feat(ssh): auto generate additional ssh keys (#33974)

adds capabilities for gitea to generate ecdsa and ed25519 keys by default adds cli for built-in ssh key generation helpers closes: https://github.com/go-gitea/gitea/issues/33783 --------- Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io>
2026-06-15 20:25:18 +02:00 · 2026-06-08 20:18:58 +02:00
parent ade76fe838
commit d76a974b24
9 changed files with 351 additions and 74 deletions
--- a/cmd/generate.go
+++ b/cmd/generate.go
@@ -6,10 +6,12 @@ package cmd

 import (
 	"context"
+	"errors"
 	"fmt"
 	"os"

 	"gitea.dev/modules/generate"
+	"gitea.dev/modules/ssh"

 	"github.com/mattn/go-isatty"
 	"github.com/urfave/cli/v3"
@@ -21,6 +23,7 @@ func newGenerateCommand() *cli.Command {
 		Usage: "Generate Gitea's secrets/keys/tokens",
 		Commands: []*cli.Command{
 			newGenerateSecretCommand(),
+			newGenerateSSHCommand(),
 		},
 	}
 }
@@ -37,6 +40,17 @@ func newGenerateSecretCommand() *cli.Command {
 	}
 }

+func newGenerateSSHCommand() *cli.Command {
+	return &cli.Command{
+		Name:  "ssh",
+		Usage: "Generate ssh keys",
+		Commands: []*cli.Command{
+			newGenerateSSHKeyCommand(),
+			newGenerateSSHHostKeysCommand(),
+		},
+	}
+}
+
 func newGenerateInternalTokenCommand() *cli.Command {
 	return &cli.Command{
 		Name:   "INTERNAL_TOKEN",
@@ -62,6 +76,30 @@ func newGenerateSecretKeyCommand() *cli.Command {
 	}
 }

+func newGenerateSSHKeyCommand() *cli.Command {
+	return &cli.Command{
+		Name:  "key",
+		Usage: "Generate a new ssh key",
+		Flags: []cli.Flag{
+			&cli.IntFlag{Name: "bits", Aliases: []string{"b"}, Usage: "Number of bits in the key, ignored when key is ed25519"},
+			&cli.StringFlag{Name: "type", Aliases: []string{"t"}, Value: "ed25519", Usage: "Specifies the type of key to create."},
+			&cli.StringFlag{Name: "file", Aliases: []string{"f"}, Usage: "Specifies the path or base directory for the key file", Required: true},
+		},
+		Action: runGenerateKeyPair,
+	}
+}
+
+func newGenerateSSHHostKeysCommand() *cli.Command {
+	return &cli.Command{
+		Name:  "host-keys",
+		Usage: "Generate host keys of all default key types (rsa, ecdsa, and ed25519) if they do not already exist.",
+		Flags: []cli.Flag{
+			&cli.StringFlag{Name: "dir", Aliases: []string{"d"}, Usage: "Specifies the base directory for the key files", Required: true},
+		},
+		Action: runGenerateHostKey,
+	}
+}
+
 func runGenerateInternalToken(_ context.Context, c *cli.Command) error {
 	internalToken, err := generate.NewInternalToken()
 	if err != nil {
@@ -103,3 +141,41 @@ func runGenerateSecretKey(_ context.Context, c *cli.Command) error {

 	return nil
 }
+
+func runGenerateHostKey(_ context.Context, c *cli.Command) error {
+	file := c.String("dir")
+	info, err := os.Stat(file)
+	if errors.Is(err, os.ErrNotExist) {
+		if err = os.MkdirAll(file, 0o644); err != nil {
+			return err
+		}
+	} else if err != nil {
+		return err
+	} else if !info.IsDir() {
+		return errors.New("file already exists and is not a directory")
+	}
+	fmt.Fprintf(c.Writer, "Generating host keys in %s\n", file)
+	_, err = ssh.InitDefaultHostKeys(file)
+	return err
+}
+
+func runGenerateKeyPair(_ context.Context, c *cli.Command) error {
+	file := c.String("file")
+	keyType := c.String("type")
+
+	fmt.Fprintf(c.Writer, "Generating public/private %s key pair.\n", keyType)
+
+	// Check if file exists to prevent overwriting
+	if _, err := os.Stat(file); err == nil {
+		if !confirm(c.Reader, c.Writer, "%s already exists.\nOverwrite (y/n)? ", file) {
+			fmt.Println("Aborting")
+			return nil
+		}
+	}
+	bits := c.Int("bits")
+	err := ssh.GenKeyPair(file, generate.SSHKeyType(keyType), bits)
+	if err == nil {
+		fmt.Printf("Your SSH key has been saved in %s\n", file)
+	}
+	return err
+}
--- a/cmd/helper.go
+++ b/cmd/helper.go
@@ -38,22 +38,15 @@ func argsSet(c *cli.Command, args ...string) error {
 }

 // confirm waits for user input which confirms an action
-func confirm() (bool, error) {
+func confirm(stdin io.Reader, stdout io.Writer, msg string, args ...any) bool {
 	var response string
-
-	_, err := fmt.Scanln(&response)
-	if err != nil {
-		return false, err
-	}
-
+	_, _ = fmt.Fprintf(stdout, msg, args...)
+	_, _ = fmt.Fscanln(stdin, &response)
 	switch strings.ToLower(response) {
 	case "y", "yes":
-		return true, nil
-	case "n", "no":
-		return false, nil
-	default:
-		return false, errors.New(response + " isn't a correct confirmation string")
+		return true
 	}
+	return false
 }

 func initDB(ctx context.Context) error {
--- a/cmd/mailer.go
+++ b/cmd/mailer.go
@@ -22,14 +22,10 @@ func runSendMail(ctx context.Context, c *cli.Command) error {

 	if !confirmSkipped {
 		if len(body) == 0 {
-			fmt.Print("warning: Content is empty")
+			fmt.Println("warning: Content is empty")
 		}

-		fmt.Print("Proceed with sending email? [Y/n] ")
-		isConfirmed, err := confirm()
-		if err != nil {
-			return err
-		} else if !isConfirmed {
+		if !confirm(c.Reader, c.Writer, "Proceed with sending email? [Y/n] ") {
 			fmt.Println("The mail was not sent")
 			return nil
 		}