Does `pijul clone` utilizing SSH Certificates work?

Does pijul support push/pull over SSH to servers that only authenticate via SSH certificates? (Note that this isn’t public key authentication, but SSH CA for clients connecting to the server).

I tested this against two servers with the same repo. One configured with just SSH public key authentication and another with SSH certificate authentication. The former works, while the latter always responds with:

[zamu@local-lan ~]$ RUST_LOG=INFO pijul clone zamu@remote.lan:~/gallery-viewer
[2022-09-29T18:34:58Z INFO thrussh_keys::agent::client] Unsupported key type: Ok("")
Password for zamu@remote.lan: 
Error: Not authenticated

This doesn’t work yet, unfortunately. I never heard of that feature in SSH, do you know whether this is in an RFC or OpenSSH-specific?

Unfortunately I think it’s an OpenSSH feature. But it is widely used in industry for deployments that have large numbers of servers and/or users (eg. Facebook, Uber, Netflix, Intercom, Lyft).

Looking into it, the best place to find official documentation is in OpenSSH’s ssh-keygen man page, under the Certificates section.

All the companies named have write-ups regarding this, but I can only post two links.