- This post is based on Gogs 0.8.47.0227.
- If you want to disable the SSH feature, simply set [server] DISABLE_SSH = true and skip the rest of this post.
There are two cases when setting up SSH for Gogs.
1. Use standalone service like OpenSSH server
[server] SSH_DOMAIN: defines which domain is exposed in the clone URL. You can leave it blank to use the same value as your web server domain (
[server] SSH_PORT: defines which port the SSH service is listening on; this is the port number exposed in the clone URL. The default value is 22, and in most cases you don’t need to change it.
Gogs needs to generate special commands along with your public keys to the
command="/path/to/gogs serv key-1 --config='/path/to/custom/conf/app.ini'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3M...
This is why you have to add your public key through the Gogs web UI, and why you want to make sure the same public key exists only once in the file, which is generated by Gogs.
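A check for the file described above, as an added example that is not part of the original post or of Gogs: it parses authorized_keys entries and reports key blobs that appear more than once, entries with no forced command, and entries missing the restrictions shown in the line above. The sample file and its key blobs are constructed, and the check assumes the file belongs to a user dedicated to Gogs, so every entry should carry a forced command.

```python
# Restrictions carried by the Gogs-generated entry shown in the post.
REQUIRED = {"no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample: the key blobs are placeholders, not real keys.
SAMPLE = '''\
command="/path/to/gogs serv key-1 --config='/path/to/custom/conf/app.ini'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAplaceholder1
ssh-rsa AAAAplaceholder1 alice@laptop
command="/path/to/gogs serv key-2 --config='/path/to/custom/conf/app.ini'",no-port-forwarding,no-pty ssh-rsa AAAAplaceholder2
'''

def split_entry(line):
    """Split an authorized_keys line into (options, key_blob); quoted option
    values may contain spaces and commas, so scan instead of str.split()."""
    if line.startswith(KEY_PREFIXES):            # entry has no options field
        return [], line.split()[1]
    opts, cur, quoted, prev = [], "", False, ""
    for i, ch in enumerate(line):
        if ch == '"' and prev != "\\":           # unescaped quote toggles state
            quoted = not quoted
        if not quoted and ch in " \t":           # first bare space ends options
            break
        if not quoted and ch == ",":
            opts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    opts.append(cur)
    return opts, line[i:].split()[1]

def audit(text):
    """Return (line_number, finding) pairs for an authorized_keys file."""
    findings, first_seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, blob = split_entry(line)
        if blob in first_seen:
            findings.append((n, "duplicate of line %d" % first_seen[blob]))
        first_seen.setdefault(blob, n)
        forced = [o for o in opts if o.startswith('command="')]
        if not forced:
            findings.append((n, "no forced command"))
        elif REQUIRED - set(opts):
            findings.append((n, "missing " + ",".join(sorted(REQUIRED - set(opts)))))
    return findings
```

sshd uses the first entry that matches a presented key, so a duplicate decides whether that key reaches the Gogs command or something else.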
In case your SSH service does not use the ~/.ssh/authorized_keys file to store public keys, you can configure [server] SSH_ROOT_PATH to be the directory which contains
If you messed up the authorized_keys file, don’t panic: go to /admin and execute the operation Rewrite '.ssh/authorized_keys' file.
While using a standalone SSH service, you are no longer able to log in to a remote shell with the same public key; that’s why we recommend you create a separate user specifically for Gogs.
Another way to get around this is to generate a separate public key only for Gogs, such as ~/.ssh/id_rsa_gogs.pub on your local computer. Then configure your ~/.ssh/config file in the following way (adjust your settings):
Host gogs
    HostName git.example.com
    IdentityFile ~/.ssh/id_rsa_gogs
    IdentitiesOnly Yes
There are some config settings you typically do not need to care about, but just in case you encounter some problem:
- SSH_KEY_TEST_PATH: the directory in which to generate the temporary public key file to verify with ssh-keygen. The default is the system temporary directory.
- SSH_KEYGEN_PATH: indicates which ssh-keygen program you want to use. The default is ssh-keygen, which lets the shell find out which one to use.
- MINIMUM_KEY_SIZE_CHECK: indicates whether to check the minimum size of public keys. The default value is
- [ssh.minimum_key_sizes] section: this section defines the minimum sizes of public keys; -1 means a particular key is disabled.
2. Use built-in SSH server
To use the built-in SSH server, you need to set [server] START_SSH_SERVER = true. It shares the same config options to compose the clone URL.
By default, it listens on the same port as exposed in the clone URL. You can change the listening port through the config option [server] SSH_LISTEN_PORT to 2222 or whatever.
The built-in SSH server does not rely on the authorized_keys file because it directly searches the database.
To confirm the built-in SSH server actually starts, check your Gogs console logs for the following line:
... 2016/02/25 00:21:50 [I] SSH server started on :2222 ...
Use SQLite3 as database
If you’re using SQLite3 as your database backend, it is recommended that you put the absolute path for config option
You can go to the admin dashboard (/admin/config) to verify if your settings are taking effect:
Please leave comments if you have any questions or concerns about this post.