I'm using OpenSSH_8.4p1 as my SSH client and set up plan9port's
ssh-agent to pull keys from factotum. I was able to follow rsa(1)
for the most part, with a few exceptions:
For converting an existing key, OpenSSH now uses its own format for
the private key that `asn12rsa` doesn't understand. You have to tell
OpenSSH to use the old format, like so:
    ssh-keygen -m PEM
To get a public key suitable for my use case (GitHub) I had to pass the
`-2` flag to rsa2ssh. For example:
    rsagen -t 'service=ssh-rsa' | tee -a factotum | rsa2ssh -2 > id_rsa.pub
This seems to go against the documentation, which states
> It decides whether to print in version 1 or version 2 format by
> inspecting the service attribute.
Finally, OpenSSH complains about the ssh-agent signature:
> agent key RSA SHA256:xxxxxxx returned incorrect signature type
SSH access still succeeds, however. I haven't debugged this yet, but I
believe what is happening is that the ssh client is passing a signature
flag to the ssh-agent asking for the stronger hash:
https://tools.ietf.org/id/draft-miller-ssh-agent-01.html#rfc.section.5.3
but the agent ignores it and uses a sha1 hash. Is there a sha256 routine
in plan9port? I looked, but could not find one. I was able to find one
in 9front. Is anyone working on updating libsec? I see issue #448:
https://github.com/9fans/plan9port/issues/448
If I have some spare cycles I can try to work on this, but I'd like some
feedback on the best way to do it. Ideally I would like to reduce the
diffs between plan9port and Plan 9, but the various Plan 9 flavors may
already be diverging.
David
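
The signature-type mismatch described in the message above, as an added example (not part of the original message, and not code from OpenSSH or plan9port): a check of whether the signature blob an agent returns carries the algorithm name that the request flags asked for. The flag values are those of the linked agent draft; the function names and sample blobs are constructed for illustration, and preferring SHA-256 when both flags are set is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Signature flags from draft-miller-ssh-agent, section 5.3. */
#define SSH_AGENT_RSA_SHA2_256 0x02
#define SSH_AGENT_RSA_SHA2_512 0x04

/* Algorithm name an RSA signature should carry for the given request flags.
 * Assumption: SHA-256 wins if both flags are set. */
const char *expected_sigtype(uint32_t flags)
{
    if (flags & SSH_AGENT_RSA_SHA2_256) return "rsa-sha2-256";
    if (flags & SSH_AGENT_RSA_SHA2_512) return "rsa-sha2-512";
    return "ssh-rsa"; /* no flag: the original SHA-1 based signature */
}

/* A signature blob starts with an SSH string (uint32 big-endian length,
 * then bytes) naming the algorithm. Returns 1 if that name matches what the
 * flags requested, 0 if it does not, -1 if the blob is truncated. */
int sigtype_matches(const uint8_t *blob, size_t len, uint32_t flags)
{
    const char *want = expected_sigtype(flags);
    uint32_t n;

    if (len < 4) return -1;
    n = (uint32_t)blob[0] << 24 | (uint32_t)blob[1] << 16 |
        (uint32_t)blob[2] << 8 | (uint32_t)blob[3];
    if (n > len - 4) return -1; /* length field points past the buffer */
    return n == strlen(want) && memcmp(blob + 4, want, n) == 0;
}

/* Constructed samples: algorithm name followed by a dummy 2-byte signature. */
static const uint8_t sha1_reply[] = {
    0, 0, 0, 7, 's', 's', 'h', '-', 'r', 's', 'a', 0, 0, 0, 2, 0xAA, 0xBB };
static const uint8_t sha256_reply[] = {
    0, 0, 0, 12, 'r', 's', 'a', '-', 's', 'h', 'a', '2', '-', '2', '5', '6',
    0, 0, 0, 2, 0xAA, 0xBB };

int main(void)
{
    /* Client asks for SHA-256; an agent that ignores the flag answers ssh-rsa. */
    printf("flag ignored: match=%d\n",
           sigtype_matches(sha1_reply, sizeof sha1_reply, SSH_AGENT_RSA_SHA2_256));
    printf("flag honoured: match=%d\n",
           sigtype_matches(sha256_reply, sizeof sha256_reply, SSH_AGENT_RSA_SHA2_256));
    return 0;
}
```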