#5148 closed defect (fixed)

Lookup of password for private key fails in Keychain

Reported by: https://www.google.com/accounts/o8/id?id=aitoawkzi_jjkcstlmduxr1f9ns-q8apyggmg-w Owned by: dkocher
Priority: normal Milestone: 3.7
Component: sftp Version: 3.6.1
Severity: blocker Keywords: private key, sftp
Cc: bradley.holt@…, cueball@… Architecture: Intel
Platform: Mac OS X 10.6

Description

I just updated from 3.5.1 to 3.6.1. I connect to all of my servers via SFTP and key authentication (passwords are disabled on the server). My private key has no password, and never did. As soon as I updated to 3.6.1, Cyberduck started to ask me for my private key password. Clicking the default button leaving the password empty does not solve the issue. I rechecked in Terminal and my key is still unprotected by passwords, and I can log into my servers via ssh.

Attachments (2)

jan_settings.png (54.9 KB) - added by https://www.google.com/accounts/o8/id?id=aitoawmq5en6knjocnovu6ny_jf5ezv90ugs26w on Sep 8, 2010 at 11:58:47 AM.
Settings for an affected connection
jan_dialog.png (43.4 KB) - added by https://www.google.com/accounts/o8/id?id=aitoawmq5en6knjocnovu6ny_jf5ezv90ugs26w on Sep 8, 2010 at 11:59:32 AM.
The dialog that comes up after trying to connect

Change History (28)

comment:1 Changed on Sep 7, 2010 at 1:32:28 PM by dkocher

  • Component changed from core to sftp

comment:2 Changed on Sep 7, 2010 at 8:14:35 PM by dkocher

  • Milestone set to 4.0
  • Status changed from new to assigned

comment:3 Changed on Sep 7, 2010 at 8:32:55 PM by bradley-holt

  • Cc bradley.holt@… added

comment:4 Changed on Sep 8, 2010 at 6:49:48 AM by http://theonlycueball.myopenid.com/

I can also confirm this issue, with same diagnosis after upgrade to 3.6.1 from 3.5.1.

Mac OS X 10.6.4. Command line SFTP to the same servers still remains functional.

Please advise if additional information is required; I'll be reverting to 3.5.1 in the interim.

comment:5 follow-up: Changed on Sep 8, 2010 at 9:46:01 AM by dkocher

I cannot yet replicate the issue. Do you have a username set in the bookmark setting? As of r6909 the login prompt can be dismissed without a password entered when using public key authentication.

comment:6 in reply to: ↑ 5 Changed on Sep 8, 2010 at 10:41:03 AM by http://theonlycueball.myopenid.com/

Replying to dkocher:

I cannot yet replicate the issue. Do you have a username set in the bookmark setting? As of r6909 the login prompt can be dismissed without a password entered when using public key authentication.

"Username set in the bookmark?" Absolutely - otherwise it'd be difficult for the remote machine to know where to look for the public key [generally in ~username/.ssh/authorized_keys].

I'm gonna be occupied for the next few hours, but I'll endeavour to pull down the trunk and build it to see if r6909 behaves correctly.

comment:7 Changed on Sep 8, 2010 at 11:57:56 AM by https://www.google.com/accounts/o8/id?id=aitoawmq5en6knjocnovu6ny_jf5ezv90ugs26w

I can confirm this issue. Just updated and can't log in to my servers anymore. I have attached two screenshots to show the problem (jan_dialog and jan_settings).

Changed on Sep 8, 2010 at 11:58:47 AM by https://www.google.com/accounts/o8/id?id=aitoawmq5en6knjocnovu6ny_jf5ezv90ugs26w

Settings for an affected connection

Changed on Sep 8, 2010 at 11:59:32 AM by https://www.google.com/accounts/o8/id?id=aitoawmq5en6knjocnovu6ny_jf5ezv90ugs26w

The dialog that comes up after trying to connect

comment:8 Changed on Sep 8, 2010 at 12:15:05 PM by https://www.google.com/accounts/o8/id?id=aitoawkzi_jjkcstlmduxr1f9ns-q8apyggmg-w

I can tell you that I feel the bug when connecting to a Mac OS X Server box, a Debian Linux and a CentOS, so it does not seem to depend on the serverside OS. The bug is there when I connect from a bookmark and also when I type the address and credentials from scratch in the "New connection" box. It makes no difference whether the username is identical to my local username or a different one (I tried root).

comment:9 Changed on Sep 8, 2010 at 12:19:07 PM by https://www.google.com/accounts/o8/id?id=aitoawkzi_jjkcstlmduxr1f9ns-q8apyggmg-w

I don't know if this helps, probably not, but this is what ends up in my Console:

08/09/10 14.12.34	[0x0-0x4b04b].ch.sudo.cyberduck[766]	2010-09-08 14:12:34,741 [main] ERROR ch.cyberduck.core.sftp.SFTPSession - Connection attempt canceled
08/09/10 14.13.17	Cyberduck[766]	Could not find image named 'login'.

Last edited on Sep 8, 2010 at 12:53:43 PM by dkocher

comment:10 follow-up: Changed on Sep 8, 2010 at 12:21:47 PM by https://www.google.com/accounts/o8/id?id=aitoawmq5en6knjocnovu6ny_jf5ezv90ugs26w

I have downgraded to 3.5.1 now, which you can find on Apple's software page

http://apple.com/downloads/macosx/internet_utilities/cyberduck.html

comment:11 in reply to: ↑ 10 Changed on Sep 8, 2010 at 12:50:48 PM by dkocher

Replying to https://www.google.com/accounts/o8/id?id=aitoawmq5en6knjocnovu6ny_jf5ezv90ugs26w:

I have downgraded to 3.5.1 now, which you can find on Apple's software page

http://apple.com/downloads/macosx/internet_utilities/cyberduck.html

Previous releases are always available at http://cyberduck.ch/changelog/

comment:12 Changed on Sep 8, 2010 at 1:20:35 PM by dkocher

Can you confirm that in your private key at the beginning there is no such thing as Proc-Type: 4,ENCRYPTED?

comment:13 follow-up: Changed on Sep 8, 2010 at 1:26:53 PM by https://www.google.com/accounts/o8/id?id=aitoawmq5en6knjocnovu6ny_jf5ezv90ugs26w

There is:

-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2E47CAC88030866B

...

comment:14 in reply to: ↑ 13 Changed on Sep 8, 2010 at 1:29:53 PM by dkocher

Replying to https://www.google.com/accounts/o8/id?id=aitoawmq5en6knjocnovu6ny_jf5ezv90ugs26w:

There is:

-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2E47CAC88030866B

...

From what I know this means your private key is password protected.

comment:15 Changed on Sep 8, 2010 at 1:36:44 PM by dkocher

The issue is that our lookup for the password of the private key in the keychain fails. (We previously looked for the password in the keychain with the abbreviated filename of the private key (such as ~/.ssh/id_dsa) to be compatible with SSHKeychain.)
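
Added example, not Cyberduck's code and not part of the ticket: a sketch of the two checks discussed in comments 12 to 15, namely reading the key file's header to decide whether a passphrase exists at all, and then looking the passphrase up under both the abbreviated and the absolute key path. The function names are hypothetical, a plain dict stands in for the Keychain, and the OpenSSH-container and PKCS#8 branches go beyond the traditional PEM case quoted in the ticket.

```python
import base64
import posixpath
import struct

def key_cipher(pem_text):
    """Return the cipher protecting a private key file, or None if unencrypted."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8"  # PKCS#8: the cipher is named inside the ASN.1 body
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        magic = b"openssh-key-v1\0"
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 container")
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        name = blob[len(magic) + 4:len(magic) + 4 + n].decode("ascii")
        return None if name == "none" else name
    # Traditional PEM: RFC 1421 style headers sit between BEGIN and the body.
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:  # blank line or first base64 line ends the headers
            break
        field, _, value = ln.partition(":")
        headers[field.strip()] = value.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        return headers.get("DEK-Info", "").split(",")[0] or "unknown"
    return None

def account_candidates(key_path, home):
    """Both spellings of the key path an entry may have been saved under."""
    home = home.rstrip("/")
    path = posixpath.join(home, key_path[2:]) if key_path.startswith("~/") else key_path
    path = posixpath.normpath(path)
    if path.startswith(home + "/"):
        return ["~/" + path[len(home) + 1:], path]
    return [path]

def find_passphrase(store, key_path, home, pem_text):
    """Look up a passphrase only when the key is actually encrypted."""
    if key_cipher(pem_text) is None:
        return None  # nothing to unlock, so no prompt and no lookup
    for account in account_candidates(key_path, home):
        if account in store:
            return store[account]
    return None

# Constructed sample: the header lines quoted in the ticket, key body omitted.
SAMPLE = ("-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
          "DEK-Info: DES-EDE3-CBC,2E47CAC88030866B\n\n"
          "-----END DSA PRIVATE KEY-----")
```

A lookup that tries only one spelling of the path misses entries saved under the other, which matches the symptom reported here: the passphrase is stored, yet the client prompts for it again.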

comment:16 Changed on Sep 8, 2010 at 1:38:07 PM by dkocher

  • Milestone changed from 4.0 to 3.6.2
  • Resolution set to fixed
  • Status changed from assigned to closed

In r6916.

comment:17 Changed on Sep 15, 2010 at 7:22:35 PM by dkocher

  • Summary changed from Public Key without password stopped working to Lookup of password for private key fails in Keychain

comment:18 follow-up: Changed on Sep 22, 2010 at 8:21:08 PM by http://theonlycueball.myopenid.com/

  • Cc cueball@… added
  • Resolution fixed deleted
  • Status changed from closed to reopened

There appears to be a regression in build 7035 that leads to this bug once again rearing its unfortunate head.

Have reverted back to build 7015, as the problem doesn't exist in that nightly build.

comment:19 in reply to: ↑ 18 Changed on Sep 23, 2010 at 8:37:16 AM by dkocher

  • Resolution set to wontfix
  • Status changed from reopened to closed

Replying to http://theonlycueball.myopenid.com/:

There appears to be a regression in build 7035 that leads to this bug once again rearing its unfortunate head.

Have reverted back to build 7015, as the problem doesn't exist in that nightly build.

Decided to break backward compatibility with SSHKeychain in r7027. You have to reenter the SSH private key password.

comment:20 Changed on Sep 24, 2010 at 2:25:19 PM by dkocher

  • Resolution wontfix deleted
  • Status changed from closed to reopened

comment:21 Changed on Sep 24, 2010 at 2:26:21 PM by dkocher

  • Resolution set to fixed
  • Status changed from reopened to closed

Backward compatibility in r7057.

comment:23 Changed on Mar 13, 2011 at 7:17:48 AM by Cueball

After I encountered this bug again some time ago, I stopped updating nightly builds again and stuck with build 8001 [which works for me.]

Since it was deemed "fixed", I really wasn't about to belabour the point again in case there was just something hinky with my config. Apparently I'm not the only one seeing this problem still...

Perhaps a unit test for this case to avoid the issue in future? :-)

comment:24 follow-up: Changed on Nov 2, 2011 at 12:25:30 PM by elmimmo

Decided to break backward compatibility with SSHKeychain in r7027

Cyberduck (tried 4.1 (8911)) should still IMHO be finding the password for my private key in Keychain.

In OS X 10.6 Snow Leopard at least, when you open an SSH connection through the Terminal with the ssh command with a server that has your public key, you are asked with a secure Cocoa dialog (not prompt) to "Enter your password for the SSH Key 'id_rsa'." (if that is the name where your private key resides), with the option to "Save password in Keychain". If one ticks that, on a subsequent connection ssh-agent will ask to have access to the keychain where the password for the private key resides in order to be able to open the connection with that private key without prompting for its password.

In other words, OS X does have a method for storing and reading the password for private keys in the Keychain without any need of third party software such as SSHKeychain.

It would be nice if Cyberduck detected OS X-saved password to my private key in the Keychain, and asked me for access to it, instead of asking the password to my private key (just as a note, Transmit 4 does).

Last edited on Nov 2, 2011 at 1:24:22 PM by dkocher

comment:25 in reply to: ↑ 24 ; follow-up: Changed on Nov 2, 2011 at 1:03:11 PM by dkocher

Replying to elmimmo:

Decided to break backward compatibility with SSHKeychain in r7027

Cyberduck (tried 4.1 (8911)) should still IMHO be finding the password for my private key in Keychain.

In OS X 10.6 Snow Leopard at least, when you open an SSH connection through the Terminal with the ssh command with a server that has your public key, you are asked with a secure Cocoa dialog (not prompt) to "Enter your password for the SSH Key 'id_rsa'." (if that is the name where your private key resides), with the option to "Save password in Keychain". If one ticks that, on a subsequent connection ssh-agent will ask to have access to the keychain where the password for the private key resides in order to be able to open the connection with that private key without prompting for its password.

In other words, OS X does have a method for storing and reading the password for private keys in the Keychain without any need of third party software such as SSHKeychain.

It would be nice if Cyberduck detected OS X-saved password to my private key in the Keychain, and asked me for access to it, instead of asking the password to my private key (just as a note, Transmit 4 does).

Great suggestion. We should try to be interoperable with Terminal.app here.

Last edited on Nov 2, 2011 at 1:24:06 PM by dkocher

comment:26 in reply to: ↑ 25 Changed on Nov 2, 2011 at 1:25:09 PM by dkocher

Replying to dkocher:

Replying to elmimmo:

Decided to break backward compatibility with SSHKeychain in r7027

Cyberduck (tried 4.1 (8911)) should still IMHO be finding the password for my private key in Keychain.

In OS X 10.6 Snow Leopard at least, when you open an SSH connection through the Terminal with the ssh command with a server that has your public key, you are asked with a secure Cocoa dialog (not prompt) to "Enter your password for the SSH Key 'id_rsa'." (if that is the name where your private key resides), with the option to "Save password in Keychain". If one ticks that, on a subsequent connection ssh-agent will ask to have access to the keychain where the password for the private key resides in order to be able to open the connection with that private key without prompting for its password.

In other words, OS X does have a method for storing and reading the password for private keys in the Keychain without any need of third party software such as SSHKeychain.

It would be nice if Cyberduck detected OS X-saved password to my private key in the Keychain, and asked me for access to it, instead of asking the password to my private key (just as a note, Transmit 4 does).

Great suggestion. We should try to be interoperable with Terminal.app here.

OpenSSH interoperability in r9103.

comment:27 Changed on Mar 1, 2012 at 11:05:18 AM by Elmimmo

How does r9103 work? I downloaded the nightly Cyberduck-9393 but I am still asked to specify a private key file, and even if manually specified, Keychain access never asks me to unlock the keychain where the password to my private key resides.