SecurID #4459

Closed
cyberduck opened this issue May 9, 2010 · 29 comments
Labels: enhancement fixed sftp SFTP Protocol Implementation

Comments

@cyberduck
Collaborator

8c1c6c1 created the issue

Hi,
Would it be possible to support access to servers that need an authentication key/passcode that is generated by a dongle? I am using an RSA SecurID generator.
Thanks!

anonymous commented

I'm looking for this feature as well. WinSCP supports this but is not available for OSX. I have yet to find a solution.

@ylangisc commented

Challenge-Response authentication schemes like SecurID should already be supported. Due to the lack of a SecurID infrastructure this feature is completely untested though. While authenticating I would expect a login popup where you can enter the current SecurID code.

In order to properly implement this feature we are dependent on your help. Could you please try to connect to a SecurID-enabled server and let me know what happened?

8c1c6c1 commented

I enter my username and password, but no login popup for the SecurID code occurs. Unfortunately, I have no clue on where the problem is located.

@dkocher commented

Replying to [comment:3 fmueller@…]:

> I enter my username and password, but no login popup for the SecurID code occurs. Unfortunately, I have no clue on where the problem is located.

This sounds like we would need to support authentication with username and password followed by the keyboard-interactive authentication for the SecurID. Such a scenario is not currently supported as the authentication schemes are implemented as mutually exclusive. It is however possible to ask for remaining authentication methods and if the authentication is complete for an SSH session, which is what we should do.

@ylangisc commented

What does the password you are entering look like? Normally SecurID-based authentication requires you to enter the so-called passcode (=PIN + Tokencode (concatenate both)). Please try to enter this passcode into the password field. In an SSH environment the authentication process might be different, though, but it's worth a try.

8c1c6c1 commented

Usually, if I log in via ssh on a shell I connect with:
ssh USERNAME@SERVER
Then I am asked for my passWORD (some character-number-string) which I enter. Subsequently I am asked for the passCODE (which is a generated 6 digit number). The expected behavior of Cyberduck would be that I enter my username and password and subsequently a window pops up where I enter my passCODE.
I tried entering either the password or passcode or concatenating the two in the authentication window of Cyberduck, but none of these options worked.

@dkocher commented

Proposed fix in 4f87653. Please test with the nightly build to be made available shortly.

@ylangisc commented

Nightly build is ready.

anonymous commented

I tried the nightly builds 5961 and 5692. Still no popup-window.

@dkocher commented

Replying to [comment:9 anonymous]:

> I tried the nightly builds 5961 and 5692. Still no popup-window.

Is that server publicly reachable to let us debug the issue?

anonymous commented

Well, the server is called odyssey.fas.harvard.edu.
I cannot give out a username or password of course, but if you try to login as any user it should ask you for a password and later for a token/passcode, too. You just cannot get onto the server.

@dkocher commented

Replying to [comment:11 anonymous]:

> Well, the server is called odyssey.fas.harvard.edu.
> I cannot give out a username or password of course, but if you try to login as any user it should ask you for a password and later for a token/passcode, too. You just cannot get onto the server.

I don't get a partial authentication success with arbitrary credentials, so this does not help with testing. I have made another change in c8e8547 which might make it work, though.

@ylangisc commented

A new nightly build with c8e8547 is ready.

@ylangisc commented

Client-side command line transcript:

...
debug1: Authentications that can continue: password,keyboard-interactive
debug3: start over, passed a different list password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: 
debug3: packet_send2: adding 32 (len 17 padlen 15 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Enter PASSCODE:
debug3: packet_send2: adding 32 (len 15 padlen 17 extra_pad 64)
debug1: Authentications that can continue: password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: 
...
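
The transcript above shows the server issuing two separate keyboard-interactive rounds (`Password:`, then `Enter PASSCODE:`), each carrying one prompt. As an added example (not Cyberduck's code), the following parses SSH_MSG_USERAUTH_INFO_REQUEST payloads per RFC 4256 and answers every round by the server's prompt text until the server ends the method; the packets, function names and secrets are constructed for illustration.

```python
import struct

FAILURE, SUCCESS, INFO_REQUEST, INFO_RESPONSE = 51, 52, 60, 61  # RFC 4252 / 4256

def _put(b):                      # SSH "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _get(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_info_request(prompts):  # helper to construct sample server packets
    out = bytes([INFO_REQUEST]) + _put(b"") * 3 + struct.pack(">I", len(prompts))
    for text, echo in prompts:
        out += _put(text.encode()) + bytes([echo])
    return out

def parse_info_request(pkt):
    """Return [(prompt, echo)] from an SSH_MSG_USERAUTH_INFO_REQUEST payload."""
    off = 1
    for _ in range(3):            # skip name, instruction, language tag
        _, off = _get(pkt, off)
    (count,) = struct.unpack_from(">I", pkt, off)
    off += 4
    prompts = []
    for _ in range(count):
        text, off = _get(pkt, off)
        prompts.append((text.decode(), pkt[off] != 0))
        off += 1
    return prompts

def run_keyboard_interactive(server_packets, ask):
    """Answer each INFO_REQUEST round; return (outcome, INFO_RESPONSE payloads)."""
    sent = []
    for pkt in server_packets:
        if pkt[0] == SUCCESS:
            return "success", sent
        if pkt[0] == FAILURE:     # name-list of remaining methods + partial flag
            methods, off = _get(pkt, 1)
            return ("partial:" if pkt[off] else "failure:") + methods.decode(), sent
        answers = [ask(p, echo) for p, echo in parse_info_request(pkt)]
        sent.append(bytes([INFO_RESPONSE]) + struct.pack(">I", len(answers))
                    + b"".join(_put(a.encode()) for a in answers))
    return "incomplete", sent

# Constructed packets mirroring the two prompt rounds in the transcript above.
SAMPLE = [build_info_request([("Password: ", False)]),
          build_info_request([("Enter PASSCODE:", False)]),
          bytes([SUCCESS])]
SECRETS = {"Password: ": "hunter2", "Enter PASSCODE:": "123456"}  # constructed

if __name__ == "__main__":
    print(run_keyboard_interactive(SAMPLE, lambda prompt, echo: SECRETS[prompt]))
```

A client that stops after the first round, or labels every prompt as the password, never reaches the passcode prompt.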

8c1c6c1 commented

Nightly Build 5970 does not fix the problem for me. Are the changes you just posted already implemented in this version?

anonymous commented

Wow, you guys are fast. I get the SecurID popup. I can authenticate but the problem is that the session is not cached, so after 60 seconds the key expires and I must re-authenticate (a new SecurID popup appears) and I have to continually enter a new authentication key.

If I use WinSCP on Windows, or just standard SSH via the terminal, I only have to enter the SecurID once.

caldazar commented

I'm just going to detail my findings, I'll start using my username so my posts don't clash with the other anonymous posters who may have different setups.

I can authenticate with SecurID using the current stable version of Cyberduck - version 3.4.2 (5902).

My setup with SecurID means I connect to the server using ssh -l [username] [host] and then the server responds requesting PASSCODE. Cyberduck thinks this request is for the password so I can enter my SecurID and authenticate.

I mentioned in a post above that I need to authenticate every 60 seconds once my SecurID had expired. I've found this to be wrong. Upon testing, the connection works fine - navigating folders works etc. Problems occur when I attempt to transfer a file. Upon transferring a file, Cyberduck appears to attempt to reauthenticate to start the file transfer process. This means I need to enter a new SecurID every time a file is opened or transferred, which makes the process unusable as I work with many files each session.

caldazar commented

Ok, I've solved my issue - SecurID works fine now, as long as I keep my Preferences -> Transfers -> Transfer Files set to only Use Browser Connection.

A simple solution, wish I'd seen it before. Hopefully this helps others though.

@ylangisc commented

Replying to [comment:15 fmueller@…]:

> Nightly Build 5970 does not fix the problem for me. Are the changes you just posted already implemented in this version?

Tried to fix behavior according to the command-line transcript in 5443db5. Can you please try the new nightly build (5971)? Please note that the prompt sheet still lacks clarity. In the sheet you should see the prompt text 'Enter PASSCODE' somewhere, though. The username is not taken into account in the callback prompt.

anonymous commented

OK, now upon entering my username and password, I get a popup window that asks me for my username and password. In the infotext the server prompt PASSCODE appears. I entered username and the current token from my generator and received a 0 error. If I only enter the token, nothing happens except for an acoustic signal.

@dkocher commented

Replying to [comment:20 anonymous]:

> OK, now upon entering my username and password, I get a popup window that asks me for my username and password. In the infotext the server prompt PASSCODE appears. I entered username and the current token from my generator and received a 0 error. If I only enter the token, nothing happens except for an acoustic signal.

That has been fixed as of 636bdb9.

8c1c6c1 commented

Could you upload a nightly build for this version, please?

@dkocher commented

Replying to [comment:18 caldazar]:

> Ok, I've solved my issue - SecurID works fine now, as long as I keep my Preferences -> Transfers -> Transfer Files set to only Use Browser Connection.
>
> A simple solution, wish I'd seen it before. Hopefully this helps others though.

Thanks for your comment! This is to be expected when the transfer is initiated using a new session in the Transfers window because a new SSH session is initiated. The workaround is, as you describe, to use the browser connection already open, although that will limit you from browsing until the transfer has finished.

@dkocher commented

A new nightly build will be available within a few hours.

@ylangisc commented

A new nightly build is now available.

8c1c6c1 commented

Thank you so much! It works! I just have one improvement suggestion: So far, I have to enter my username again when I enter the token (after I have already entered username and password). Would it be possible to store the username for the token query?

@dkocher commented

Replying to [comment:26 fmueller@…]:

> Thank you so much! It works! I just have one improvement suggestion: So far, I have to enter my username again when I enter the token (after I have already entered username and password). Would it be possible to store the username for the token query?

In 7e52e48.

75ff539 commented

Hi,
I cannot get this working on #6205 even though I'd use it for the exact same server as fmueller@... did. Of course, many things might go wrong with my SSH configuration or anything else, but I could not find more detailed instructions on how I should use this feature.

My problem is that I am prompted for my password when trying to open a connection, I guess, but the dialog box already says something about my passcode at the first time -- but that should still be for my password only! If I give it the password, the passcode, or even both concatenated, there is no new dialog box, but no connection open either (a green dot next to the connection among my bookmarks, but no connection open).

Could you help me track this down? Has anything changed in 3.6 since fmueller@... could get it working? I doubt that.

Thanks!

@dkocher commented

Replying to [comment:28 SandorL]:

> Hi,
> I cannot get this working on #6205 even though I'd use it for the exact same server as fmueller@... did. Of course, many things might go wrong with my SSH configuration or anything else, but I could not find more detailed instructions on how I should use this feature.
>
> My problem is that I am prompted for my password when trying to open a connection, I guess, but the dialog box already says something about my passcode at the first time -- but that should still be for my password only! If I give it the password, the passcode, or even both concatenated, there is no new dialog box, but no connection open either (a green dot next to the connection among my bookmarks, but no connection open).
>
> Could you help me track this down? Has anything changed in 3.6 since fmueller@... could get it working? I doubt that.
>
> Thanks!

This is an issue in the current snapshot build but should work fine with the last official release available. Will be fixed as of d27759b.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021