**
- Successfully generated ED25519 key
- Key fingerprint: SHA256:k4SR6Pnp3se+9CzgZjnHYS+FAP/gyNHnbRB8s/Z1KC8
- Public key was generated and displayed correctly
2. **Verification Attempts**
- Three attempts were made with different tokens
- Each attempt followed the same process
- All attempts failed with the same error
- The signature format appears correct (has BEGIN/END markers)
3. **Token Handling**
- Tokens were 64-character hex strings
- Each attempt used a fresh token
- Token format validation passed
4. **Error Message Analysis**
- Forgejo reports: "The provided SSH key, signature or token do not match or token is out-of-date"
- This suggests either:
* The signature format is incorrect
* The token has expired
* There's a mismatch between the key and signature
* The signature includes extra data
## Potential Issues
1. **Signature Generation**
- The `echo -n` command might not be working as expected in PowerShell
- PowerShell's echo might be adding extra characters or line endings
- The signature might include the "Signing data on standard input" line
- The signature output might include debug/informational messages that should be filtered
2. **Token Processing**
- The token might need to be processed differently (e.g., remove any whitespace)
- The token might need to be in a specific format (uppercase/lowercase)
- The token might need to be handled as raw bytes
3. **SSH Key Format**
- The key might need to be in a specific format for Forgejo
- The key comment might be affecting the verification
- The key permissions might need to be set correctly
4. **Forgejo Requirements**
- Forgejo might expect a specific signature format
- The namespace (-n forgejo_token) might need to be different
- The verification process might have changed in recent Forgejo versions
## Prioritized Action Plan
### 1. Verify echo -n Behavior (HIGHEST PRIORITY)
```powershell
# Test echo -n behavior in isolation
echo -n "test" | Format-Hex # Check for any trailing newlines (0A)
# Expected output should show only the hex for "test" without 0A at the end
```
### 2. Refine Signature Output Filtering (HIGHEST PRIORITY)
```powershell
# Test current output
$testToken = "a" * 64 # Create a dummy 64-char hex string
$testSignature = echo -n $testToken | ssh-keygen -Y sign -n forgejo_token -f "$privateKeyPath" 2>&1
$testSignature | Measure-Object -Character -Line # Check character/line counts
$testSignature -match "Signing data on standard input" # See if the phrase is there
# Implement filtering
$rawSignatureOutput = echo -n $Token | ssh-keygen -Y sign -n forgejo_token -f $privateKeyPath 2>&1
$verificationOutput = ($rawSignatureOutput | Where-Object {
$_ -match '^(-----BEGIN SSH SIGNATURE-----|-----END SSH SIGNATURE-----|[A-Za-z0-9+/=]+)$'
} -join "`n").Trim()
# Verify filtered output
$verificationOutput | Format-Hex # Check for any hidden characters
```
### 3. Manual Test Process (HIGH PRIORITY)
1. Get a fresh token from Forgejo
2. In a regular PowerShell window, run:
```powershell
echo -n <token> | ssh-keygen -Y sign -n forgejo_token -f ~/.ssh/id_ed25519
```
3. Copy the output manually and paste into Forgejo
4. If this works, the issue is in the script's output handling
5. Compare the manual signature with the script-generated one
### 4. Token Normalization (MEDIUM PRIORITY)
```powershell
# Add to token processing
$token = $token.Trim().ToLower() # Normalize token format
# Verify token format
$token | Format-Hex # Check for any hidden characters
```
### 5. Key Comment Test (MEDIUM PRIORITY)
1. Generate a new key without the comment:
```powershell
ssh-keygen -t ed25519 -f $privateKeyPath # Remove -C $email
```
2. Try the verification process with the new key
### 6. Alternative Token Passing Methods (LOW PRIORITY)
```powershell
# Option 1: Using temporary file
"$Token" | Out-File -FilePath temp_token.txt -Encoding ascii -NoNewline
$signature = ssh-keygen -Y sign -n forgejo_token -f $privateKeyPath < temp_token.txt 2>&1
Remove-Item temp_token.txt
# Option 2: Using stdin stream
$stdin = New-Object System.IO.StringReader($Token)
$signature = ssh-keygen -Y sign -n forgejo_token -f $privateKeyPath -InputObject $stdin 2>&1
