Fix SSH key generation (#708)

Signed-off-by: Thomas Miceli <tho.miceli@gmail.com>
2026-06-19 07:36:56 +00:00 · 2026-06-04 02:09:26 +08:00
parent 8e462397f4
commit 3b8d947ad8
6 changed files with 21 additions and 17 deletions
@@ -51,7 +51,6 @@ FROM alpine:3.22 AS prod
 RUN apk update && \
    apk add --no-cache \
    shadow \
-    openssh-server \
    curl \
    git

@@ -91,9 +91,6 @@ ssh.port: 2222
 # If not set, uses the URL from the request
 ssh.external-domain:

-# Path or alias to ssh-keygen executable. Default: ssh-keygen
-ssh.keygen-executable: ssh-keygen
-
 # OAuth2 configuration
 # The callback/redirect URL must be http://opengist.url/oauth/<github|gitlab|gitea|openid-connect>/callback

@@ -30,7 +30,6 @@ aside: false
 | ssh.host                | OG_SSH_HOST                         | `0.0.0.0`             | The host on which the SSH server should bind.                                                                                                                                                                                    |
 | ssh.port                | OG_SSH_PORT                         | `2222`                | The port on which the SSH server should listen.                                                                                                                                                                                  |
 | ssh.external-domain     | OG_SSH_EXTERNAL_DOMAIN              | none                  | Public domain for the Git SSH connection, if it has to be different from the HTTP one. If not set, uses the URL from the request.                                                                                                |
-| ssh.keygen-executable   | OG_SSH_KEYGEN_EXECUTABLE            | `ssh-keygen`          | Path to the SSH key generation executable.                                                                                                                                                                                       |
 | github.client-key       | OG_GITHUB_CLIENT_KEY                | none                  | The client key for the GitHub OAuth application.                                                                                                                                                                                 |
 | github.secret           | OG_GITHUB_SECRET                    | none                  | The secret for the GitHub OAuth application.                                                                                                                                                                                     |
 | gitlab.client-key       | OG_GITLAB_CLIENT_KEY                | none                  | The client key for the GitLab OAuth application.                                                                                                                                                                                 |
@@ -61,7 +61,6 @@ type config struct {
 	SshHost           string `yaml:"ssh.host" env:"OG_SSH_HOST"`
 	SshPort           string `yaml:"ssh.port" env:"OG_SSH_PORT"`
 	SshExternalDomain string `yaml:"ssh.external-domain" env:"OG_SSH_EXTERNAL_DOMAIN"`
-	SshKeygen         string `yaml:"ssh.keygen-executable" env:"OG_SSH_KEYGEN_EXECUTABLE"`

 	GithubClientKey string `yaml:"github.client-key" env:"OG_GITHUB_CLIENT_KEY"`
 	GithubSecret    string `yaml:"github.secret" env:"OG_GITHUB_SECRET"`
@@ -129,7 +128,6 @@ func configWithDefaults() (*config, error) {
 	c.SshGit = true
 	c.SshHost = "0.0.0.0"
 	c.SshPort = "2222"
-	c.SshKeygen = "ssh-keygen"

 	c.GitlabName = "GitLab"

@@ -1,6 +1,9 @@
 package ssh

 import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/pem"
 	"errors"
 	"github.com/rs/zerolog/log"
 	"github.com/thomiceli/opengist/internal/config"
@@ -10,7 +13,6 @@ import (
 	"io"
 	"net"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 	"syscall"
@@ -127,16 +129,12 @@ func setupHostKey() (ssh.Signer, error) {
 	}

 	keyPath := filepath.Join(dir, "opengist-ed25519")
-	if _, err := os.Stat(keyPath); err != nil && !os.IsExist(err) {
-		cmd := exec.Command(config.C.SshKeygen,
-			"-t", "ssh-ed25519",
-			"-f", keyPath,
-			"-m", "PEM",
-			"-N", "")
-		err = cmd.Run()
-		if err != nil {
+	if _, err := os.Stat(keyPath); errors.Is(err, os.ErrNotExist) {
+		if err = generateHostKey(keyPath); err != nil {
 			return nil, err
 		}
+	} else if err != nil {
+		return nil, err
 	}

 	keyData, err := os.ReadFile(keyPath)
@@ -152,6 +150,20 @@ func setupHostKey() (ssh.Signer, error) {
 	return signer, nil
 }

+func generateHostKey(keyPath string) error {
+	_, priv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return err
+	}
+
+	block, err := ssh.MarshalPrivateKey(priv, "")
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(keyPath, pem.EncodeToMemory(block), 0600)
+}
+
 func errorSsh(message string, err error) {
 	log.Error().Err(err).Msg("SSH: " + message)
 }
@@ -46,7 +46,6 @@
            <dt>SSH host</dt><dd>{{ .c.SshHost }}</dd>
            <dt>SSH port</dt><dd>{{ .c.SshPort }}</dd>
            <dt>SSH external domain</dt><dd>{{ .c.SshExternalDomain }}</dd>
-            <dt>SSH Keygen</dt><dd>{{ .c.SshKeygen }}</dd>
            <div class="relative col-span-3 mt-4">
                <div class="absolute inset-0 flex items-center" aria-hidden="true">
                    <div class="w-full border-t border-gray-300"></div>