How can SSH access be possible if no pubkey was added

I’m having an issue with ssh.

A clean install of Gogs (from binary) has 2 users. The built-in SSH server is enabled, but none of the users has added an SSH key.

After creating a bare clone from a Bitbucket repository, setting Gogs as origin and pushing it, everything seems to be OK. All branches are there, as well as all commit info, etc. The problem is that I am able to clone the repository using SSH. Since my user does not have an SSH key and there are no deploy keys set for the repository in Gogs, this should not be possible.
When the second user imports another Bitbucket repository (to which I do not have access in Bitbucket), I am not able to clone it using SSH.

So it seems there is some metadata in the repository that contains SSH pubkeys, and they are also used to verify access to the repository. This could be a security risk: an ex-employee who once had access could still use his/her SSH key even though he/she does not even have a user on Gogs.

Is there a way to make sure access is only granted if the user has proper access defined in Gogs?

Try setting your repository to private in the repository's settings UI.

It seems that Gogs is similar to GitHub. There are 2 basic access types for repositories: public and private. Everyone (even unregistered users) has read access to public repositories. Only permitted users can access private repositories.

You may try to create an organization. Put users and repositories into the organization, and configure it so that only organization members can access these repositories. You can remove a user from the organization if someone leaves, so that the user can no longer access these repositories. I have not tried that. You can figure it out.
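A first check a practitioner would run in the situation described in the question, as an added example that is not part of the original thread and not Gogs code: run `ssh -vT git@<gogs-host> 2>&1` and look at which identity the client offered and which one the server accepted, because an ssh-agent or `~/.ssh` may hold a key the user forgot about. The script below parses that debug output. The log lines, key paths and fingerprints are constructed samples, and the line formats are assumed to follow OpenSSH 8.x `debug1` output; other versions word these lines slightly differently, so adjust the patterns if nothing matches.

```shell
#!/bin/sh
# Added example (not from the thread or from Gogs): summarise which key an
# OpenSSH client actually authenticated with, from `ssh -vT git@<host> 2>&1`.
# Patterns assume OpenSSH 8.x debug1 wording.

# Constructed sample of ssh -v output: the agent offers a current key that the
# server rejects, then an old key that the server accepts. Hypothetical paths
# and fingerprints.
SAMPLE_SSH_LOG='debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/alice/.ssh/id_rsa RSA SHA256:AAAA1111 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/alice/.ssh/old_work_key ED25519 SHA256:BBBB2222 agent
debug1: Server accepts key: /home/alice/.ssh/old_work_key ED25519 SHA256:BBBB2222 agent
debug1: Authentication succeeded (publickey).'

# ssh_auth_summary: read ssh -v output on stdin and print one line,
#   "<auth method> <accepted key path or ->"
# so the caller can see whether a key was accepted and which file it came from.
ssh_auth_summary() {
    accepted='-'
    method='none'
    while IFS= read -r line; do
        case "$line" in
            *"Server accepts key: "*)
                # strip everything up to the path, then the trailing type/fingerprint
                accepted=${line#*Server accepts key: }
                accepted=${accepted%% *}
                ;;
            *"Authentication succeeded ("*)
                # keep only the method name inside the parentheses
                method=${line#*Authentication succeeded (}
                method=${method%%)*}
                ;;
        esac
    done
    printf '%s %s\n' "$method" "$accepted"
}

# offered_keys: list every key path the client offered, in order, one per line.
offered_keys() {
    while IFS= read -r line; do
        case "$line" in
            *"Offering public key: "*)
                k=${line#*Offering public key: }
                printf '%s\n' "${k%% *}"
                ;;
        esac
    done
}

# Stand-alone usage on the constructed sample. For a real check, replace the
# sample with:  ssh -vT git@gogs.example 2>&1 | ssh_auth_summary
printf '%s\n' "$SAMPLE_SSH_LOG" | ssh_auth_summary
printf '%s\n' "$SAMPLE_SSH_LOG" | offered_keys
```

If the summary names a key file that is not registered on the Gogs user, that file (or the agent holding it) is where the unexpected access comes from; if it reports `none -`, the clone succeeded without public-key authentication at all, which points at the repository being readable anonymously rather than at a key problem.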