```
## Questions to Consider
1. Does Forgejo provide any specific requirements for the signature format?
2. Are there any known issues with PowerShell's handling of binary data?
3. Should we try a different approach to passing the token to ssh-keygen?
4. Is there a way to verify the signature format before submitting it?
5. Could the key comment be causing issues with the verification?
## Next Steps
1. Verify `echo -n` behavior in isolation
2. Implement the signature output filtering
3. Perform the manual test to verify the basic process
4. Add token normalization
5. Test without key comment
6. If needed, try alternative token passing methods
## Debugging Tips
1. Use `Measure-Object` to check output lengths and line counts
2. Use `Format-Hex` to inspect for hidden characters
3. Compare manual vs. script-generated signatures
4. Check for any hidden characters in the output
5. Verify the exact format of the signature block
6. Monitor the token format throughout the process
7. Document the exact error message from Forgejo
## Implementation Notes
1. **Function Parameter Verification**
- Ensure `Get-SshSignature` receives correct `$privateKeyPath`
- Add parameter validation in the function
- Log the actual path being used
2. **Output Inspection**
- Add debug logging for raw and filtered output
- Compare lengths and formats at each step
- Document any differences between manual and script output
3. **Error Handling**
- Add specific error messages for each failure case
- Log the exact format of the signature being sent
- Document any differences from expected format

44
readme.md Normal file
View file

@ -0,0 +1,44 @@
This is a powershell script that will create a a ssh key
assume forgejo is installed (via docker)
ask for email address
run
```powershell
echo "Please remember your passphrase. Write it down. Keep it safe"
ssh-keygen -t ed25519 -C "rraines@gmail.com"
```
These file are create
C:\Users\{user}\.ssh\id_ed25519
C:\Users\{user}\.ssh\id_ed25519.pub
Use cat ( or cat equivalent on powershell) to view "C:\Users\{user}\.ssh\id_ed25519.pub"
```powershell
cls
# Copy the contents below
cat "C:\Users\{user}\.ssh\id_ed25519.pub"
```
Login to your forgejo web server
Click on your **profile avatar** (top right corner)
Select **"Settings"**.
In the left sidebar, click on **"SSH / GPG Keys"**.
Click the **"Add Key"** button.
Give your key a descriptive **"Title"** (e.g., "Rob's Laptop Key").
Paste the entire public key into the "Content" text area.
After adding, you'll see your key listed. Click the **"Verify"** button next to it.
* Forgejo will provide a unique **challenge token** and three different commands. You need to run one of these commands in your local terminal.
```powershell
echo "Please copy the token on the web page"
echo "for example c9fb7f60219b73d1819d9fe548a43e3a041484f8d7466dd212b4e8cde9e0e3d8"
```
set $TOKEN to what the user inputs
Verify that the inputted token matches the required parameters. i.e. length, no spaces etc
run "cmd /c "<NUL set /p=`"$TOKEN`"| ssh-keygen"
```powershell
Paste the contents into the window and ***verify***

344
ssh-script.ps1 Normal file
View file

@ -0,0 +1,344 @@
# Function to validate email format
function Test-EmailFormat {
param([string]$Email)
$emailRegex = '^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
return $Email -match $emailRegex
}
# Function to validate token format
function Test-TokenFormat {
param([string]$Token)
# Token should be 64 characters long and contain only hexadecimal characters
return $Token -match '^[a-fA-F0-9]{64}$'
}
# Function to generate signature
function Get-SshSignature {
param(
[string]$Token,
[string]$PrivateKeyPath
)
# Validate parameters
if (-not (Test-Path $PrivateKeyPath)) {
throw "Private key not found at path: $PrivateKeyPath"
