I’m having an issue with ssh.
A clean install of gogs (from binary) has 2 users. Built in ssh server is enabled but none of the users has added an ssh key.
After creating a bare clone from a bitbucket repository, setting gogs as origin and pushing it, everything seems to be OK. All branches are there as well as all commit info,etc. The problem is that I am able to clone the repository using ssh. Since my user does not have an ssh-key and there are no deploy keys for the repository set in gogs, this should not be possible.
When the second user imports an other bitbucket repository (to which I do not have access in bitbucket) I am not able to clone it using ssh.
So it seems there is some meta data in the repository that contains ssh pubkeys and they are also used to verify access to the repository. This could be a security risk; if an ex-employee, that once had access, can still use his ssh-key even though he/she does not even have a user on gogs.
Is there a way to make sure only access is granted if the user has propper access defined in gogs?