add keyinit to better mimick behavior of ssh-keygen

Author: TheFox0x7

modules/ssh/ssh.go

@@ -373,17 +373,16 @@ func Listen(host string, port int, ciphers, keyExchanges, macs []string) {
 	}
 
 	if len(keys) == 0 {
-		for i := range 3 {
-			filename := setting.SSH.ServerHostKeys[i]
-			filePath := filepath.Dir(filename)
-			if err := os.MkdirAll(filePath, os.ModePerm); err != nil {
-				log.Error("Failed to create dir %s: %v", filePath, err)
-			}
-			err := GenKeyPair(filename)
-			if err != nil {
-				log.Fatal("Failed to generate private key: %v", err)
-			}
-			log.Trace("New private key is generated: %s", filename)
+		filePath := filepath.Dir(setting.SSH.ServerHostKeys[0])
+		if err := os.MkdirAll(filePath, os.ModePerm); err != nil {
+			log.Error("Failed to create dir %s: %v", filePath, err)
+		}
+		err := initDefaultKeys(filePath)
+		if err != nil {
+			log.Fatal("Failed to generate private key: %v", err)
+		}
+		for _, keytype := range []string{"rsa", "ecdsa", "ed25519"} {
+			filename := filePath + "/gitea." + keytype
 			keys = append(keys, filename)
 		}
 	}
@@ -405,17 +404,12 @@ func Listen(host string, port int, ciphers, keyExchanges, macs []string) {
 // GenKeyPair make a pair of public and private keys for SSH access.
 // Public key is encoded in the format for inclusion in an OpenSSH authorized_keys file.
 // Private Key generated is PEM encoded
-func GenKeyPair(keyPath string) error {
+func GenKeyPair(keyPath, keytype string) error {
 	bits := 4096
-	keytype := filepath.Ext(keyPath)
-	if keytype == ".ed25519" {
-		keytype = "ed25519"
-	} else if keytype == ".ecdsa" {
+	if keytype == "ecdsa" {
 		bits = 256
-		keytype = "ecdsa"
-	} else {
-		keytype = "rsa"
 	}
+
 	publicKey, privateKeyPEM, err := generate.NewSSHKey(keytype, bits)
 	if err != nil {
 		return err
@@ -448,3 +442,19 @@ func GenKeyPair(keyPath string) error {
 	_, err = p.Write(public)
 	return err
 }
+
+// initDefaultKeys mirrors how ssh-keygen -A operates
+// it runs checks if public and private keys are already defined and creates new ones if not present
+// key naming does not follow the openssh convention due to existing settings being gitea.{keytype} so generation follows gitea convention
+func initDefaultKeys(path string) error {
+	var errs []error
+	keytypes := []string{"rsa", "ecdsa", "ed25519"}
+	for _, keytype := range keytypes {
+		privExists, _ := util.IsExist(path + "/gitea." + keytype)
+		pubExists, _ := util.IsExist(path + "/gitea." + keytype + ".pub")
+		if !privExists || !pubExists {
+			errs = append(errs, GenKeyPair(path+"/gitea."+keytype, keytype))
+		}
+	}
+	return errors.Join(errs...)
+}

modules/ssh/ssh_test.go

@@ -1,7 +1,7 @@
 // Copyright 2025 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 
-package ssh_test
+package ssh
 
 import (
 	"crypto/ecdsa"
@@ -12,35 +12,33 @@ import (
 	"path/filepath"
 	"testing"
 
-	"code.gitea.io/gitea/modules/ssh"
-
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	gossh "golang.org/x/crypto/ssh"
 )
 
 func TestGenKeyPair(t *testing.T) {
 	testCases := []struct {
-		keyPath      string
+		keyType      string
 		expectedType any
 	}{
 		{
-			keyPath:      "/gitea.rsa",
+			keyType:      "rsa",
 			expectedType: &rsa.PrivateKey{},
 		},
 		{
-			keyPath:      "/gitea.ed25519",
+			keyType:      "ed25519",
 			expectedType: &ed25519.PrivateKey{},
 		},
 		{
-			keyPath:      "/gitea.ecdsa",
+			keyType:      "ecdsa",
 			expectedType: &ecdsa.PrivateKey{},
 		},
 	}
 	for _, tC := range testCases {
-		t.Run("Generate "+filepath.Ext(tC.keyPath), func(t *testing.T) {
-			path := t.TempDir() + tC.keyPath
-			require.NoError(t, ssh.GenKeyPair(path))
+		t.Run("Generate "+filepath.Ext(tC.keyType), func(t *testing.T) {
+			path := t.TempDir() + "gitea." + tC.keyType
+			require.NoError(t, GenKeyPair(path, tC.keyType))
 
 			file, err := os.Open(path)
 			require.NoError(t, err)
@@ -53,4 +51,68 @@ func TestGenKeyPair(t *testing.T) {
 			assert.IsType(t, tC.expectedType, privateKey)
 		})
 	}
+	t.Run("Generate unknown keytype", func(t *testing.T) {
+		path := t.TempDir() + "gitea.badkey"
+
+		err := GenKeyPair(path, "badkey")
+		require.Error(t, err)
+	})
+}
+
+func TestInitKeys(t *testing.T) {
+	tempDir := t.TempDir()
+
+	keytypes := []string{"rsa", "ecdsa", "ed25519"}
+	for _, keytype := range keytypes {
+		privKeyPath := filepath.Join(tempDir, "gitea."+keytype)
+		pubKeyPath := filepath.Join(tempDir, "gitea."+keytype+".pub")
+		assert.NoFileExists(t, privKeyPath)
+		assert.NoFileExists(t, pubKeyPath)
+	}
+
+	// Test basic creation
+	err := initDefaultKeys(tempDir)
+	require.NoError(t, err)
+
+	metadata := map[string]os.FileInfo{}
+	for _, keytype := range keytypes {
+		privKeyPath := filepath.Join(tempDir, "gitea."+keytype)
+		pubKeyPath := filepath.Join(tempDir, "gitea."+keytype+".pub")
+		assert.FileExists(t, privKeyPath)
+		assert.FileExists(t, pubKeyPath)
+
+		info, err := os.Stat(privKeyPath)
+		require.NoError(t, err)
+		metadata[privKeyPath] = info
+
+		info, err = os.Stat(pubKeyPath)
+		require.NoError(t, err)
+		metadata[pubKeyPath] = info
+	}
+
+	// Test recreation on missing public or private key
+	require.NoError(t, os.Remove(filepath.Join(tempDir, "gitea.ecdsa.pub")))
+	require.NoError(t, os.Remove(filepath.Join(tempDir, "gitea.ed25519")))
+
+	err = initDefaultKeys(tempDir)
+	require.NoError(t, err)
+
+	for _, keytype := range keytypes {
+		privKeyPath := filepath.Join(tempDir, "gitea."+keytype)
+		pubKeyPath := filepath.Join(tempDir, "gitea."+keytype+".pub")
+		assert.FileExists(t, privKeyPath)
+		assert.FileExists(t, pubKeyPath)
+
+		infoPriv, err := os.Stat(privKeyPath)
+		require.NoError(t, err)
+		infoPub, err := os.Stat(pubKeyPath)
+		require.NoError(t, err)
+		if keytype == "rsa" {
+			assert.Equal(t, metadata[privKeyPath], infoPriv)
+			assert.Equal(t, metadata[pubKeyPath], infoPub)
+		} else {
+			assert.NotEqual(t, metadata[privKeyPath], infoPriv)
+			assert.NotEqual(t, metadata[pubKeyPath], infoPub)
+		}
+	}
 }