}
# Normalize token format
$Token = $Token.Trim().ToLower()
# Debug: Check token format
Write-Host "`nDebug: Token format check:" -ForegroundColor Gray
Write-Host "Length: $($Token.Length)" -ForegroundColor Gray
Write-Host "Format: $($Token -match '^[a-f0-9]{64}$')" -ForegroundColor Gray
# Try Git Bash first if available
$gitBashPath = "C:\Program Files\Git\bin\bash.exe"
if (Test-Path $gitBashPath) {
Write-Host "`nUsing Git Bash for signature generation..." -ForegroundColor Gray
# Convert Windows path to Unix-style for Git Bash
$unixKeyPath = $PrivateKeyPath.Replace('\', '/')
# Use the exact command format from Forgejo, but with forgejo_token namespace
$bashCmd = "echo -n '$Token' | ssh-keygen -Y sign -n gitea -f '$unixKeyPath'"
Write-Host "Debug: Running Git Bash command:" -ForegroundColor Gray
Write-Host $bashCmd -ForegroundColor Gray
$rawSignatureOutput = & $gitBashPath -c $bashCmd 2>&1
} else {
Write-Host "`nGit Bash not found, using PowerShell..." -ForegroundColor Gray
# Use the exact PowerShell command format from Forgejo
$cmd = "cmd /c `<NUL set /p=`"$Token`"| ssh-keygen -Y sign -n gitea -f `"$PrivateKeyPath`""
Write-Host "Debug: Running PowerShell command:" -ForegroundColor Gray
Write-Host $cmd -ForegroundColor Gray
$rawSignatureOutput = Invoke-Expression $cmd 2>&1
}
# Debug: Check raw output
Write-Host "`nDebug: Raw signature output:" -ForegroundColor Gray
$rawSignatureOutput | ForEach-Object { Write-Host " $_" -ForegroundColor Gray }
# Filter the output to get only the signature block
$signatureLines = $rawSignatureOutput | Where-Object {
$_ -match '^(-----BEGIN SSH SIGNATURE-----|-----END SSH SIGNATURE-----|[A-Za-z0-9+/=]+)$'
}
# Join the lines with newlines
$signature = [string]::Join("`n", $signatureLines).Trim()
# Debug: Check filtered signature
Write-Host "`nDebug: Filtered signature:" -ForegroundColor Gray
$signature | ForEach-Object { Write-Host " $_" -ForegroundColor Gray }
# Verify signature format
if (-not ($signature -match '^-----BEGIN SSH SIGNATURE-----\r?\n[A-Za-z0-9+/=]+\r?\n-----END SSH SIGNATURE-----\r?$')) {
Write-Host "Warning: Signature format may be incorrect" -ForegroundColor Yellow
}
return $signature
}
# --- SSH Key Generation ---
# Get user's email for key comment
$email = ""
while (-not (Test-EmailFormat -Email $email)) {
$email = Read-Host "Please enter your email address for your SSH key comment"
if (-not (Test-EmailFormat -Email $email)) {
Write-Host "Invalid email format. Please try again." -ForegroundColor Red
}
}
# Generate SSH key
Write-Host "`n--- Generating SSH Key ---" -ForegroundColor Cyan
Write-Host "You'll be prompted for a passphrase. Please remember it and keep it safe!" -ForegroundColor Yellow
$privateKeyPath = "$env:USERPROFILE\.ssh\id_ed25519" # Define private key path
$publicKeyPath = "$env:USERPROFILE\.ssh\id_ed25519.pub" # Define public key path
# Check if key already exists to prevent accidental overwrite without warning
if (Test-Path $privateKeyPath) {
Write-Host "`nWarning: An SSH key already exists at '$privateKeyPath'." -ForegroundColor Yellow
$overwrite = Read-Host "Do you want to overwrite it? (Y/N)"
if ($overwrite -ne 'Y') {
Write-Host "Key generation cancelled. Exiting." -ForegroundColor Red
exit
}
}
# Execute ssh-keygen
ssh-keygen -t ed25519 -C $email -f $privateKeyPath # Explicitly define path
if ($LASTEXITCODE -ne 0) {
Write-Host "Error generating SSH key. Please check your SSH installation." -ForegroundColor Red
exit
}
# Add key to SSH agent (optional)
Write-Host "`n--- Adding Key to SSH Agent (Optional) ---" -ForegroundColor Yellow
Write-Host "This avoids re-entering your passphrase. You might be prompted for your passphrase now." -ForegroundColor Yellow
ssh-add $privateKeyPath
if ($LASTEXITCODE -ne 0) {
Write-Host "Failed to add key to SSH agent. You may need to start the 'OpenSSH Authentication Agent' service manually." -ForegroundColor Red
Write-Host "To start the service manually, run: Start-Service ssh-agent" -ForegroundColor Yellow
}
# Display the public key
Write-Host "`n--- Your Public Key ---" -ForegroundColor Green
Write-Host "Please copy the FOLLOWING ENTIRE KEY and paste it into Forgejo:" -ForegroundColor Green
Get-Content $publicKeyPath
Write-Host "---------------------------" -ForegroundColor Green
# Show key fingerprint for verification
$keyFingerprint = (ssh-keygen -lf $publicKeyPath).Split(' ')[1]
Write-Host "`nKey Fingerprint (verify this matches in Forgejo):" -ForegroundColor Yellow
Write-Host $keyFingerprint -ForegroundColor Cyan
Write-Host "`nIMPORTANT: Make sure this fingerprint matches exactly in Forgejo!" -ForegroundColor Yellow
Write-Host "If it doesn't match, the key verification will fail." -ForegroundColor Yellow
# --- Forgejo Web Server Instructions ---
Write-Host "`n--- Next Steps (Manual on Forgejo Web Server) ---" -ForegroundColor Cyan
Write-Host "1. Login to your Forgejo web server (e.g., https://git.raines.xyz)"
Write-Host "2. Click on your profile avatar (top right corner)"
Write-Host "3. Select 'Settings'"
Write-Host "4. In the left sidebar, click on 'SSH / GPG Keys'"
Write-Host "5. Click the 'Add Key' button"
Write-Host "6. Give your key a descriptive 'Title' (e.g., 'My Laptop Key')"
Write-Host "7. PASTE the public key shown ABOVE into the 'Content' text area"
Write-Host "8. Click 'Add Key'."
Write-Host "9. After adding, verify that the fingerprint matches: $keyFingerprint" -ForegroundColor Yellow
Write-Host "10. Click the 'Verify' button next to your new key."
Write-Host "11. Copy the challenge token (the long hexadecimal string) provided by Forgejo."
# --- Key Verification ---
$verificationPassed = $false
$maxAttempts = 3
$attempts = 0
while (-not $verificationPassed -and $attempts -lt $maxAttempts) {
$attempts++
# Get and validate the token
$token = ""
while (-not (Test-TokenFormat -Token $token)) {
Write-Host "`n--- Key Verification (Attempt $attempts of $maxAttempts) ---" -ForegroundColor Yellow
Write-Host "Please get a fresh token from Forgejo (tokens expire after a few minutes)" -ForegroundColor Yellow
$token = Read-Host "Please paste the challenge token from Forgejo here:"
if (-not (Test-TokenFormat -Token $token)) {
Write-Host "Invalid token format. Token should be 64 hexadecimal characters." -ForegroundColor Red
}
}
# Verify the token using the PowerShell command format provided by Forgejo
Write-Host "`nVerifying key with Forgejo...`n" -ForegroundColor Yellow
Write-Host "Running verification command using private key: $privateKeyPath" -ForegroundColor Yellow
Write-Host "--------------------------------------------------------" -ForegroundColor Yellow
try {
# Generate signature using the function
$verificationOutput = Get-SshSignature -Token $token -PrivateKeyPath $privateKeyPath
if ($LASTEXITCODE -ne 0) {
throw "SSH key signing failed with exit code $LASTEXITCODE"
}
Write-Host "`n--- Copy and Paste the Signature ---" -ForegroundColor Green
Write-Host "Please copy the FOLLOWING ENTIRE BLOCK (including BEGIN and END lines) and paste it back into the Forgejo web verification box:" -ForegroundColor Green
Write-Host "" # Add blank line before signature
$verificationOutput
Write-Host "" # Add blank line after signature
Write-Host "------------------------------------" -ForegroundColor Green
Write-Host "`n--- Final Steps (Manual on Forgejo Web Server) ---" -ForegroundColor Cyan
Write-Host "12. Paste the signature above into the verification box in Forgejo."
Write-Host "13. Click 'Verify'. You should see 'Successfully verified'."
