(“this thread” probably being https://nest.pijul.com/pijul/pijul/discussions/12 or https://twitter.com/helbling_cole/status/1324777474681495553 and following tweets)
Thanks, I edited the original post. I was referring to the tweets. Not enough coffee yet. :-)
Thanks for this report, I just pushed this change to Thrussh.
It turned out Thrussh hadn’t been tested with agents (such as GPG) that sign their messages using SHA1. For some context, RSA can’t sign large messages, it is mostly used to sign hashes, and SHA1 is flawed.
This is fixed now, I just published thrussh-keys 0.18.1.
One of my goals with Thrussh is to avoid outdated crypto as much as possible. Obviously, GPG doesn’t help very much with that.
Can confirm, now it works! I just had to apply the change I submitted at https://nest.pijul.com/pijul/thrussh/discussions/4 for things to build.
Reopening, seems to me that some other problem might have been fixed, but nest.pijul.com still rejects my key.
Thanks for your patience, we’re getting there. I’ll test this soon.
Fixed and tested with gpg-agent and an RSA key. The issue was that since RSA signs only short messages, it usually signs hashes, not direct contents. The key stored in the GPG agent describes a hash algorithm, but then GPG may sign messages with a different hash algorithm.
If you get a chance, please confirm.
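The situation described in the fix above, as an added example (this is not Thrussh, thrussh-keys or GnuPG code): an SSH RSA signature blob is `string algorithm-name, string s` (RFC 4253 §6.6, RFC 8332), and the name in the blob (`ssh-rsa` = SHA-1, `rsa-sha2-256`, `rsa-sha2-512`) is what selects the hash. A verifier that instead trusts a hash algorithm recorded alongside the key rejects perfectly valid signatures whenever the agent hashes with something else. The `pub["hash"]` field standing in for "the hash algorithm the key record describes" is a hypothetical construct for the demo, as is the toy key generator and the constructed message; `allow_sha1` is an added policy knob for refusing legacy `ssh-rsa` signatures outright.

```python
import hashlib
import hmac
import math
import random
import struct

# DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 8017 section 9.2, note 1).
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
# RFC 4253 / RFC 8332: the algorithm name inside the signature blob chooses the hash.
SIG_ALG_HASH = {"ssh-rsa": "sha1", "rsa-sha2-256": "sha256", "rsa-sha2-512": "sha512"}


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def parse_ssh_strings(blob: bytes) -> list:
    """Split a blob into consecutive SSH 'string' fields; reject truncated input."""
    out, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[i:i + 4])
        i += 4
        if i + n > len(blob):
            raise ValueError("truncated string")
        out.append(blob[i:i + n])
        i += n
    return out


def emsa_pkcs1_v15(msg: bytes, hash_name: str, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo || H(msg)."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def rsa_sign(key: dict, msg: bytes, sig_alg: str) -> bytes:
    """Build the blob an agent returns: string algorithm name, string s."""
    n, d = key["n"], key["d"]
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15(msg, SIG_ALG_HASH[sig_alg], k)
    s = pow(int.from_bytes(em, "big"), d, n)
    return ssh_string(sig_alg.encode("ascii")) + ssh_string(s.to_bytes(k, "big"))


def _rsa_verify_with_hash(pub: dict, msg: bytes, s_bytes: bytes, hash_name: str) -> bool:
    n, e = pub["n"], pub["e"]
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(s_bytes, "big")
    if s >= n:
        return False
    try:
        expected = emsa_pkcs1_v15(msg, hash_name, k)
    except ValueError:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), expected)


def verify_by_key_record(pub: dict, msg: bytes, sig_blob: bytes) -> bool:
    """The failure mode: use the hash recorded with the key (hypothetical pub['hash'])
    and ignore the algorithm name the agent actually put in the signature."""
    try:
        _alg, s_bytes = parse_ssh_strings(sig_blob)
    except ValueError:
        return False
    return _rsa_verify_with_hash(pub, msg, s_bytes, pub["hash"])


def verify(pub: dict, msg: bytes, sig_blob: bytes, allow_sha1: bool = True) -> bool:
    """Correct behaviour: the blob's algorithm name selects the hash; unknown names
    are refused, and allow_sha1=False refuses legacy 'ssh-rsa' signatures."""
    try:
        alg, s_bytes = parse_ssh_strings(sig_blob)
    except ValueError:
        return False
    hash_name = SIG_ALG_HASH.get(alg.decode("ascii", "replace"))
    if hash_name is None or (hash_name == "sha1" and not allow_sha1):
        return False
    return _rsa_verify_with_hash(pub, msg, s_bytes, hash_name)


def _probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, only used for the demo key below."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_demo_key(bits: int = 1024) -> dict:
    """Toy RSA key for the demo only (random module, small size); never use in production."""
    e, half, primes = 65537, bits // 2, []
    while len(primes) < 2:
        cand = random.getrandbits(half) | (1 << (half - 1)) | 1
        if _probable_prime(cand) and cand not in primes and math.gcd(e, cand - 1) == 1:
            primes.append(cand)
    p, q = primes
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


def demo() -> dict:
    """Sign a constructed message under each algorithm name; compare the two verifiers."""
    key = gen_demo_key()
    pub = {"n": key["n"], "e": key["e"], "hash": "sha256"}  # 'hash' field is hypothetical
    msg = b"constructed SSH userauth data, not a real session"  # constructed sample input
    results = {}
    for alg in SIG_ALG_HASH:
        sig = rsa_sign(key, msg, alg)
        results[alg] = (verify_by_key_record(pub, msg, sig), verify(pub, msg, sig))
    results["ssh-rsa with sha1 refused"] = verify(pub, msg, rsa_sign(key, msg, "ssh-rsa"), allow_sha1=False)
    results["tampered message"] = verify(pub, msg + b"!", rsa_sign(key, msg, "rsa-sha2-256"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the key-record verifier accepting only the one algorithm that happens to match its stored hash, while the blob-driven verifier accepts all three genuine signatures, still rejects a tampered message, and can be told to refuse SHA-1 as a policy decision rather than by accident.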
Confirmed! I am now able to use pijul clone with the nest via ssh. Thank you! :-)
This has been discussed elsewhere, e.g. in this thread by @cole-h (edit: forgot the link: https://twitter.com/helbling_cole/status/1324777474681495553), but I figured it would be good to have a tracking issue for it. I’m not sure this is the right place for it though, so please direct me elsewhere if that’s the case. :-)
It appears on the surface as if the ssh server on nest.pijul.com is, for some reason, unable to authenticate users using gpg-agent, or perhaps it’s related to gpg auth subkeys. For instance, I have an RSA subkey that works just fine with my openssh servers, but nest.pijul.com does not acknowledge it.
I’m unsure exactly what kind of debug information you’d like, but here’s a snip for ssh -vvv using that key for nest.pijul.com
And then it moves on to other authentication methods. For contrast, with an openssh server that accepts it: