Opened 9 years ago

Closed 9 years ago

Last modified 8 years ago

#4459 closed enhancement (fixed)

SecurID

Reported by: fmueller@…
Owned by: dkocher
Priority: normal
Milestone: 3.5
Component: sftp
Version: 3.4.2
Severity: normal
Keywords: SecurID
Cc:
Architecture: Intel
Platform: Mac OS X 10.6

Description

Hi, would it be possible to support access to servers that need an authentication key/passcode that is generated by a dongle? I am using an RSA SecurID generator. Thanks!

Change History (29)

comment:1 Changed 9 years ago by anonymous

I'm looking for this feature as well. WinSCP supports this but is not available for OSX. I have yet to find a solution.

comment:2 Changed 9 years ago by yla

  • Component changed from core to sftp

Challenge-Response authentication schemes like SecurID should already be supported. Due to the lack of a SecurID infrastructure this feature is completely untested though. While authenticating I would expect a login popup where you can enter the current SecurID code.

In order to properly implement this feature we are dependent on your help. Could you please try to connect to a SecurID-enabled server and let me know what happened?

comment:3 follow-up: Changed 9 years ago by fmueller@…

I enter my username and password, but no login popup for the SecurID code occurs. Unfortunately, I have no clue on where the problem is located.

comment:4 in reply to: ↑ 3 Changed 9 years ago by dkocher

  • Milestone set to 3.5
  • Status changed from new to assigned

Replying to fmueller@…:

I enter my username and password, but no login popup for the SecurID code occurs. Unfortunately, I have no clue on where the problem is located.

This sounds like we would need to support authentication with username and password followed by the keyboard-interactive authentication for the SecurID. Such a scenario is not currently supported as the authentication schemes are implemented as mutually exclusive. It is, however, possible to ask for the remaining authentication methods and whether the authentication is complete for an SSH session, which is what we should do.
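
The flow described in comment 4, as an added example that is not part of the ticket and is not Cyberduck's code: a client loop that follows the server's "can continue" list and partial-success flag instead of treating methods as mutually exclusive. `FakeServer`, `authenticate` and the credentials are constructed for illustration; the reply tuples only mimic the RFC 4252/4256 message types.

```python
# Added illustration (not Cyberduck code): FakeServer and authenticate() are
# constructed names; replies mimic RFC 4252/4256 message types.

class FakeServer:
    """Stand-in for an sshd that wants a password first, then a
    keyboard-interactive PASSCODE round (the scenario in comment 4)."""

    def __init__(self, password, passcode):
        self.password, self.passcode = password, passcode
        self.password_done = False

    def _remaining(self):
        return ["keyboard-interactive"] if self.password_done else ["password"]

    def request(self, method, password=None):
        # Returns ("failure", methods_that_can_continue, partial_success)
        # or ("info_request", prompts).
        if method == "password" and not self.password_done:
            if password == self.password:
                self.password_done = True
                return ("failure", self._remaining(), True)  # partial success
        elif method == "keyboard-interactive" and self.password_done:
            return ("info_request", ["Enter PASSCODE: "])
        return ("failure", self._remaining(), False)

    def info_response(self, answers):
        if answers == [self.passcode]:
            return ("success",)
        return ("failure", self._remaining(), False)


def authenticate(server, password, ask, max_steps=8):
    """Follow the server's 'can continue' list; `ask` shows one prompt."""
    tried = set()
    reply = server.request("none")  # probe: which methods are offered?
    for _ in range(max_steps):
        if reply[0] == "success":
            return True
        if reply[0] == "info_request":  # show the server's own prompt text
            reply = server.info_response([ask(p) for p in reply[1]])
            continue
        _, methods, partial = reply
        if partial:
            tried.clear()  # one factor accepted; the list now names the next
        method = next((m for m in ("password", "keyboard-interactive")
                       if m in methods and m not in tried), None)
        if method is None:
            return False  # nothing untried left; do not resend credentials
        tried.add(method)
        reply = server.request(method, password if method == "password" else None)
    return False
```

Each method is attempted once per stage, so a rejected password or tokencode is not resent to the server.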

comment:5 Changed 9 years ago by yla

What does the password you are entering look like? Normally SecurID-based authentication requires you to enter the so-called passcode (= PIN + Tokencode (concatenate both)). Please try to enter this passcode into the password field. In an SSH environment the authentication process might be different, though, but it's worth a try.

comment:6 Changed 9 years ago by fmueller@…

Usually, if I log in via ssh on a shell, I connect with: ssh USERNAME@SERVER. Then I am asked for my passWORD (some character-number-string) which I enter. Subsequently I am asked for the passCODE (which is a generated 6 digit number). The expected behavior of Cyberduck would be that I enter my username and password and subsequently a window pops up where I enter my passCODE. I tried entering either the password or passcode or concatenating the two in the authentication window of Cyberduck, but none of these options worked.

comment:7 Changed 9 years ago by dkocher

Proposed fix in r5960. Please test with the nightly build to be made available shortly.

comment:8 Changed 9 years ago by yla

Nightly build is ready.

comment:9 follow-up: Changed 9 years ago by anonymous

I tried the nightly builds 5961 and 5692. Still no popup-window.

comment:10 in reply to: ↑ 9 Changed 9 years ago by dkocher

Replying to anonymous:

I tried the nightly builds 5961 and 5692. Still no popup-window.

Is that server publicly reachable to let us debug the issue?

comment:11 follow-up: Changed 9 years ago by anonymous

Well, the server is called odyssey.fas.harvard.edu. I cannot give out a username or password of course, but if you try to login as any user it should ask you for a password and later for a token/passcode, too. You just cannot get onto the server.

comment:12 in reply to: ↑ 11 Changed 9 years ago by dkocher

Replying to anonymous:

Well, the server is called odyssey.fas.harvard.edu. I cannot give out a username or password of course, but if you try to login as any user it should ask you for a password and later for a token/passcode, too. You just cannot get onto the server.

I don't get a partial authentication success with arbitrary credentials, so this does not help with testing. I have made another change in r5969 which might make it work, though.

comment:13 Changed 9 years ago by yla

A new nightly build with r5969 is ready.

comment:14 Changed 9 years ago by yla

Client-side command line transcript:

...
debug1: Authentications that can continue: password,keyboard-interactive
debug3: start over, passed a different list password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: 
debug3: packet_send2: adding 32 (len 17 padlen 15 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Enter PASSCODE:
debug3: packet_send2: adding 32 (len 15 padlen 17 extra_pad 64)
debug1: Authentications that can continue: password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: 
...

comment:15 follow-up: Changed 9 years ago by fmueller@…

Nightly Build 5970 does not fix the problem for me. Are the changes you just posted already implemented in this version?

comment:16 Changed 9 years ago by anonymous

Wow, you guys are fast. I get the SecurID popup. I can authenticate but the problem is that the session is not cached, so after 60 seconds the key expires and I must re-authenticate (a new SecurID popup appears) and I have to continually enter a new authentication key.

If I use WinSCP on Windows, or just standard SSH via the terminal, I only have to enter the SecurID once.

comment:17 Changed 9 years ago by caldazar

I'm just going to detail my findings, I'll start using my username so my posts don't clash with the other anonymous posters who may have different setups.

I can authenticate with SecurID using the current stable version of Cyberduck - version 3.4.2 (5902).

My setup with SecurID, means I connect to the server using ssh -l [username] [host] and then the server responds requesting PASSCODE. Cyberduck thinks this request is for the password so I can enter my SecurID and authenticate.

I mentioned in a post above that I need to authenticate every 60 seconds once my SecurID had expired. I've found this to be wrong. Upon testing, the connection works fine - navigating folders works etc. Problems occur when I attempt to transfer a file. Upon transferring a file, Cyberduck appears to attempt to reauthenticate to start the file transfer process. This means I need to enter a new SecurID every time a file is opened or transferred, which makes the process unusable as I work with many files each session.

comment:18 follow-up: Changed 9 years ago by caldazar

Ok, I've solved my issue - SecurID works fine now, as long as I keep my Preferences -> Transfers -> Transfer Files set to only Use Browser Connection.

A simple solution, wish I'd seen it before. Hopefully this helps others though.

comment:19 in reply to: ↑ 15 Changed 9 years ago by yla

Replying to fmueller@…:

Nightly Build 5970 does not fix the problem for me. Are the changes you just posted already implemented in this version?

Tried to fix behavior according to the command-line transcript in r5971. Can you please try the new nightly build (5971)? Please note that the prompt sheet still lacks clarity. In the sheet you should see the prompt text 'Enter PASSCODE' somewhere though. The username is not taken into account in the callback prompt.

comment:20 follow-up: Changed 9 years ago by anonymous

OK, now upon entering my username and password, I get a popup window that asks me for my username and password. In the info text the server prompt PASSCODE appears. I entered username and the current token from my generator and received a 0 error. If I only enter the token, nothing happens except for an acoustic signal.

comment:21 in reply to: ↑ 20 Changed 9 years ago by dkocher

Replying to anonymous:

OK, now upon entering my username and password, I get a popup window that asks me for my username and password. In the info text the server prompt PASSCODE appears. I entered username and the current token from my generator and received a 0 error. If I only enter the token, nothing happens except for an acoustic signal.

That has been fixed as of r5980.

comment:22 Changed 9 years ago by fmueller@…

Could you upload a nightly build for this version, please?

comment:23 in reply to: ↑ 18 Changed 9 years ago by dkocher

Replying to caldazar:

Ok, I've solved my issue - SecurID works fine now, as long as I keep my Preferences -> Transfers -> Transfer Files set to only Use Browser Connection.

A simple solution, wish I'd seen it before. Hopefully this helps others though.

Thanks for your comment! This is to be expected when the transfer is initiated using a new session in the Transfers window because a new SSH session is initiated. The workaround is, as you describe, to use the browser connection already open, although that will limit you from browsing until the transfer has finished.

comment:24 Changed 9 years ago by dkocher

  • Resolution set to fixed
  • Status changed from assigned to closed

A new nightly build will be available within a few hours.

comment:25 Changed 9 years ago by yla

A new nightly build is now available.

comment:26 follow-up: Changed 9 years ago by fmueller@…

Thank you so much! It works! I just have one improvement suggestion: So far, I have to enter my username again when I enter the token (after I have already entered username and password). Would it be possible to store the username for the token query?

comment:27 in reply to: ↑ 26 Changed 9 years ago by dkocher

Replying to fmueller@…:

Thank you so much! It works! I just have one improvement suggestion: So far, I have to enter my username again when I enter the token (after I have already entered username and password). Would it be possible to store the username for the token query?

In r5994.

comment:28 follow-up: Changed 8 years ago by SandorL

  • Architecture set to Intel

Hi, I cannot get this working on #6205 even though I'd use it for the exact same server as fmueller@... did. Of course, many things might go wrong with my SSH configuration or anything else, but I could not find more detailed instructions on how I should use this feature.

My problem is that I am prompted for my password when trying to open a connection, I guess, but the dialog box already says something about my passcode at the first time -- but that should still be for my password only! If I give it the password, the passcode, or even both concatenated, there is no new dialog box, but no connection open either (a green dot next to the connection among my bookmarks, but no connection open).

Could you help me track this down? Has anything changed in 3.6 since fmueller@... could get it working? I doubt that.

Thanks!

comment:29 in reply to: ↑ 28 Changed 8 years ago by dkocher

Replying to SandorL:

Hi, I cannot get this working on #6205 even though I'd use it for the exact same server as fmueller@... did. Of course, many things might go wrong with my SSH configuration or anything else, but I could not find more detailed instructions on how I should use this feature.

My problem is that I am prompted for my password when trying to open a connection, I guess, but the dialog box already says something about my passcode at the first time -- but that should still be for my password only! If I give it the password, the passcode, or even both concatenated, there is no new dialog box, but no connection open either (a green dot next to the connection among my bookmarks, but no connection open).

Could you help me track this down? Has anything changed in 3.6 since fmueller@... could get it working? I doubt that.

Thanks!

This is an issue in the current snapshot build but should work fine with the last official release available. Will be fixed as of r6225.