Write-Host "14. Once verified, you can now test your SSH connection to Forgejo."
# Check verification status
Write-Host "`n--- Verification Status Check ---" -ForegroundColor Yellow
$verificationStatus = Read-Host "Did the verification pass in the Forgejo web interface? (Y/N)"
if ($verificationStatus -eq 'Y') {
$verificationPassed = $true
} else {
Write-Host "`nVerification failed. Here are some troubleshooting steps:" -ForegroundColor Red
Write-Host "1. Make sure you copied the ENTIRE signature block, including BEGIN and END lines" -ForegroundColor Yellow
Write-Host "2. Check that there are no extra spaces or line breaks in the signature" -ForegroundColor Yellow
Write-Host "3. Verify that the token was entered correctly" -ForegroundColor Yellow
Write-Host "4. The token may have expired - get a fresh token from Forgejo" -ForegroundColor Yellow
Write-Host "5. Try again with a new token" -ForegroundColor Yellow
if ($attempts -lt $maxAttempts) {
Write-Host "`nLet's try again with a new token..." -ForegroundColor Yellow
} else {
Write-Host "`nMaximum verification attempts reached. Please check your key and try again later." -ForegroundColor Red
exit
}
}
}
catch {
Write-Host "Error during verification: $_" -ForegroundColor Red
Write-Host "Output: $verificationOutput" -ForegroundColor Red
if ($attempts -lt $maxAttempts) {
Write-Host "`nLet's try again with a new token..." -ForegroundColor Yellow
} else {
Write-Host "`nMaximum verification attempts reached. Please check your key and try again later." -ForegroundColor Red
exit
}
}
}
# --- SSH Config Setup ---
Write-Host "`n--- SSH Config Setup (Optional) ---" -ForegroundColor Yellow
$setupConfig = Read-Host "Would you like to set up your SSH config for easier connections? (Y/N)"
if ($setupConfig -eq 'Y') {
$forgejoHost = Read-Host "Enter your Forgejo hostname (e.g., git.raines.xyz)"
$forgejoUser = Read-Host "Enter your Forgejo username"
$sshConfigPath = "$env:USERPROFILE\.ssh\config"
# Convert Windows path to forward slashes for SSH config
$sshPrivateKeyPath = $privateKeyPath.Replace('\', '/')
$configContent = @"
# Forgejo Configuration
Host $forgejoHost
HostName $forgejoHost
User $forgejoUser
IdentityFile $sshPrivateKeyPath
PreferredAuthentications publickey
PubkeyAuthentication yes
PasswordAuthentication no
"@
# Create .ssh directory if it doesn't exist
if (-not (Test-Path "$env:USERPROFILE\.ssh")) {
New-Item -ItemType Directory -Path "$env:USERPROFILE\.ssh" | Out-Null
}
# Check if config file exists and has duplicate entries
if (Test-Path $sshConfigPath) {
Write-Host "`nChecking for existing SSH config entries..." -ForegroundColor Yellow
$existingConfig = Get-Content $sshConfigPath
$hasDuplicate = $existingConfig -match "Host $forgejoHost"
if ($hasDuplicate.Count -gt 1) {
Write-Host "Found duplicate entries for $forgejoHost. Cleaning up config file..." -ForegroundColor Yellow
# Create backup of existing config
$backupPath = "$sshConfigPath.backup"
Copy-Item $sshConfigPath $backupPath
Write-Host "Created backup at: $backupPath" -ForegroundColor Yellow
# Remove all existing entries for this host
$newConfig = $existingConfig | Where-Object {
-not ($_ -match "Host $forgejoHost" -or
($_ -match "^\s+(HostName|User|IdentityFile|PreferredAuthentications|PubkeyAuthentication|PasswordAuthentication)" -and
$existingConfig[$existingConfig.IndexOf($_) - 1] -match "Host $forgejoHost"))
}
# Add new config
$newConfig += $configContent
Set-Content -Path $sshConfigPath -Value $newConfig
Write-Host "Updated SSH config with clean entry for $forgejoHost" -ForegroundColor Green
} else {
# No duplicates, just append
Add-Content -Path $sshConfigPath -Value $configContent
