
#10454 closed enhancement (worksforme)

Interoperability with gpg-agent (YubiKey)

Reported by: kdambekalns Owned by: dkocher
Priority: normal Milestone: 7.1.1
Component: sftp Version: 6.7.1
Severity: normal Keywords: ssh, yubikey, agent
Cc: Architecture: Intel
Platform: macOS 10.13

Description (last modified by kdambekalns)

Cyberduck is great, but I cannot use it anymore, since I switched to using a YubiKey to store my SSH private key.

The reason is simply the requirement to select a private key file when opening a connection.

Note: I can connect using SSH on the command-line, using ForkLift, SourceTree, … just fine. They all just use the identity agent I have configured…

Since this blocks me from using Cyberduck, I consider this a defect…

Change History (15)

comment:1 Changed on Sep 11, 2018 at 12:48:39 PM by dkocher

  • Component changed from core to sftp
  • Owner set to dkocher
  • Type changed from defect to enhancement

From my understanding you configure YubiKey to be used as a one-time passcode with the SSH server. We have instructions on how this works with Google Authenticator but I assume this should work similarly if configured using ChallengeResponseAuthentication in OpenSSH. Otherwise, please elaborate on the setup.

comment:2 Changed on Sep 11, 2018 at 12:49:07 PM by dkocher

  • Summary changed from Allow SSH connections without private key *file* to Interoperability with YubiKey 2FA

comment:3 Changed on Sep 11, 2018 at 2:45:49 PM by kdambekalns

  • Description modified (diff)

comment:4 Changed on Sep 11, 2018 at 3:01:44 PM by kdambekalns

No, I am not using the YubiKey as a 2FA token. I use it as a hardware token; it stores my RSA keys. My SSH is set up to talk to gpg-agent, which is running as gpg-agent --daemon --enable-ssh-support. The result is that by now most tools that can use my native SSH setup work fine, with the help of IdentityAgent ~/.gnupg/S.gpg-agent.ssh in my ~/.ssh/config.

With "SSH Private Key" set to "None" for the connection, it asks me for a password… But when trying to enable the use of a private key, Cyberduck forces me to select a private key file–I don't have a file, though, the private key is hidden in my YubiKey.

comment:5 Changed on Sep 11, 2018 at 5:34:11 PM by dkocher

  • Summary changed from Interoperability with YubiKey 2FA to Interoperability with gpg-agent (YubiKey)

comment:6 Changed on Sep 11, 2018 at 6:43:03 PM by dkocher

We do not currently read IdentityAgent from OpenSSH configuration ~/.ssh/config. But if the SSH_AUTH_SOCK environment variable is pointing to the GPG agent socket it should work.

comment:8 Changed on Sep 12, 2018 at 6:45:25 AM by kdambekalns

Indeed, with SSH_AUTH_SOCK set (which it was already for me) and Cyberduck being started from the command line (I didn't try that, it seems), it works as expected. That's at least something!

comment:9 Changed on Sep 14, 2018 at 8:59:34 PM by dkocher

  • Milestone set to 7.0
  • Status changed from new to assigned

comment:10 Changed on Sep 14, 2018 at 9:00:10 PM by dkocher

     IdentityAgent
             Specifies the UNIX-domain socket used to communicate with the authentication agent.

             This option overrides the SSH_AUTH_SOCK environment variable and can be used to select a specific agent.  Setting the socket name to none disables the use of an authentication agent.  If the string
             "SSH_AUTH_SOCK" is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable.

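The IdentityAgent rules quoted in comment:10, combined with the SSH_AUTH_SOCK fallback from comment:6, as an added example (not Cyberduck's code and not part of the ticket): a minimal resolver for the agent socket that applies to a host. The function names, sample config and host names are constructed for illustration; Match blocks and Include directives are not evaluated.

```python
import fnmatch
import re
import shlex

# Constructed sample ~/.ssh/config; host names are placeholders.
SAMPLE_CONFIG = """\
Host legacy.example.com
    IdentityAgent none
Host *.example.com
    IdentityAgent ~/.gnupg/S.gpg-agent.ssh
Host *
    IdentityAgent SSH_AUTH_SOCK
"""

# "Keyword value" or "Keyword=value"; comment and blank lines do not match.
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")

def host_matches(patterns, host):
    """A Host line applies if a pattern matches and no negated (!) one does."""
    if any(p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def identity_agent_for(config_text, host):
    """Return the first IdentityAgent value that applies to host, else None."""
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        keyword, args = m.group(1).lower(), shlex.split(m.group(2))
        if keyword == "host":
            active = host_matches(args, host)
        elif keyword == "match":
            active = False  # assumption: Match blocks are not evaluated here
        elif keyword == "identityagent" and active and args:
            return args[0]  # ssh_config uses the first value obtained
    return None

def resolve_agent_socket(config_text, host, env):
    """Socket path to use for host, or None when no agent should be used."""
    value = identity_agent_for(config_text, host)
    if value is None or value == "SSH_AUTH_SOCK":
        return env.get("SSH_AUTH_SOCK") or None  # fall back to the environment
    if value == "none":
        return None  # agent explicitly disabled, even if SSH_AUTH_SOCK is set
    if value.startswith("~/"):
        return env.get("HOME", "") + value[1:]  # tilde expansion
    return value
```

Called with an environment that lacks SSH_AUTH_SOCK, as for an application not started from the command line, resolve_agent_socket still returns the gpg-agent socket for hosts covered by an IdentityAgent line.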

comment:11 Changed on Nov 20, 2018 at 9:44:45 AM by dkocher

  • Resolution set to worksforme
  • Status changed from assigned to closed

comment:12 Changed on Jul 25, 2019 at 8:29:23 PM by dkocher

  • Milestone 7.0 deleted
  • Resolution worksforme deleted
  • Severity changed from blocker to normal
  • Status changed from closed to reopened

It would be nice if we had a user-friendly configuration option that does not require opening the application from the command line.

comment:13 Changed on Sep 13, 2019 at 7:01:56 AM by dkocher

  • Milestone set to 8.0

#10800 closed as duplicate.

comment:14 Changed on Sep 13, 2019 at 9:21:16 AM by achim

For your information:

There is a solution to this bug: you can create a plist to make Cyberduck accept $AUTH_SSH_SOCK when opened from the dock.

Instructions are here: https://evilmartians.com/chronicles/stick-with-security-yubikey-ssh-gnupg-macos

Unfortunately it only works up until 7.0.2, see #10800.

comment:15 Changed on Sep 20, 2019 at 9:20:58 AM by dkocher

  • Milestone changed from 8.0 to 7.1.1
  • Resolution set to worksforme
  • Status changed from reopened to closed