Setting up Forgejo with SSH

This is what I get:

❯ ssh -vvv ssh://git.ahoneybun.net
debug1: OpenSSH_10.0p2 Ubuntu-5ubuntu5, OpenSSL 3.5.3 16 Sep 2025
debug3: Running on Linux 6.17.0-8-generic #8-Ubuntu SMP PREEMPT_DYNAMIC Fri Nov 14 20:54:15 UTC 2025 aarch64
debug3: Started with: ssh -vvv ssh://git.ahoneybun.net
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 19: Including file /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/aaron/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/aaron/.ssh/known_hosts2'
debug2: resolving "git.ahoneybun.net" port 22
debug3: resolve_host: lookup git.ahoneybun.net:22
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to git.ahoneybun.net [2606:4700:3033::6815:27ca] port 22.
debug3: set_sock_tos: set socket 3 IPV6_TCLASS 0x10

I’m not talking about the authorized_keys file here, I’m talking about ~/.ssh/config for your local personal user - aaron.

Yes, you use the path to your private key in that file.

That private key is not stored on the server (or the public key), it just needs the public key in the authorized_keys file for me to ssh in as the aaronh user.

Alright I copied the private key over and made a ~/.ssh/config file like you showed pointing to the private key. I’m checking about restarting ssh to test an ssh connection again.

EDIT: same connection issue. I also set services.openssh.openFirewall to enable with the same results.

I didn’t say to copy over the private key to the server? You need that config and private key on whatever machine you’re sshing from.

Ah, you meant on the local system connecting to the server, got it.

The output looks similar still:

❯ ssh -vvv git@git.ahoneybun.net
debug1: OpenSSH_10.0p2 Ubuntu-5ubuntu5, OpenSSL 3.5.3 16 Sep 2025
debug3: Running on Linux 6.17.0-8-generic #8-Ubuntu SMP PREEMPT_DYNAMIC Fri Nov 14 20:54:15 UTC 2025 aarch64
debug3: Started with: ssh -vvv git@git.ahoneybun.net
debug1: Reading configuration data /home/aaron/.ssh/config
debug1: /home/aaron/.ssh/config line 1: Applying options for git.ahoneybun.net
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 19: Including file /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/aaron/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/aaron/.ssh/known_hosts2'
debug2: resolving "git.ahoneybun.net" port 22
debug3: resolve_host: lookup git.ahoneybun.net:22
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to git.ahoneybun.net [2606:4700:3035::ac43:ab5b] port 22.
debug3: set_sock_tos: set socket 3 IPV6_TCLASS 0x10

That looks like a successful connection to me; -Tvvv would be a bit clearer.

If you run whoami on the server afterwards, which user do you get?

I see this output with that option for ssh

❯ ssh -Tvvv git@git.ahoneybun.net
debug1: OpenSSH_10.0p2 Ubuntu-5ubuntu5, OpenSSL 3.5.3 16 Sep 2025
debug3: Running on Linux 6.17.0-8-generic #8-Ubuntu SMP PREEMPT_DYNAMIC Fri Nov 14 20:54:15 UTC 2025 aarch64
debug3: Started with: ssh -Tvvv git@git.ahoneybun.net
debug1: Reading configuration data /home/aaron/.ssh/config
debug1: /home/aaron/.ssh/config line 1: Applying options for git.ahoneybun.net
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 19: Including file /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/20-systemd-ssh-proxy.conf
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/aaron/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/aaron/.ssh/known_hosts2'
debug2: resolving "git.ahoneybun.net" port 22
debug3: resolve_host: lookup git.ahoneybun.net:22
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to git.ahoneybun.net [2606:4700:3035::ac43:ab5b] port 22.
debug3: set_sock_tos: set socket 3 IPV6_TCLASS 0x10

I still can’t clone with ssh though.

The whoami would just show who I am logged in as which would be aaronh.

What command are you using for the clone, and what is the error?

No. Should be git, given the last ssh command you ran…

Which is why I’m asking - if it shows aaronh your ~/.ssh/config doesn’t match (which makes sense since the user is wrong) and none of the debugging so far applies.

git shouldn’t be working anyway, the user should be forgejo, as in @waffle8946's config; you shouldn’t have the correct certs for a git user.

It’s very weird that you’re getting anything but an authentication error. Does ~/.ssh/config override users specified on the CLI, or do you actually have a user named git? Even if you do, how is authentication working, are you typing in a password?

Can you share your config for services.openssh so we’re not just blindly guessing?

Command for the clone:

git clone ssh://forgejo@git.ahoneybun.net/ahoneybun/lazarus.git

I’m not sure how you would get that, if you run whoami when you are logged in you will get the username you used to log in such as aaronh in my case.

No, you used the git user to log in, as seen in your command:

The git@ bit means “please log me in as git, ssh”.

I did not, for the server running NixOS I just have the aaronh user, I have the default username for forgejo.nix

For services.openssh I have this on the server:

services.openssh.enable = true;
#services.openssh.openFirewall = true;
services.openssh.settings = {
  PermitRootLogin = "no";
};

local system (Ubuntu):

❯ cat ~/.ssh/config
Host git.ahoneybun.net
  User forgejo
  IdentityFile /home/aaron/.ssh/protonmail

I’m beginning to suspect you have an exit in your server’s .bashrc, or you’re exec-ing a command that immediately fails, or something along those lines. That could explain why git clone isn’t working, too.

There is no .bashrc for my aaronh user on the server and no other user home folder either.

You used git@host, if the user then is not git, there is something totally weird going on!

And what is the exact error you get here?

Are you sure that git.ahoneybun.net resolves to the host you’re running forgejo on? It looks like that domain resolves to some Cloudflare (https) reverse proxy to me. Do you intend to use some sort of split-dns hack?
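
The question above can be checked against the posted traces. This is an added example, not code from any poster in the thread: it reports the last milestone an ssh -v trace reached and whether the peer address lies in Cloudflare's 2606:4700::/32 range. The function name triage and the second trace are constructed for illustration; the first trace is copied from the output posted earlier.

```python
import ipaddress
import re

# Cloudflare's published IPv6 range; both addresses in the thread fall inside it.
CLOUDFLARE_V6 = ipaddress.ip_network("2606:4700::/32")

# Client-side milestones in ssh -v output, in the order a session reaches them.
MILESTONES = [
    ("tcp-connecting", re.compile(r"debug1: Connecting to \S+ \[([0-9A-Fa-f:.]+)\] port \d+")),
    ("tcp-established", re.compile(r"debug1: Connection established")),
    ("banner-received", re.compile(r"debug1: Remote protocol version ")),
    ("authenticating", re.compile(r"debug1: Authenticating to \S+ as '([^']+)'")),
    ("authenticated", re.compile(r"debug1: Authentication succeeded")),
]

def triage(trace: str) -> dict:
    """Report the furthest milestone reached, the peer address and the login user."""
    reached, peer, user = -1, None, None
    for line in trace.splitlines():
        for rank, (name, pattern) in enumerate(MILESTONES):
            m = pattern.match(line.strip())
            if not m:
                continue
            if name == "tcp-connecting":
                peer = ipaddress.ip_address(m.group(1))
            elif name == "authenticating":
                user = m.group(1)
            reached = max(reached, rank)
    return {
        "stage": MILESTONES[reached][0] if reached >= 0 else "not-started",
        "peer": str(peer) if peer is not None else None,
        "login_user": user,
        "cloudflare_peer": peer is not None and peer.version == 6 and peer in CLOUDFLARE_V6,
    }

# Copied from the ssh -Tvvv output posted in the thread: nothing follows "Connecting to".
STALLED_TRACE = """\
debug1: Connecting to git.ahoneybun.net [2606:4700:3035::ac43:ab5b] port 22.
debug3: set_sock_tos: set socket 3 IPV6_TCLASS 0x10
"""

# Constructed for contrast (documentation address and host name): a session that completes.
COMPLETE_TRACE = """\
debug1: Connecting to git.example.org [2001:db8::10] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_10.0
debug1: Authenticating to git.example.org:22 as 'forgejo'
debug1: Authentication succeeded (publickey).
"""
```

A trace that stops at tcp-connecting never reached key exchange or authentication, so it says nothing about keys, users or authorized_keys.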

I use git.ahoneybun.net as the domain which points to my home server with Forgejo running on port 3001.