Write-Host "Added new SSH config entry for $forgejoHost" -ForegroundColor Green
}
} else {
# Create new config file
Set-Content -Path $sshConfigPath -Value $configContent
Write-Host "Created new SSH config file with entry for $forgejoHost" -ForegroundColor Green
}
Write-Host "`nSSH config has been updated. You can now connect using:" -ForegroundColor Green
Write-Host "ssh $forgejoHost" -ForegroundColor Cyan
Write-Host "`nYour SSH config is located at: $sshConfigPath" -ForegroundColor Yellow
# Wait a moment for the key to be fully processed
Write-Host "`nWaiting a moment for the key to be fully processed..." -ForegroundColor Yellow
Start-Sleep -Seconds 5
# Test the connection with verbose output
Write-Host "`n--- Testing SSH Connection ---" -ForegroundColor Yellow
Write-Host "Testing connection to $forgejoHost with verbose output..." -ForegroundColor Yellow
$testConnection = ssh -v -T $forgejoHost 2>&1
if ($LASTEXITCODE -eq 1) {
# Exit code 1 is actually success for SSH test connections
Write-Host "Connection successful! You can now use Git with your Forgejo repository." -ForegroundColor Green
} else {
Write-Host "Connection test failed. Here are some troubleshooting steps:" -ForegroundColor Red
Write-Host "1. Verify that your SSH key is properly added to your Forgejo account:" -ForegroundColor Yellow
Write-Host " - Check that the key appears in your SSH keys list" -ForegroundColor Yellow
Write-Host " - Verify that the key fingerprint matches: $((ssh-keygen -lf $publicKeyPath).Split(' ')[1])" -ForegroundColor Yellow
Write-Host "2. Check your SSH config:" -ForegroundColor Yellow
Write-Host " - Verify the hostname is correct: $forgejoHost" -ForegroundColor Yellow
Write-Host " - Verify the username is correct: $forgejoUser" -ForegroundColor Yellow
Write-Host " - Check that the key path is correct: $sshPrivateKeyPath" -ForegroundColor Yellow
Write-Host "3. Try connecting manually with verbose output:" -ForegroundColor Yellow
Write-Host " ssh -v -T $forgejoUser@$forgejoHost" -ForegroundColor Cyan
Write-Host "`nError output:" -ForegroundColor Red
$testConnection | ForEach-Object { Write-Host " $_" -ForegroundColor Red }
}
} else {
# If user didn't set up SSH config, still offer to test connection
Write-Host "`n--- Testing SSH Connection ---" -ForegroundColor Yellow
$testConnection = Read-Host "Would you like to test your SSH connection now? (Y/N)"
if ($testConnection -eq 'Y') {
$forgejoHost = Read-Host "Enter your Forgejo hostname (e.g., git.raines.xyz)"
$forgejoUser = Read-Host "Enter your Forgejo username"
Write-Host "`nTesting connection to $forgejoUser@$forgejoHost with verbose output..." -ForegroundColor Yellow
$testResult = ssh -v -T "$forgejoUser@$forgejoHost" 2>&1
if ($LASTEXITCODE -eq 1) {
Write-Host "Connection successful! You can now use Git with your Forgejo repository." -ForegroundColor Green
} else {
Write-Host "Connection test failed. Here are some troubleshooting steps:" -ForegroundColor Red
Write-Host "1. Verify that your SSH key is properly added to your Forgejo account:" -ForegroundColor Yellow
Write-Host " - Check that the key appears in your SSH keys list" -ForegroundColor Yellow
Write-Host " - Verify that the key fingerprint matches: $((ssh-keygen -lf $publicKeyPath).Split(' ')[1])" -ForegroundColor Yellow
Write-Host "2. Try connecting manually with verbose output:" -ForegroundColor Yellow
Write-Host " ssh -v -T $forgejoUser@$forgejoHost" -ForegroundColor Cyan
Write-Host "`nError output:" -ForegroundColor Red
$testResult | ForEach-Object { Write-Host " $_" -ForegroundColor Red }
}
}
}
Write-Host "`nProcess for SSH key setup and verification completed!" -ForegroundColor Green