Opened on Sep 7, 2018 at 8:30:00 AM
#10454 closed enhancement (worksforme)
Interoperability with gpg-agent (YubiKey)
Reported by: | kdambekalns | Owned by: | dkocher |
---|---|---|---|
Priority: | normal | Milestone: | 7.1.1 |
Component: | sftp | Version: | 6.7.1 |
Severity: | normal | Keywords: | ssh, yubikey, agent |
Cc: | | Architecture: | Intel |
Platform: | macOS 10.13 | | |
Description (last modified by kdambekalns)
Cyberduck is great, but I cannot use it anymore, since I switched to using a YubiKey to store my SSH private key.
The reason is simply the requirement to select a private key file when opening a connection.
Note: I can connect using SSH on the command-line, using ForkLift, SourceTree, … just fine. They all just use the identity agent I have configured…
Since this blocks me from using Cyberduck, I consider this a defect…
Change History (15)
comment:1 Changed on Sep 11, 2018 at 12:48:39 PM by dkocher
- Component changed from core to sftp
- Owner set to dkocher
- Type changed from defect to enhancement
comment:2 Changed on Sep 11, 2018 at 12:49:07 PM by dkocher
- Summary changed from Allow SSH connections without private key *file* to Interoperability with YubiKey 2FA
comment:3 Changed on Sep 11, 2018 at 2:45:49 PM by kdambekalns
- Description modified (diff)
comment:4 Changed on Sep 11, 2018 at 3:01:44 PM by kdambekalns
No, I am not using the YubiKey as a 2FA token. I use it as a hardware token; it stores my RSA keys. My SSH is set up to talk to gpg-agent, which is running as gpg-agent --daemon --enable-ssh-support. The result is that by now most tools that can use my native SSH setup work fine, with the help of IdentityAgent ~/.gnupg/S.gpg-agent.ssh in my ~/.ssh/config.
With "SSH Private Key" set to "None" for the connection, it asks me for a password. But when trying to enable the use of a private key, Cyberduck forces me to select a private key file. I don't have a file, though; the private key is hidden in my YubiKey.
comment:5 Changed on Sep 11, 2018 at 5:34:11 PM by dkocher
- Summary changed from Interoperability with YubiKey 2FA to Interoperability with gpg-agent (YubiKey)
comment:6 Changed on Sep 11, 2018 at 6:43:03 PM by dkocher
We do not currently read IdentityAgent from OpenSSH configuration ~/.ssh/config. But if the SSH_AUTH_SOCK environment variable is pointing to the GPG agent socket it should work.
comment:7 Changed on Sep 11, 2018 at 6:49:37 PM by dkocher
comment:8 Changed on Sep 12, 2018 at 6:45:25 AM by kdambekalns
Indeed, with SSH_AUTH_SOCK set (which it was already for me) and Cyberduck being started from the command line (I didn't try that, it seems), it works as expected. That's at least something!
comment:9 Changed on Sep 14, 2018 at 8:59:34 PM by dkocher
- Milestone set to 7.0
- Status changed from new to assigned
comment:10 Changed on Sep 14, 2018 at 9:00:10 PM by dkocher
IdentityAgent Specifies the UNIX-domain socket used to communicate with the authentication agent. This option overrides the SSH_AUTH_SOCK environment variable and can be used to select a specific agent. Setting the socket name to none disables the use of an authentication agent. If the string "SSH_AUTH_SOCK" is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable.
comment:11 Changed on Nov 20, 2018 at 9:44:45 AM by dkocher
- Resolution set to worksforme
- Status changed from assigned to closed
comment:12 Changed on Jul 25, 2019 at 8:29:23 PM by dkocher
- Milestone 7.0 deleted
- Resolution worksforme deleted
- Severity changed from blocker to normal
- Status changed from closed to reopened
It would be nice to have a user-friendly configuration option that does not require opening the application from the command line.
comment:13 Changed on Sep 13, 2019 at 7:01:56 AM by dkocher
- Milestone set to 8.0
#10800 closed as duplicate.
comment:14 Changed on Sep 13, 2019 at 9:21:16 AM by achim
For your information:
There is a solution to this bug: you can create a plist to make Cyberduck accept $SSH_AUTH_SOCK when opened from the Dock.
Instructions are here: https://evilmartians.com/chronicles/stick-with-security-yubikey-ssh-gnupg-macos
Unfortunately it only works up until 7.0.2, see #10800
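Added example, not part of the ticket and not Cyberduck's own code. It ties together comment:6 and comment:8 (point SSH_AUTH_SOCK at the gpg-agent socket and start Cyberduck from a shell so it inherits the variable) with comment:14 (a LaunchAgent that publishes the variable to launchd, so apps started from the Dock see it too). Cyberduck, per comment:6, does not read IdentityAgent from ~/.ssh/config, so the environment variable is the only hook. Assumptions: the app binary sits at the standard bundle path /Applications/Cyberduck.app/Contents/MacOS/Cyberduck, the LaunchAgent label local.gpg-agent-ssh-auth-sock is arbitrary, and the socket is located by asking gpgconf where available, falling back to the ~/.gnupg/S.gpg-agent.ssh path from comment:4. Comment:14 reports the plist route only worked up to 7.0.2; that caveat stands.

```shell
#!/bin/sh
# Added example, not Cyberduck's code: expose gpg-agent's SSH socket to Cyberduck
# from a shell (comment:6/8) and for Dock launches via a LaunchAgent (comment:14).
# Bundle path, plist label and socket lookup below are assumptions for this example.

# Classic socket location named in comment:4, relative to a given home directory.
default_agent_socket() {
    printf '%s\n' "$1/.gnupg/S.gpg-agent.ssh"
}

# Prefer asking GnuPG where the SSH socket really is (newer releases may place it
# outside ~/.gnupg); fall back to the classic path when gpgconf is not installed.
resolve_agent_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)
        if [ -n "$sock" ]; then
            printf '%s\n' "$sock"
            return 0
        fi
    fi
    default_agent_socket "$HOME"
}

# Succeed only for a live Unix-domain socket. A dangling path is the usual reason
# an app falls back to asking for a password although the agent works in Terminal.
socket_is_live() {
    [ -S "$1" ]
}

# ssh-add -L exits non-zero when the agent is unreachable or has no identities,
# so this proves the YubiKey-held key is actually visible through the socket.
check_agent() {
    sock=$(resolve_agent_socket)
    if ! socket_is_live "$sock"; then
        echo "no live agent socket at $sock; start: gpg-agent --daemon --enable-ssh-support" >&2
        return 1
    fi
    SSH_AUTH_SOCK="$sock" ssh-add -L
}

# Start the app with the variable exported, which is what comment:8 did by hand.
launch_cyberduck() {
    sock=$(resolve_agent_socket)
    socket_is_live "$sock" || { echo "agent socket $sock is not live" >&2; return 1; }
    SSH_AUTH_SOCK="$sock" /Applications/Cyberduck.app/Contents/MacOS/Cyberduck &
}

# Write a LaunchAgent that runs "launchctl setenv" at login. Apps started from the
# Dock or Finder inherit launchd's environment, not the shell's, so this is what
# makes them see the socket. Only processes launchd starts afterwards are affected.
write_agent_plist() {
    out="$1"
    sock="$2"
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>local.gpg-agent-ssh-auth-sock</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>launchctl setenv SSH_AUTH_SOCK "$sock"</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

case "${1:-}" in
    check)  check_agent ;;
    launch) launch_cyberduck ;;
    install)
        plist="$HOME/Library/LaunchAgents/local.gpg-agent-ssh-auth-sock.plist"
        mkdir -p "$HOME/Library/LaunchAgents"
        write_agent_plist "$plist" "$(resolve_agent_socket)"
        launchctl load "$plist" && echo "loaded $plist; relaunch Dock-started apps" ;;
    *) : ;;  # no verb: only define the functions
esac
```

Run it with `check` first to see the YubiKey key listed via the socket, `launch` to start Cyberduck with the variable exported, and `install` to write and load the LaunchAgent; apps already running when `launchctl setenv` executes keep their old environment and must be relaunched. Publishing the socket this way widens nothing beyond what the shell already has: any local process that can open the socket can request signatures, gated only by the PIN and touch policy gpg-agent and the YubiKey enforce.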
comment:15 Changed on Sep 20, 2019 at 9:20:58 AM by dkocher
- Milestone changed from 8.0 to 7.1.1
- Resolution set to worksforme
- Status changed from reopened to closed
From my understanding you configure YubiKey to be used as a one-time passcode with the SSH server. We have instructions on how this works with Google Authenticator but I assume this should work similar if configured using ChallengeResponseAuthentication in OpenSSH. Otherwise, please elaborate on the setup.