blank line.

Copyright head

```go if asymkey_model.IsErrKeyNotExist(err) { } else if err != nil ```

We don't need this check now because every route has owned auth group.

https://github.com/go-ap/httpsig look more maintained

Generally better to put the header keys in Canonical form. ```suggestion if len(req.Header.Get("X-Ssh-Certificate")) != 0 { ```

```suggestion log.Debug("VerifyPubKey on request from %s: failed: %v", req.RemoteAddr, err) log.Warn("Failed authentication attempt from %s", req.RemoteAddr) ```

```suggestion log.Debug("VerifyCert on request from %s: failed: %v", req.RemoteAddr, err) log.Warn("Failed authentication attempt from %s", req.RemoteAddr) ```

```suggestion log.Debug("Failed authentication attempt from %s: VerifyCert failed: %v", req.RemoteAddr, err) ```

There are other algorithms for ssh-rsa... We should be checking against rsa-sha2-256 and rsa-sha2-512 too. RSA_SHA1 is dying as it's likely broken.

Needs a comment. Perhaps something like below? ```suggestion // doVerify iterates across the provided public keys attempting the verify the current request against each key in turn func doVerify(verifier httpsig.Verifier, publickeys []ssh.PublicKey) error { ```

Marshal `auth` once and once only. Do not repeatedly run `auth.Marshal()`. (I've just noticed that modules/ssh/ssh.go does the same thing - can we change it there too?) ```suggestion IsUserAuthority: func(auth ssh.PublicKey) bool { marshaled := auth.Marshal() for _, k := range setting.SSH.TrustedUserCAKeysParsed { if bytes.Equal(marshaled, k.Marshal()) { return true } } return false }, ```

break?

Move this to line 106

```suggestion cert, ok := pk.(*ssh.Certificate) if !ok { return validpk, fmt.Errorf("no certificate found") } ```

blank line is needed.

Line 86 uses "x-ssh-certificate". Are you sure that this shouldn't also be "X-SSH-Certificate" too?

why need two logs?

return err