
Opened 13 years ago

Closed 5 years ago

Last modified 4 years ago

#75 closed enhancement (fixed)

Public key authentication using SSH agent

Reported by: anonymous
Owned by: dkocher
Priority: normal
Milestone: 4.5
Component: sftp
Version: 2.5.3
Severity: normal
Keywords:
Cc: melo@…, glyph@…
Architecture:
Platform:

Description

It would be quite a nice and useful enhancement if SSH public key authentication would use a running SSH agent.

Pointer to OpenSSH code: authfd.c

Attachments (1)

ssh-agent.1.diff (176.4 KB) - added by asf@… 12 years ago.
sshtools.com agent code integration, jbus integration, agent use and fallback in SFTP connections


Change History (33)

comment:1 Changed 13 years ago by Piotr Banasik <piotr.banasik@…>

I second this, it seems natural to be able to use SSH Agent to connect to SFTP, but Cyberduck can't do it (yet? =). Is there a timeline for getting this feature working (is the 2.6 milestone realistic, and if it is, is there a target date for the 2.6 release?)

Thanks

comment:2 Changed 13 years ago by melo@…

  • Cc melo@… added

I'm new to Cyberduck, but this was the first option I searched... :)

If this is planned for a future version, great! It would be nice to work with some of the GUI ssh-agent interfaces like SSHKeychain for example.

It should be easy enough: SSHKeychain places the ssh-agent pipe in a specific place, easy to find.

Thanks,

comment:3 Changed 13 years ago by dkocher

  • Status changed from new to assigned

comment:4 Changed 13 years ago by dkocher

  • Summary changed from Feature request: SSH public key authentification using SSH agent to SSH public key authentification using SSH agent

comment:5 Changed 13 years ago by kL

I'm actually having trouble with running shell ssh-agent and I like that CyberDuck allows me to choose the right key. I'd like old behavior kept, even if external agent is supported.

comment:6 Changed 12 years ago by gerrit@…

I second that wish. It seems wasteful and potentially insecure having to save the credentials in the keychain when there is an ssh-agent running.

comment:7 Changed 12 years ago by asf@…

I second (third? fourth?) that wish. SSHKeychain is too useful to be ignored by cyberduck. (:

comment:8 Changed 12 years ago by Piotr Banasik <piotr.banasik@…>

I'd like to clarify/stress the point that we're not even talking about support for a specific app (ie. SSHKeychain) .. but for the openssh key agent support, which is a much more open interface, and is the standard for holding onto ssh keys

comment:9 Changed 12 years ago by asf@…

Piotr: you're right, sorry for bringing a specific app into the discussion; it just happens to be what I use.

comment:10 Changed 12 years ago by anonymous

I also agree that ssh-agent support, no matter what other apps may be involved to help manage it, is important. Fugu does this well but Cyberduck doesn't, and it feels like a race between it and Fetch to get there first.

comment:11 Changed 12 years ago by anonymous

mod up

comment:12 Changed 12 years ago by jauricchio.NOSPAM@…

bump.

please! =]

comment:13 Changed 12 years ago by asf@…

I have code that integrates the sshtools.com agent code into cyberduck, adds unix domain socket via jbuds (see freshmeat.net) for local ssh agent connections, and defaults to trying the agent first.

So far, it's looking pretty good: trying to use the agent and falls back to asking for a passphrase if the agent fails.

The problem is that the sshtools.com agent code isn't working. The primary reason for this is that the sshtools.com agent code does not speak the openssh authentication protocol, which is used by many agents, instead speaking only ssh.com's agent protocol. After I discovered this, I gave up; but I believe the code can still be put to use by somebody who is willing to invest an afternoon or so, and implements the auth agent protocol correctly.

openssh's code is a good reference for that. I suggest starting with authfd.c and authfd.h. You'll have to rewrite a few of the java message classes, and several methods in SshAgentClient.java. I've started already by assigning the correct message number to SshAgentFailure (5 instead of 102) (-:

There are also a few UI things left to iron out: maybe include an "I want to use the agent" checkbox, and if the agent isn't unlocked, ask for the passphrase.

I'm attaching my diff against current svn (hope that this works for you, I'm a total xcode newbie). To whomever will finally implement this: You have my gratitude and respect.

Changed 12 years ago by asf@…

sshtools.com agent code integration, jbus integration, agent use and fallback in SFTP connections
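For reference, the OpenSSH agent exchange that comment 13 says the sshtools.com code does not speak, as an added Python example (not the attached diff and not Cyberduck's code). The message numbers are those in OpenSSH's authfd.h; `AgentError`, `MAX_REPLY` and the function names are assumptions of this sketch, and any `AgentError` is the signal to fall back to the passphrase prompt.

```python
import os
import socket

# Frame = uint32 big-endian length + type byte + payload; numbers from authfd.h
SSH_AGENT_FAILURE = 5
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
MAX_REPLY = 256 * 1024  # assumed cap; refuse absurd lengths from the socket

class AgentError(Exception):
    """Agent missing, refusing or malformed: fall back to the passphrase prompt."""

def frame(msg_type, payload=b""):
    return (len(payload) + 1).to_bytes(4, "big") + bytes([msg_type]) + payload

def _string(buf, off):
    # One SSH "string": uint32 length, then that many bytes (bounds-checked)
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if end > len(buf):
        raise AgentError("truncated reply")
    return buf[off + 4:end], end

def parse_identities(body):
    """Turn a reply body (type byte + payload) into (key_blob, comment) pairs."""
    if len(body) < 5 or body[0] != SSH2_AGENT_IDENTITIES_ANSWER:
        failed = body[:1] == bytes([SSH_AGENT_FAILURE])
        raise AgentError("SSH_AGENT_FAILURE" if failed else "unexpected reply")
    off, keys = 5, []
    for _ in range(int.from_bytes(body[1:5], "big")):
        blob, off = _string(body, off)
        comment, off = _string(body, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def list_identities(path=None):
    path = path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise AgentError("SSH_AUTH_SOCK is not set")
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(5)
            s.connect(path)
            s.sendall(frame(SSH2_AGENTC_REQUEST_IDENTITIES))
            reply = s.makefile("rb")
            size = int.from_bytes(reply.read(4), "big")
            if not 1 <= size <= MAX_REPLY:
                raise AgentError("bad reply length")
            return parse_identities(reply.read(size))
    except OSError as exc:
        raise AgentError(str(exc)) from exc
```

A reply typed 102, the number the comment says SshAgentFailure originally carried, is rejected as an unexpected reply rather than read as a failure.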

comment:14 Changed 12 years ago by Piotr Banasik <piotr.banasik@…>

Has anyone considered borrowing the ssh agent implementation from Fugu? It is open source and BSD licensed .. I'm sure they wouldn't mind sharing the ssh agent integration.

Just a thought

comment:15 Changed 12 years ago by asf@…

The reason for not using fugu's ssh agent code is that fugu is written in objective C and uses the openssh binary tools directly, and most of cyberduck is written in java, including its own ssh client in java (called j2ssh, from sshtools.com). That means you'd either have to dump & re-write the entire ssh/sftp backend (not so pleasant, IMHO), or try to come up with an ssh agent client in java that works with the existing j2ssh code.

comment:16 Changed 12 years ago by Piotr Banasik <piotr.banasik@…>

Ah .. I see .. thanks for the clarification .. I sort of assumed CD would have been written in Objective C

comment:17 Changed 11 years ago by llbbl

I think rewriting it in objective c while borrowing as much as possible from fugu is the best way to go. The current implementation is rather clunky ><. Fugu is a speed daemon compared to cyberduck when it comes to SSH/SFTP transfers.

Maybe we need a fundraising drive or something like wikipedia does. David and the other developers might be more receptive to changing things over to objective c, if the community could come up with a 20K.

comment:18 Changed 11 years ago by dkocher

Cyberduck uses Ganymed by now. One would have to add ssh-agent support there.

comment:19 Changed 11 years ago by dkocher

  • Component changed from core to sftp

comment:20 Changed 11 years ago by dkocher

  • Milestone 3.0 deleted

comment:21 Changed 5 years ago by dkocher

See also #5259 (Pageant, SSH authentication agent for PuTTY).

Last edited 5 years ago by dkocher

comment:22 Changed 5 years ago by dkocher

  • Milestone set to 4.5

comment:23 Changed 5 years ago by dkocher

  • Summary changed from SSH public key authentification using SSH agent to Public key authentification using SSH agent

comment:24 Changed 5 years ago by dkocher

  • Summary changed from Public key authentification using SSH agent to Public key authentication using SSH agent

comment:25 Changed 5 years ago by dkocher

  • Resolution set to fixed
  • Status changed from assigned to closed

In r14509. Support for both OpenSSH on Mac and PuTTY Pageant on Windows.

comment:26 Changed 4 years ago by glyph lefkowitz

Hi there cyberduck,

I just tried to use this feature on version 4.5.2 (website download, not MAS release). It didn't work, but I didn't see any UI that exposed it, so I'm not sure how to tell if I'm doing it right. How is one supposed to set up agent authentication?

-glyph

comment:27 Changed 4 years ago by glyph lefkowitz

  • Cc glyph@… added

comment:28 Changed 4 years ago by dkocher

Documentation forthcoming in Public key authentication using SSH agent.

comment:29 Changed 4 years ago by glyph lefkowitz

Thanks for adding the documentation!

That is indeed what I expected to happen; my keys are in my agent, my command-line 'ssh' connections work, I didn't enter a password, but Cyberduck still prompts me for a password or public key.

Do I need to create a bookmark first for this to work?

comment:30 Changed 4 years ago by dkocher

Additional fixes in r15240 and r15241.

comment:31 in reply to: ↑ 29 Changed 4 years ago by dkocher

Replying to glyph lefkowitz:

> Thanks for adding the documentation!
>
> That is indeed what I expected to happen; my keys are in my agent, my command-line 'ssh' connections work, I didn't enter a password, but Cyberduck still prompts me for a password or public key.

Please update to the latest snapshot build available.

comment:32 in reply to: ↑ 31 Changed 4 years ago by glyph lefkowitz

Replying to dkocher:

> Replying to glyph lefkowitz:
>
> > Thanks for adding the documentation!
> >
> > That is indeed what I expected to happen; my keys are in my agent, my command-line 'ssh' connections work, I didn't enter a password, but Cyberduck still prompts me for a password or public key.
>
> Please update to the latest snapshot build available.

I tried updating to a snapshot build and it didn't help.

The problem appears to be with the case where the host is not initially known; in that case, if I accept and do not check "always", it doesn't check my authentication agent. For some reason even though I have set HashKnownHosts no in my SSH config (to play better with bash hostname completion), CyberDuck can only use hashed hostnames, so I was not accepting the host key persistently while I was looking for that setting.
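Comment 32 turns on whether a host is stored in known_hosts by name or in the hashed form that HashKnownHosts produces. The added Python example below (not Cyberduck's code) shows a lookup that accepts both forms; the function names and the sample file content are constructed for illustration, and wildcard patterns, negation and marker lines are not handled.

```python
import base64
import hashlib
import hmac

def hash_host(host, salt):
    """HashKnownHosts form of a name: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def entry_matches(host_field, host):
    """True if the first field of a known_hosts line names `host`."""
    if not host_field.startswith("|1|"):
        # Plain entry: comma-separated names (wildcards/negation not handled here)
        return host in host_field.split(",")
    try:
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    except ValueError:  # wrong field count or bad base64
        return False
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)

def find_host_keys(known_hosts_text, host):
    """Return (key_type, key_base64) for every line that names `host`."""
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank, comment, or @cert-authority/@revoked marker line
        if entry_matches(fields[0], host):
            found.append((fields[1], fields[2]))
    return found

# Constructed sample: one host stored by name, another stored hashed.
SAMPLE = "\n".join([
    "# constructed known_hosts content",
    "sftp.example.org,192.0.2.10 ssh-ed25519 AAAAC3PLACEHOLDERKEY1",
    hash_host("other.example.org", b"\x01" * 20) + " ssh-rsa AAAAB3PLACEHOLDERKEY2",
])
```

A client that implements only one of the two branches in `entry_matches` will treat hosts stored in the other form as unknown and prompt for the host key again.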
