bump gitea image version for quantum-safe SSH config #47

Open
opened 2026-01-06 18:55:41 +00:00 by namnatulco · 3 comments

I pulled something from git.coopcloud.tech and got a warning:

```
ssh git.coopcloud.tech
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
```

I managed to reproduce this locally with the [setup from the rootless tutorial](https://docs.gitea.com/installation/install-with-docker-rootless/) (using `gitea/gitea:1.24.2-rootless`):

```
ssh -p 2222 localhost
The authenticity of host '[localhost]:2222 ([::1]:2222)' can't be established.
RSA key fingerprint is: SHA256:S3JOp5zb21hgO+0XRNQg+bAapBp3OMdwXDyYLDWB6UM
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
```

The SSH version:

```
nc localhost 2222
SSH-2.0-Go
```

Bumping to `gitea/gitea:latest-rootless` fixes the issue (it does not give this warning before attempting the auth):

```
ssh -p 2222 localhost
namnatulco@localhost: Permission denied (publickey).
```

Weirdly, the version is the same:

```
nc localhost 2222
SSH-2.0-Go
```
Author

I'm assuming bumping to `-latest` is not a good idea; I assume a more recent version would work, but I lack the experience to test a potential upgrade (and I don't run a gitea myself).

The check for whether it works is to look at the KEX algorithms during the SSH connection setup. I assume there is also a way to check this in the container, but I didn't find any configs (presumably because they're in the Go code somewhere?). This shows up in the `-vv` output from SSH:

```
debug2: KEX algorithms: mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c,kex-strict-c-v00@openssh.com
```
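An added example (not from this thread or the gitea project): a small POSIX shell script that automates the check described in the comment above. The `debug2: KEX algorithms:` line quoted there is the client's own offer; the server's offer is the same line printed after `debug2: peer server KEXINIT proposal`, and the algorithm actually chosen appears on a `debug1: kex: algorithm:` line, which is what the script reports on. The two log samples embedded in it are constructed, and the `-vv` line formats it parses are assumed to be those of current OpenSSH.

```shell
# Added example (not from the issue thread): from an OpenSSH client's "ssh -vv"
# output, decide whether the negotiated key exchange is a post-quantum hybrid.
# Usage: ssh -vv -p 2222 localhost 2>&1 | pq_kex_report
# Assumes the OpenSSH -vv line formats "debug2: KEX algorithms: ..."
# and "debug1: kex: algorithm: <name>".
# Hybrid post-quantum KEX names as advertised by OpenSSH 10.x.
PQ_KEX="mlkem768x25519-sha256 sntrup761x25519-sha512 sntrup761x25519-sha512@openssh.com"

# Print the KEX algorithm actually negotiated, or nothing if not found.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: //p' | head -n 1
}

# Print the server's offered KEX list: the "KEX algorithms" line after
# "peer server KEXINIT proposal" (the earlier one is the client's own offer).
server_kex_offer() {
    awk '/peer server KEXINIT proposal/ { in_server = 1; next }
         in_server && sub(/^debug2: KEX algorithms: /, "") { print; exit }'
}

# Exit 0 if the given name is a post-quantum KEX, 1 otherwise.
is_pq_kex() {
    for k in $PQ_KEX; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# Read "ssh -vv" output on stdin, print a verdict; exit 0 only for PQ KEX.
pq_kex_report() {
    log=$(cat)
    kex=$(printf '%s\n' "$log" | negotiated_kex)
    offer=$(printf '%s\n' "$log" | server_kex_offer)
    if [ -z "$kex" ]; then
        echo "no negotiated KEX line found (need -vv output)"; return 2
    elif is_pq_kex "$kex"; then
        echo "OK: negotiated post-quantum KEX $kex"; return 0
    fi
    echo "WARN: classical KEX $kex; server offered: $offer"; return 1
}

# Constructed samples (not real captures): classical-only server vs. one offering ML-KEM.
SAMPLE_CLASSICAL='debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256
debug1: kex: algorithm: curve25519-sha256'
SAMPLE_PQ='debug2: peer server KEXINIT proposal
debug2: KEX algorithms: mlkem768x25519-sha256,curve25519-sha256,ecdh-sha2-nistp256
debug1: kex: algorithm: mlkem768x25519-sha256'
printf '%s\n' "$SAMPLE_CLASSICAL" | pq_kex_report || true   # expected verdict: WARN
printf '%s\n' "$SAMPLE_PQ" | pq_kex_report                   # expected verdict: OK
```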
Author

It is a bit off-topic, but I really did not want to make a PR for a two-character documentation change: the URL in `README.md` should be https://hub.docker.com/r/gitea/gitea (it 404s without the `/r`; iirc this was a dockerhub change some time ago).
Author

I verified that `1.24.7` does **not** fix the issue, while `1.25.0` lists these breaking changes:

> Return 201 Created for CreateVariable API responses (#34517)
> Add label 'state' to metric 'gitea_users' (#34326)
Reference: coop-cloud/gitea#47