How to make ssh/auth work with pijul


#1

I have created an account and added my public key to it.
However, trying to push my signing key or push a repo to nest.pijul.com doesn’t work.
I get this error:

pijul push hamiid@nest.pijul.com:firefox-tab
error: ring::error::Unspecified

Even trying to push my key doesn’t work:

pijul keys --upload-to hamiid@nest.pijul.com
error: ring::error::Unspecified

Is there a help/doc/guide somewhere to show how to set this up?

Thanks,


#2

Hi! Thanks for reporting this. This is supposed to be fixed when the next version of thrussh-keys comes out, but this is currently blocked by the following PR of mine in *ring*: https://github.com/briansmith/ring/pull/582


#3

Meanwhile, you can generate a special SSH key just for Pijul, using pijul keys --generate-ssh. I know this isn’t optimal.


#4

Thanks for replying.
After I do the special SSH key, how do I integrate it to pijul’s workflow and nest?


#5

I had trouble myself getting SSH auth to work, though I never ran into the ring errors.

While pijul keys --generate-ssh creates an SSH key in pkcs8 format at ~/.pijulconfig/id_ed25519.pkcs8, I couldn’t figure out how to convert/extract a public key suitable for adding to my profile on the nest.

Here are the steps I took to get SSH auth working if the --generate-ssh method doesn’t work for you.

  1. Generate an ed25519 SSH key in ~/.ssh/id_ed25519 in PEM format that isn’t password protected. (updated to correct command)
$ # ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519.der
$ # ssh-keygen -f ~/.ssh/id_ed25519.der -e -m pem > ~/.ssh/id_ed25519
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
  2. Copy the public key ~/.ssh/id_ed25519.pub to your nest profile.

  3. Profit

I never tested to see if pijul could load the DER file format, so the PEM conversion may not be necessary, but the final key must be ~/.ssh/id_ed25519.

I also built pijul from the latest source. Dunno if you need to do the same or not. I can provide pointers there if needed.

I used ed25519 because pijul was reporting errors with the RSA key I made. Though, after looking at pijul’s code, I suspect it wanted both the public and private keys, and I had my RSA pubkey outside ~/.ssh.


#6

What version of ssh-keygen are you using? I am getting do_convert_to_pem: unsupported key type ED25519

(tried on macOS, OpenSSH_7.6p1, and Debian OpenSSH_6.7p1)


#7

I got it to work without the conversion!
So I just created an ed25519 key pair and made sure, as you said, the naming was id_ed25519.
Uploaded the public key to nest, and after the initial push I got

The authenticity of host "nest.pijul.com":22 cannot be established.

followed by pushing the commits.


#8

You’re right. I’m using openssh 7.6p1 and forgot about the unsupported key type. The conversion wasn’t necessary as you found. Sorry about that.

The authenticity of host “nest.pijul.com”:22 cannot be established.

Not sure why you ran into that, but pretty sure it means your client wasn’t able to fingerprint the server’s SSH key, or at least recognize the fingerprint. This is done so that the next time you SSH into the server, your client can verify whether it connected to the same host or a different host.

I may have seen that message appear once after pmeunier migrated the nest to another server, but I don’t recall the exact message I saw and it hasn’t happened since.

Congrats on getting SSH auth working. :slight_smile:
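
The host-key check described in post #8, as an added example that is not part of the thread and is not pijul's or thrussh's code: it validates OpenSSH-format ed25519 public key lines, computes the SHA256 fingerprint in the form `ssh-keygen -l` prints, and compares an offered host key with a previously pinned one. The key lines are constructed byte patterns, and `host_key_status` and `make_pub_line` are hypothetical names.

```python
import base64, hashlib, struct

def read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def parse_ed25519_pub(line):
    """Validate an 'ssh-ed25519 <base64> [comment]' line; return the key blob."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-ed25519":
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(fields[1], validate=True)
    algo, off = read_string(blob, 0)
    key, off = read_string(blob, off)
    # The type inside the blob must agree with the prefix, with no trailing data.
    if algo != b"ssh-ed25519" or len(key) != 32 or off != len(blob):
        raise ValueError("blob is not a well-formed ed25519 key")
    return blob

def fingerprint(blob):
    """SHA256 fingerprint: unpadded base64 of the digest of the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_status(pinned_fp, offered_line):
    """Compare the key a server offers with the fingerprint pinned earlier."""
    offered = fingerprint(parse_ed25519_pub(offered_line))
    if pinned_fp is None:
        return "unknown"   # first contact: nothing recorded to compare against
    return "match" if offered == pinned_fp else "CHANGED"

def make_pub_line(raw32, comment):
    """Build a constructed sample key line (not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

# Constructed sample keys: fixed byte patterns, not keys of any real host.
OLD_HOST = make_pub_line(bytes(range(32)), "constructed-host-a")
NEW_HOST = make_pub_line(bytes(range(32, 64)), "constructed-host-b")

if __name__ == "__main__":
    pinned = fingerprint(parse_ed25519_pub(OLD_HOST))
    for fp, line in ((None, OLD_HOST), (pinned, OLD_HOST), (pinned, NEW_HOST)):
        print(host_key_status(fp, line))
```

The "unknown" case corresponds to a first connection, and "CHANGED" is what a client sees when the server presents a different key than the one recorded, for example after a migration.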