Does `pijul clone` utilizing SSH Certificates work?

Does pijul support push/pull over SSH to servers that only authenticate via SSH certificates? (Note that this isn’t public key authentication, but SSH CA for clients connecting to the server).

I tested this against two servers with the same repo. One configured with just SSH public key authentication and another with SSH certificate authentication. The former works, while the latter always responds with:

```
[zamu@local-lan ~]$ RUST_LOG=INFO pijul clone zamu@remote.lan:~/gallery-viewer
[2022-09-29T18:34:58Z INFO thrussh_keys::agent::client] Unsupported key type: Ok("ssh-ed25519-cert-v01@openssh.com")
Password for zamu@remote.lan:
Error: Not authenticated
```

This doesn’t work yet, unfortunately. I never heard of that feature in SSH, do you know whether this is in an RFC or OpenSSH-specific?

Unfortunately I think it’s an OpenSSH feature. But it is widely used in industry for deployments that have large numbers of servers and/or users (e.g. Facebook, Uber, Netflix, Intercom, Lyft).

Looking into it, the best place to find official documentation is in OpenSSH’s ssh-keygen man page, under the Certificates section.


All the companies named have write-ups regarding this, but I can only post two links.
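
An added example, not part of the thread and not code from pijul or thrussh: the key type in the log line above is the algorithm name that leads an SSH public key blob, and OpenSSH certificates carry the `-cert-v01@openssh.com` suffix on the base key type. The sketch below reads that leading length-prefixed name and separates plain keys from certificates; `KeyKind`, `classify` and `sample_blob` are hypothetical names, and the sample blobs are constructed.

```rust
// Added example. SSH wire format: uint32 big-endian length, then that many
// bytes of algorithm name, then the key (or certificate) body.

#[derive(Debug, PartialEq)]
enum KeyKind {
    Plain(String),       // e.g. "ssh-ed25519"
    Certificate(String), // base key type of an OpenSSH certificate
}

const CERT_SUFFIX: &str = "-cert-v01@openssh.com";

/// Read the leading length-prefixed algorithm name, rejecting short input.
fn read_algorithm(blob: &[u8]) -> Result<&str, &'static str> {
    let p = blob.get(..4).ok_or("blob shorter than length prefix")?;
    let len = u32::from_be_bytes([p[0], p[1], p[2], p[3]]) as usize;
    let name = blob
        .get(4..)
        .and_then(|rest| rest.get(..len))
        .ok_or("truncated algorithm name")?;
    std::str::from_utf8(name).map_err(|_| "algorithm name is not UTF-8")
}

/// Classify a key blob as a plain public key or an OpenSSH certificate.
fn classify(blob: &[u8]) -> Result<KeyKind, &'static str> {
    let alg = read_algorithm(blob)?;
    Ok(match alg.strip_suffix(CERT_SUFFIX) {
        Some(base) if !base.is_empty() => KeyKind::Certificate(base.to_string()),
        _ => KeyKind::Plain(alg.to_string()),
    })
}

/// Constructed sample: a name field followed by placeholder body bytes.
fn sample_blob(alg: &str) -> Vec<u8> {
    let mut b = (alg.len() as u32).to_be_bytes().to_vec();
    b.extend_from_slice(alg.as_bytes());
    b.extend_from_slice(&[0u8; 8]); // stands in for the rest of the blob
    b
}

fn main() {
    for alg in ["ssh-ed25519", "ssh-ed25519-cert-v01@openssh.com"] {
        println!("{} -> {:?}", alg, classify(&sample_blob(alg)));
    }
}
```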