Does `pijul clone` utilizing SSH Certificates work?

zamu · September 29, 2022, 6:39pm

Does pijul support push/pull over SSH to servers that only authenticate via SSH certificates? (Note that this isn’t public key authentication, but SSH CA for clients connecting to the server).

I tested this against two servers with the same repo. One configured with just SSH public key authentication and another with SSH certificate authentication. The former works, while the latter always responds with:

[zamu@local-lan ~]$ RUST_LOG=INFO pijul clone zamu@remote.lan:~/gallery-viewer
[2022-09-29T18:34:58Z INFO thrussh_keys::agent::client] Unsupported key type: Ok("ssh-ed25519-cert-v01@openssh.com")
Password for zamu@remote.lan: 
Error: Not authenticated

pmeunier · September 29, 2022, 7:34pm

This doesn’t work yet, unfortunately. I never heard of that feature in SSH, do you know whether this is in an RFC or OpenSSH-specific?

zamu · September 29, 2022, 9:09pm

Unfortunately I think it’s an OpenSSH feature. But it is widely used in industry for deployments that have large numbers of servers and/or users (eg. Facebook, Uber, Netflix, Intercom, Lyft).

Looking into it, the best place to find official documentation is in OpenSSH’s ssh-keygen man page, under the Certificates section.

All the companies named have write-ups regarding this, but I can only post two links.

Topic		Replies	Views
Problem Cloning via SSH Question	2	752	May 12, 2019
Using pijul on a private server Question	8	1430	September 26, 2017
How to make ssh/auth work with pijul Question	7	1906	November 29, 2017
Help on SSH in the Nest Question	3	468	November 16, 2020
Connect to nest.pijul.com with ssh Question	6	723	July 3, 2021

Does `pijul clone` utilizing SSH Certificates work?

Related topics