From 0dd56f8a630c8c6753be81008216a71aa2f4a07d Mon Sep 17 00:00:00 2001
From: dovholuknf <46322585+dovholuknf@users.noreply.github.com>
Date: Tue, 10 Sep 2024 12:01:15 -0400
Subject: [PATCH] attempt to be helpful. test if the key provided to ssh is a pubkey and if oidc only add jwt as primary AND secondary creds
---
 zsshlib/authenticate.go | 1 +
 zsshlib/ssh.go | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/zsshlib/authenticate.go b/zsshlib/authenticate.go
index 24749fb..1411bd8 100644
--- a/zsshlib/authenticate.go
+++ b/zsshlib/authenticate.go
@@ -51,6 +51,7 @@ func NewContext(flags *SshFlags, enableMfaListener bool) ziti.Context {
 		ZtAPI:       ozController + "/edge/client/v1",
 		Credentials: credentials,
 	}
+	credentials.AddJWT(oidcToken) // satisfy the ext-jwt-auth primary + secondary
 	cfg.ConfigTypes = append(cfg.ConfigTypes, "all")
 	c, ctxErr := ziti.NewContext(cfg)
diff --git a/zsshlib/ssh.go b/zsshlib/ssh.go
index e3ae105..45db13a 100644
--- a/zsshlib/ssh.go
+++ b/zsshlib/ssh.go
@@ -305,6 +305,10 @@ func sshAuthMethodFromFile(keyPath string) (ssh.AuthMethod, error) {
 	if err != nil {
 		return nil, fmt.Errorf("could not read zssh file [%s]: %w", keyPath, err)
 	}
+	_, _, _, _, pubkeyErr := ssh.ParseAuthorizedKey(content)
+	if pubkeyErr == nil {
+		log.Fatal("the provided key for ssh authentication is a public key, but a private key is required")
+	}
 	if signer, err := ssh.ParsePrivateKey(content); err == nil {
 		return ssh.PublicKeys(signer), nil
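Review bot: The added `credentials.AddJWT(oidcToken)` in NewContext runs unconditionally within the hunk, while the commit title says the JWT should be added only in the OIDC case; if the non-OIDC path reaches this line with an empty oidcToken, an empty JWT would be attached as a secondary credential, so the call should be guarded, `if oidcToken != "" { credentials.AddJWT(oidcToken) }`, unless a guard already exists earlier in the function (NewContext starts outside the hunk, so I cannot tell). The call also mutates `credentials` after it has already been stored in `cfg.Credentials` on the line above; this is only visible to the ziti context if `credentials` is a pointer or interface value, which looks likely but should be confirmed. The trailing comment should say what the reader needs to know about the security effect, e.g. `// present the same OIDC token for both the ext-jwt-auth primary and secondary checks; a secondary policy expecting a different issuer is not met by this client`, hedged as inferred since the policy configuration is not in this file.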
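Review bot: `log.Fatal` in the new public-key check terminates the process from inside sshAuthMethodFromFile, which already returns `(ssh.AuthMethod, error)` and, two lines above, reports the read failure as a wrapped error including keyPath; the new check should follow the same pattern so callers can handle or report it: `if _, _, _, _, err := ssh.ParseAuthorizedKey(content); err == nil { return nil, fmt.Errorf("zssh file [%s] holds a public key, but a private key is required", keyPath) }`. Folding the parse into the `if` initializer also removes the four blank identifiers and keeps `pubkeyErr` out of the enclosing scope. The body of sshAuthMethodFromFile continues past the hunk, so any later fallback branches are not visible here.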