
git lfs with ssh #2475

Closed
laoshaw opened this issue Sep 8, 2017 · 6 comments
Labels
issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented type/enhancement An improvement of existing functionality type/feature Completely new functionality. Can only be merged if feature freeze is not active.

Comments

@laoshaw

laoshaw commented Sep 8, 2017

To get git-lfs working with ssh/scp, it can be redirected to http/https, as native ssh support is not implemented upstream. Below is related info:

https://github.com/git-lfs/git-lfs/blob/master/docs/custom-transfers.md#using-a-custom-transfer-type-without-the-api-server

git-lfs/git-lfs#1044

@bkcsoft bkcsoft added type/enhancement An improvement of existing functionality type/feature Completely new functionality. Can only be merged if feature freeze is not active. labels Sep 8, 2017
@bkcsoft
Member

bkcsoft commented Sep 8, 2017

Those transfer-hooks are client-side so we can't make that happen unfortunately. Only way to get real SSH-support is to get it upstream in the issue you linked :(

@bkcsoft
Member

bkcsoft commented Sep 8, 2017

The only solution today is to have SSH return a JSON-payload for redirecting it to HTTP(S) git-lfs/git-lfs#1044 (comment) which is fairly straightforward to add:

@stale

stale bot commented Feb 13, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

@stale stale bot added the issue/stale label Feb 13, 2019
@lunny lunny added issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented and removed issue/stale labels Feb 13, 2019
@ukos-git

I cannot get ssh authentication to work, so I guess this is still an open issue.

I don't know where to start for the solution proposed by @bkcsoft .

gitea/cmd/serv.go

Lines 137 to 147 in b03d780

```go
if verb == lfsAuthenticateVerb {
	if !setting.LFS.StartServer {
		fail("Unknown git command", "LFS authentication request over SSH denied, LFS support is disabled")
	}
	argsSplit := strings.Split(args, " ")
	if len(argsSplit) >= 2 {
		args = strings.TrimSpace(argsSplit[0])
		lfsVerb = strings.TrimSpace(argsSplit[1])
	}
}
```

Can you look again at ssh authentication for lfs in gitea, @fabian-z @lunny?

@fabian-z
Contributor

fabian-z commented Feb 27, 2019

Well, we should already be doing what @bkcsoft suggested and it worked in my original tests.

This code is responsible for implementing server discovery by returning the proper URL and authentication token if called via SSH:

gitea/cmd/serv.go

Lines 292 to 326 in b03d780

```go
if verb == lfsAuthenticateVerb {
	url := fmt.Sprintf("%s%s/%s.git/info/lfs", setting.AppURL, username, repo.Name)
	now := time.Now()
	claims := jwt.MapClaims{
		"repo": repo.ID,
		"op":   lfsVerb,
		"exp":  now.Add(setting.LFS.HTTPAuthExpiry).Unix(),
		"nbf":  now.Unix(),
	}
	if user != nil {
		claims["user"] = user.ID
	}
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	// Sign and get the complete encoded token as a string using the secret
	tokenString, err := token.SignedString(setting.LFS.JWTSecretBytes)
	if err != nil {
		fail("Internal error", "Failed to sign JWT token: %v", err)
	}
	tokenAuthentication := &models.LFSTokenResponse{
		Header: make(map[string]string),
		Href:   url,
	}
	tokenAuthentication.Header["Authorization"] = fmt.Sprintf("Bearer %s", tokenString)
	enc := json.NewEncoder(os.Stdout)
	err = enc.Encode(tokenAuthentication)
	if err != nil {
		fail("Internal error", "Failed to encode LFS json response: %v", err)
	}
	return nil
}
```

It seems there is some confusion about the subject of this issue.

One aspect is server discovery / authentication using SSH. This should be implemented and working according to the LFS API docs.

Another one is transfer of data with SSH instead of HTTPS. This is currently not part of the LFS specification and therefore also not implemented, still to be decided upstream (see git-lfs/git-lfs#1044).

@ukos-git: Could you elaborate on what part of SSH authentication is not working for you? What did you do, what errors are you getting? Please make sure your server has a working HTTPS configuration.

@laoshaw: Are you only asking for a pure SSH based transport without HTTPS (as in the linked git-lfs issue)? Do you experience issues when using SSH remotes? Please also make sure your server has a working HTTPS configuration.

@ukos-git

Authentication is working now.

```
ssh ssh://git@mygitproject git-lfs-authenticate user/repo download
{
  "header": {
    "Authorization": "Bearer XYZ"
  },
  "href": "https://mygitproject/user/repo.git/info/lfs"
}
```

I probably got confused during the setup.

Since the gitea implementation is actually working, we should close this issue here. Implementation of scp is an upstream git-lfs problem.
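The token that fabian-z's snippet signs and that appears as `Authorization: Bearer …` in ukos-git's output, seen from the side that receives it over HTTPS. This is an added example, not Gitea's code and not the jwt library: a standard-library check that the bearer token is authentic, inside its `nbf`/`exp` window, and scoped to the requested repo and operation. `Sign`, `Verify`, `tag`, the secret and the claim values are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
// tag returns the base64url HS256 MAC over the "header.payload" signing input.
func tag(msg string, secret []byte) string {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(msg))
	return b64.EncodeToString(h.Sum(nil))
}

// Sign builds "Bearer <jwt>" over a JSON claims payload (stand-in for the jwt library call).
func Sign(payload string, secret []byte) string {
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(payload))
	return "Bearer " + msg + "." + tag(msg, secret)
}

// Verify recomputes HS256 itself (the token's "alg" is never consulted), then checks nbf/exp and repo/op scope.
func Verify(authz string, secret []byte, repo int64, op string, now int64) error {
	p := strings.Split(strings.TrimPrefix(authz, "Bearer "), ".")
	if !strings.HasPrefix(authz, "Bearer ") || len(p) != 3 ||
		!hmac.Equal([]byte(p[2]), []byte(tag(p[0]+"."+p[1], secret))) {
		return fmt.Errorf("malformed token or bad signature")
	}
	var c struct { // lowercase claim keys match these fields case-insensitively
		Repo, Exp, Nbf int64
		Op             string
	}
	raw, _ := b64.DecodeString(p[1])
	if json.Unmarshal(raw, &c) != nil || now < c.Nbf || now >= c.Exp {
		return fmt.Errorf("claims unreadable or outside nbf/exp window")
	}
	if c.Repo != repo || c.Op != op {
		return fmt.Errorf("token not scoped to repo %d op %q", repo, op)
	}
	return nil
}

func main() { // constructed sample: a download token presented for an upload
	tok := Sign(`{"repo":7,"op":"download","nbf":1700000000,"exp":1700001200}`, []byte("constructed-secret"))
	fmt.Println(Verify(tok, []byte("constructed-secret"), 7, "upload", 1700000600))
}
```

Because the claims are read only after the MAC matches, a payload edited from `download` to `upload` fails at the signature step, and an untouched `download` token fails at the scope step.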

@lunny lunny removed this from the 1.x.x milestone Feb 28, 2019
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020