Context Navigation

← Previous Ticket
Next Ticket →

Opened on Sep 7, 2018 at 8:30:00 AM

Closed on Sep 20, 2019 at 9:20:58 AM

#10454 closed enhancement (worksforme)

Interoperability with gpg-agent (YubiKey)

Reported by:	kdambekalns	Owned by:	dkocher
Priority:	normal	Milestone:	7.1.1
Component:	sftp	Version:	6.7.1
Severity:	normal	Keywords:	ssh, yubikey, agent
Cc:		Architecture:	Intel
Platform:	macOS 10.13

Description (last modified by kdambekalns)

Cyberduck is great, but I cannot use it anymore, since I switched to using a YubiKey to store my SSH private key.

The reason is simply the requirement to select a private key file when opening a connection.

Note: I can connect using SSH on the command-line, using ForkLift, SourceTree, … just fine. They all just use the identity agent I have configured…

Since this blocks me from using Cyberduck, I consider this a defect…

Change History (15)

comment:1 Changed on Sep 11, 2018 at 12:48:39 PM by dkocher

Component changed from core to sftp
Owner set to dkocher
Type changed from defect to enhancement

From my understanding you configure YubiKey to be used as a one-time passcode with the SSH server. We have instructions on how this works with Google Authenticator but I assume this should work similar if configured using ChallengeResponseAuthentication in OpenSSH. Otherwise, please elaborate on the setup.

comment:2 Changed on Sep 11, 2018 at 12:49:07 PM by dkocher

Summary changed from Allow SSH connections without private key *file* to Interoperability with YubiKey 2FA

comment:3 Changed on Sep 11, 2018 at 2:45:49 PM by kdambekalns

Description modified (diff)

comment:4 Changed on Sep 11, 2018 at 3:01:44 PM by kdambekalns

No, I am not using the YubiKey as a 2FA token. I use it as a hardware token, it stores my RSA keys. My SSH is set up to talk to gpg-agent, which is running as gpg-agent --daemon --enable-ssh-support. The result is, that by now most tools that can use my native SSH setup work fine, with the help of IdentityAgent ~/.gnupg/S.gpg-agent.ssh in my ~/.ssh/config.

With "SSH Private Key" set to "None" for the connection, it asks me for a password… But when trying to enable the use of a private key, Cyberduck forces me to select a private key file–I don't have a file, though, the private key is hidden in my YubiKey.

comment:5 Changed on Sep 11, 2018 at 5:34:11 PM by dkocher

Summary changed from Interoperability with YubiKey 2FA to Interoperability with gpg-agent (YubiKey)

comment:6 Changed on Sep 11, 2018 at 6:43:03 PM by dkocher

We do not currently read IdentityAgent from OpenSSH configuration ~/.ssh/config. But if the SSH_AUTH_SOCK environment variable is pointing to the GPG agent socket it should work.

comment:7 Changed on Sep 11, 2018 at 6:49:37 PM by dkocher

References

comment:8 Changed on Sep 12, 2018 at 6:45:25 AM by kdambekalns

Indeed, with SSH_AUTH_SOCK set (which it was already for me) and Cyberduck being started from the command line (I didn't try that, it seems), it works as expected. That's at least something!

comment:9 Changed on Sep 14, 2018 at 8:59:34 PM by dkocher

Milestone set to 7.0
Status changed from new to assigned

comment:10 Changed on Sep 14, 2018 at 9:00:10 PM by dkocher

     IdentityAgent
             Specifies the UNIX-domain socket used to communicate with the authentication agent.

             This option overrides the SSH_AUTH_SOCK environment variable and can be used to select a specific agent.  Setting the socket name to none disables the use of an authentication agent.  If the string
             "SSH_AUTH_SOCK" is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable.