LoginGraceTime on second push

[TobiZog]

Description

If I pushed something to my Gitea instance, everything works fine. But the second, third, ... push will be rejected sometimes. The server shows these logs:

2025-04-11T10:22:29.612108921Z Timeout before authentication for connection from 172.18.0.8 to 172.18.0.4, pid = 4246
2025-04-11T10:22:39.011155983Z drop connection #1 from [172.18.0.8]:52934 on [172.18.0.4]:22 penalty: exceeded LoginGraceTime
2025-04-11T10:22:42.360812378Z drop connection #1 from [172.18.0.8]:52936 on [172.18.0.4]:22 penalty: exceeded LoginGraceTime
2025-04-11T10:23:00.528575636Z drop connection #1 from [172.18.0.8]:52938 on [172.18.0.4]:22 penalty: exceeded LoginGraceTime
2025-04-11T10:24:24.805145353Z Timeout before authentication for connection from 172.18.0.8 to 172.18.0.4, pid = 4247
2025-04-11T10:24:32.999645959Z drop connection #1 from [172.18.0.8]:52942 on [172.18.0.4]:22 penalty: exceeded LoginGraceTime
2025-04-11T10:25:48.791944890Z drop connection #1 from [172.18.0.8]:52944 on [172.18.0.4]:22 penalty: exceeded LoginGraceTime
2025-04-11T10:26:20.688798443Z Timeout before authentication for connection from 172.18.0.8 to 172.18.0.4, pid = 4249
2025-04-11T10:27:33.213804692Z drop connection #1 from [172.18.0.8]:52948 on [172.18.0.4]:22 penalty: exceeded LoginGraceTime
2025-04-11T10:28:15.095043988Z Timeout before authentication for connection from 172.18.0.8 to 172.18.0.4, pid = 4250
2025-04-11T10:29:13.283563979Z drop connection #1 from [172.18.0.8]:52952 on [172.18.0.4]:22 penalty: exceeded LoginGraceTime
2025-04-11T10:30:12.126807386Z Timeout before authentication for connection from 172.18.0.8 to 172.18.0.4, pid = 4251
2025-04-11T10:30:51.105629466Z drop connection #0 from [172.18.0.8]:52954 on [172.18.0.4]:22 penalty: exceeded LoginGraceTime
2025-04-11T10:30:53.483504451Z drop connection #0 from [172.18.0.8]:52956 on [172.18.0.4]:22 penalty: exceeded LoginGraceTime
2025-04-11T10:30:57.298266364Z drop connection #0 from [172.18.0.8]:52958 on [172.18.0.4]:22 penalty: exceeded LoginGraceTime
2025-04-11T10:31:05.665168030Z drop connection #0 from [172.18.0.8]:52960 on [172.18.0.4]:22 penalty: exceeded LoginGraceTime

Sometimes it helps to close the bash and reopens it. Sometimes it helps to wait for a couple of minutes until the next push. Always a system restart helps. But only for one push. The next pushes shows the same result.

Git-Log on client:

2025-04-11 12:37:10.438 [info] > git push origin main:main [94ms]
2025-04-11 12:37:10.438 [info] Connection closed by 161.xxx.xxx.xxx port 22
fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository exists.

Gitea Version

1.23.7

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

2.47.2

Operating System

Ubuntu 22.04.3 LTS

How are you running Gitea?

Running Gitea on my self hosted V-Server. OS is Ubuntu 22.04.3 LTS with kernel 5.15.0-25-generic. I'm using traefik as reverse proxy. My docker-compose file:

version: "3"

services:
  server:
    image: gitea/gitea:latest
    container_name: gitea-app
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: always
    networks:
      - default
      - proxy
    volumes:
      - gitea-data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    labels:
      # Frontend
      - "traefik.enable=true"
      - "traefik.http.routers.gitea.entrypoints=https"
      - "traefik.http.routers.gitea.rule=Host(`gitea.${TLD}`)"
      - "traefik.http.routers.gitea.tls=true"
      - "traefik.http.routers.gitea.tls.certresolver=http"
      - "traefik.http.routers.gitea.middlewares=default@file"
      - "traefik.http.routers.gitea.service=gitea"
      - "traefik.http.services.gitea.loadbalancer.server.port=3000"
      - "traefik.docker.network=proxy"
      
      # SSH
      - "traefik.tcp.routers.gitea-ssh.entrypoints=git-ssh"
      - "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.gitea-ssh.service=gitea-ssh"
      - "traefik.tcp.services.gitea-ssh.loadbalancer.server.port=22"

  maria-db:
    image: mariadb
    container_name: gitea-db
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: ${POSTGRES_PASSWD}
      MYSQL_USER: gitea
      MYSQL_DATABASE: gitea
      MYSQL_PASSWORD: ${POSTGRES_PASSWD}
    volumes:
      - mariadb-data:/var/lib/mysql
    expose:
      - 8080

networks:
  gitea:
    external: false
  proxy:
    external: true

volumes:
  gitea-data:
    name: gitea-data
  mariadb-data:
    name: gitea-database

Database

MySQL/MariaDB

[lunny]

Looks like a configuration problem.

[TobiZog]

But what kind of error? What should I try? Or do you need more information?

[cmellwig]

@TobiZog I've been running into this as well since a recent update (forgejo 11, don't know the gitea version that relates to). I have a similar traefik and docker setup for it.

Found this PR on forgejo k8s-cluster which I carried over and it solved the issue for me.

For your traefik setup you can bind mount a file like /etc/ssh/sshd_config.d/penalties.conf with the content:

LoginGraceTime 0
PerSourcePenalties no

into the sshd config by adding the include folder (or a single include) via the SSH_INCLUDE_FILE env.

In compose yaml define the folder/config that should be included

    environment:
      - SSH_INCLUDE_FILE=/etc/ssh/sshd_config.d/*.conf