This has been discussed elsewhere, eg. in this thread by @cole-h ( edit: forgot the link: https://twitter.com/helbling_cole/status/1324777474681495553 ) but I figured it would be good to have a tracking issue for it. I’m not sure this is the right place for it though, so please direct me elsewhere if that’s the case. :-)

It appears on the surface as if the ssh server on nest.pijul.com is, for some reason, unable to authenticate users using gpg-agent, or perhaps it’s related to gpg auth subkeys. For instance, I have an RSA subkey that works just fine with my openssh servers, but nest.pijul.com does not acknowledge it.

I’m unsure exactly what kind of debug information you’d like, but here’s a snip for ssh -vvv using that key for nest.pijul.com

debug1: Offering public key: /home/sarah/.ssh/69A6DCEE0E0C396E497BBF1B4E944A37D6E0A01A.pub RSA SHA256:WjYm2QzkdUZkLvS41OMa0zpNOy/g5UhHnHwsO9Qw0lE explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51

And then it moves on to other authentication methods. For contrast, with an openssh server that accepts it:

debug1: Offering public key: /home/sarah/.ssh/69A6DCEE0E0C396E497BBF1B4E944A37D6E0A01A.pub RSA SHA256:WjYm2QzkdUZkLvS41OMa0zpNOy/g5UhHnHwsO9Qw0lE explicit agent
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: /home/sarah/.ssh/69A6DCEE0E0C396E497BBF1B4E944A37D6E0A01A.pub RSA SHA256:WjYm2QzkdUZkLvS41OMa0zpNOy/g5UhHnHwsO9Qw0lE explicit agent
debug3: sign_and_send_pubkey: RSA SHA256:WjYm2QzkdUZkLvS41OMa0zpNOy/g5UhHnHwsO9Qw0lE
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:WjYm2QzkdUZkLvS41OMa0zpNOy/g5UhHnHwsO9Qw0lE

(“this thread” probably being https://nest.pijul.com/pijul/pijul/discussions/12 or https://twitter.com/helbling_cole/status/1324777474681495553 and following tweets)

Thanks, I edited the original post. I was referring to the tweets. Not enough coffee yet. :-)

Thanks for this report, I just pushed this change to Thrussh.

It turned out Thrussh hadn’t been tested with agents (such as GPG) that sign their messages using SHA1. For some context, RSA can’t sign large messages, it is mostly used to sign hashes, and SHA1 is flawed.

This is fixed now, I just published thrussh-keys 0.18.1.

One of my goals with Thrussh is to avoid outdated crypto as much as possible. Obviously, GPG doesn’t help very much with that.

Can confirm, now it works! I just had to apply the change I submitted at https://nest.pijul.com/pijul/thrussh/discussions/4 for things to build.

Odd, still no luck here. @cole-h what did you do to make it work? I have a pijul built against thrussh-keys 1.18.2, but the nest still doesn’t care much for me.

Reopening, seems to me that some other problem might have been fixed, but nest.pijul.com still rejects my key.

Thanks for your patience, we’re getting there. I’ll test this soon.

Fixed and tested with gpg-agent and an RSA key. The issue was that since RSA signs only short messages, it usually signs hashes, not direct contents. The key stored in the GPG agent describes a hash algorithm, but then GPG may sign messages with a different hash algorithm.

If you get a chance, please confirm.

Confirmed! I am now able to to use pijul clone with the nest via ssh. Thank you! :-)