Interoperability with gpg-agent (YubiKey) #10454

Closed
cyberduck opened this issue Sep 7, 2018 · 10 comments · Fixed by #12710
Labels
enhancement sftp SFTP Protocol Implementation worksforme

03b55c6 created the issue

Cyberduck is great, but I cannot use it anymore, since I switched to using a YubiKey to store my SSH private key.

The reason is simply the requirement to select a private key file when opening a connection.
Note: I can connect using SSH on the command-line, using ForkLift, SourceTree, … just fine. They all just use the identity agent I have configured…

Since this blocks me from using Cyberduck, I consider this a defect…

@dkocher commented

From my understanding you configure YubiKey to be used as a one-time passcode with the SSH server. We have instructions on how this works with Google Authenticator but I assume this should work similarly if configured using ChallengeResponseAuthentication in OpenSSH. Otherwise, please elaborate on the setup.

03b55c6 commented

No, I am not using the YubiKey as a 2FA token. I use it as a hardware token; it stores my RSA keys. My SSH is set up to talk to gpg-agent, which is running as gpg-agent --daemon --enable-ssh-support. The result is that by now most tools that can use my native SSH setup work fine, with the help of IdentityAgent ~/.gnupg/S.gpg-agent.ssh in my ~/.ssh/config.

With "SSH Private Key" set to "None" for the connection, it asks me for a password… But when trying to enable the use of a private key, Cyberduck forces me to select a private key file–I don't have a file, though, the private key is hidden in my YubiKey.

@dkocher commented

We do not currently read IdentityAgent from OpenSSH configuration ~/.ssh/config. But if the SSH_AUTH_SOCK environment variable is pointing to the GPG agent socket it should work.

03b55c6 commented

Indeed, with SSH_AUTH_SOCK set (which it was already for me) and Cyberduck being started from the command line (I didn't try that, it seems), it works as expected. That's at least something!

@dkocher commented

     IdentityAgent
             Specifies the UNIX-domain socket used to communicate with the authentication agent.

             This option overrides the SSH_AUTH_SOCK environment variable and can be used to select a specific agent.  Setting the socket name to none disables the use of an authentication agent.  If the string
             "SSH_AUTH_SOCK" is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable.
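
The IdentityAgent rules quoted above, as an added example that is not part of this thread or of Cyberduck's code: a Python function that resolves the agent socket a client should use for a host, including the case discussed here where a GUI launch has no SSH_AUTH_SOCK in its environment. The function name, host names and paths are constructed; it assumes OpenSSH's first-obtained-value-wins lookup and does not evaluate Match blocks or negated Host patterns.

```python
import fnmatch
import re

# Constructed sample config and environments (not taken from the thread)
SAMPLE = """\
Host files.example.test
    IdentityAgent ~/.gnupg/S.gpg-agent.ssh
Host legacy.example.test
    IdentityAgent none
Host *
    IdentityAgent SSH_AUTH_SOCK
"""
SHELL_ENV = {"SSH_AUTH_SOCK": "/tmp/constructed-agent.sock"}
DOCK_ENV = {}  # assumed: GUI launch that did not inherit the shell's variables


def resolve_agent_socket(config_text, host, env, home):
    """Return the agent socket path to use for host, or None for no agent."""
    applies = True   # options before the first Host line apply to every host
    agent = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip().strip('"')
        if keyword == "host":
            applies = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif keyword == "match":
            applies = False  # simplification: Match blocks are skipped
        elif keyword == "identityagent" and applies and agent is None:
            agent = value    # the first obtained value wins
    if agent is None or agent == "SSH_AUTH_SOCK":
        return env.get("SSH_AUTH_SOCK") or None   # fall back to the environment
    if agent == "none":
        return None                               # agent use explicitly disabled
    if agent == "~" or agent.startswith("~/"):
        agent = home + agent[1:]                  # expand the leading tilde
    return agent


if __name__ == "__main__":
    for h in ("files.example.test", "legacy.example.test", "other.example.test"):
        print(h, resolve_agent_socket(SAMPLE, h, DOCK_ENV, "/Users/alice"))
```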


@dkocher commented

It would be nice if we had a user-friendly configuration option that does not require opening the application from the command line.

@dkocher commented

#10800 closed as duplicate.

96851d2 commented

For your information:

There is a solution to this bug, you can create a plist to make Cyberduck accept $AUTH_SSH_SOCK when opened from the dock.

Instructions are here: https://evilmartians.com/chronicles/stick-with-security-yubikey-ssh-gnupg-macos

Unfortunately it only works up until 7.0.2, see #10800

iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021

dkocher commented Dec 23, 2021

Reopening to add support for IdentityAgent in OpenSSH configuration.

dkocher reopened this Dec 23, 2021
dkocher modified the milestones: 7.1.1, 8.2.1 Dec 23, 2021
dkocher modified the milestones: 8.2.1, 9.0 Jan 11, 2022
AliveDevil modified the milestones: 9.0, 8.2.2 May 4, 2022