
#75 closed enhancement (fixed)

Public key authentication using SSH agent

Reported by: anonymous
Owned by: dkocher
Priority: normal
Milestone: 4.5
Component: sftp
Version: 2.5.3
Severity: normal
Keywords:
Cc: melo@…, glyph@…
Architecture:
Platform:

Description

It would be quite a nice and useful enhancement if SSH public key authentication would use a running SSH agent.

Pointer to OpenSSH code: authfd.c

Attachments (1)

ssh-agent.1.diff (176.4 KB) - added by asf@… on Sep 25, 2006 at 8:51:38 PM.
sshtools.com agent code integration, jbus integration, agent use and fallback in SFTP connections


Change History (33)

comment:1 Changed on Jan 11, 2006 at 10:45:46 PM by Piotr Banasik <piotr.banasik@…>

I second this, it seems natural to be able to use SSH Agent to connect to SFTP, but Cyberduck can't do it (yet? =), is there a timeline for getting this feature working (is the 2.6 milestone realistic, and if it is, is there a target date for the 2.6 release?)

Thanks

comment:2 Changed on Jan 27, 2006 at 2:27:01 AM by melo@…

  • Cc melo@… added

I'm new to Cyberduck, but this was the first option I searched... :)

If this is planned for a future version, great! It would be nice to work with some of the GUI ssh-agent interfaces like SSHKeychain for example.

It should be easy enough: SSHKeychain places the ssh-agent pipe in a specific place, easy to find.

Thanks,

comment:3 Changed on Jan 30, 2006 at 9:51:22 PM by dkocher

  • Status changed from new to assigned

comment:4 Changed on Feb 14, 2006 at 4:21:34 PM by dkocher

  • Summary changed from Feature request: SSH public key authentification using SSH agent to SSH public key authentification using SSH agent

comment:5 Changed on Apr 26, 2006 at 4:39:45 PM by kL

I'm actually having trouble with running shell ssh-agent and I like that CyberDuck allows me to choose the right key. I'd like old behavior kept, even if external agent is supported.

comment:6 Changed on Jun 19, 2006 at 3:17:04 PM by gerrit@…

I second that wish. It seems wasteful and potentially insecure having to save the credentials in the keychain when there is an ssh-agent running.

comment:7 Changed on Aug 2, 2006 at 9:50:24 PM by asf@…

I second (third? fourth?) that wish. SSHKeychain is too useful to be ignored by cyberduck. (:

comment:8 Changed on Aug 2, 2006 at 10:05:35 PM by Piotr Banasik <piotr.banasik@…>

I'd like to clarify/stress the point that we're not even talking about support for a specific app (ie. SSHKeychain) .. but for the openssh key agent support, which is a much more open interface, and is the standard for holding onto ssh keys

comment:9 Changed on Aug 3, 2006 at 7:03:31 AM by asf@…

Piotr: you're right, sorry for bringing a specific app into the discussion; it just happens to be what I use.

comment:10 Changed on Sep 5, 2006 at 3:12:37 PM by anonymous

I also agree that ssh-agent support, no matter what other apps may be involved to help manage it, is important. Fugu does this well but Cyberduck doesn't, and it feels like a race between it and Fetch to get there first.

comment:11 Changed on Sep 14, 2006 at 1:37:00 AM by anonymous

mod up

comment:12 Changed on Sep 19, 2006 at 6:54:28 PM by jauricchio.NOSPAM@…

bump.

please! =]

comment:13 Changed on Sep 25, 2006 at 8:49:42 PM by asf@…

I have code that integrates the sshtools.com agent code into cyberduck, adds unix domain socket via jbuds (see freshmeat.net) for local ssh agent connections, and defaults to trying the agent first.

So far, it's looking pretty good: trying to use the agent and falls back to asking for a passphrase if the agent fails.

The problem is that the sshtools.com agent code isn't working. The primary reason for this is that the sshtools.com agent code does not speak the openssh authentication protocol, which is used by many agents, instead speaking only ssh.com's agent protocol. After I discovered this, I gave up; but I believe the code can still be put to use by somebody who is willing to invest an afternoon or so, and implements the auth agent protocol correctly.

openssh's code is a good reference for that. I suggest starting with authfd.c and authfd.h. You'll have to rewrite a few of the java message classes, and several methods in SshAgentClient.java. I've started already by assigning the correct message number to SshAgentFailure (5 instead of 102) (-:

There are also a few UI things left to iron out: maybe include an "I want to use the agent" checkbox, and if the agent isn't unlocked, ask for the passphrase.

I'm attaching my diff against current svn (hope that this works for you, I'm a total xcode newbie). To whomever will finally implement this: You have my gratitude and respect.

Changed on Sep 25, 2006 at 8:51:38 PM by asf@…

sshtools.com agent code integration, jbus integration, agent use and fallback in SFTP connections
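The OpenSSH agent exchange that comment 13 says the client must speak, as an added example that is not part of the attached diff or of Cyberduck: it frames a request-identities message, parses the answer, and treats message number 5 as the failure that triggers the passphrase fallback. The function names, the `MAX_REPLY` cap and the sample reply are assumptions made for illustration.

```python
import os
import socket
import struct

SSH_AGENT_FAILURE = 5  # message numbers of the OpenSSH agent protocol (see authfd.h)
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
MAX_REPLY = 256 * 1024  # assumed cap so a misbehaving agent cannot force a huge read

def ssh_string(data):
    return struct.pack(">I", len(data)) + data  # uint32 big-endian length, then bytes

def frame(msg_type, payload=b""):
    return ssh_string(bytes([msg_type]) + payload)  # length, one type byte, payload

def read_string(buf, off):
    """Decode one SSH string at off; return (value, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:end], end

def parse_identities(body):
    """Turn a reply body (type byte + payload) into [(key type, comment)]."""
    if body[:1] == bytes([SSH_AGENT_FAILURE]):
        return []  # agent refused: the caller falls back to a passphrase prompt
    if len(body) < 5 or body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    keys, off = [], 5
    for _ in range(int.from_bytes(body[1:5], "big")):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        key_type = read_string(blob, 0)[0].decode()  # blob begins with its algorithm name
        keys.append((key_type, comment.decode(errors="replace")))
    return keys

def list_agent_keys(path=None):
    """Ask the agent on SSH_AUTH_SOCK (a Unix domain socket) for its keys."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path or os.environ["SSH_AUTH_SOCK"])
        s.sendall(frame(SSH_AGENTC_REQUEST_IDENTITIES))
        reply = s.makefile("rb")
        size = int.from_bytes(reply.read(4), "big")
        if not 1 <= size <= MAX_REPLY:
            raise ConnectionError("short or oversized agent reply")
        return parse_identities(reply.read(size))

# Constructed sample reply body (not captured from a real agent): one ed25519 key.
SAMPLE_REPLY = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1) + ssh_string(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))) + ssh_string(b"constructed@example")
```

A reply whose type byte is 102, the number the comment says the sshtools.com class used for failure, is rejected by `parse_identities` as an unexpected message rather than being read as a refusal.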

comment:14 Changed on Sep 25, 2006 at 9:10:34 PM by Piotr Banasik <piotr.banasik@…>

Has anyone considered borrowing the ssh agent implementation from Fugu? It is open source and BSD licensed .. I'm sure they wouldn't mind sharing the ssh agent integration.

Just a thought

comment:15 Changed on Sep 25, 2006 at 10:08:18 PM by asf@…

The reason for not using fugu's ssh agent code is that fugu is written in objective C and uses the openssh binary tools directly, and most of cyberduck is written in java, including its own ssh client in java (called j2ssh, from sshtools.com). That means you'd either have to dump & re-write the entire ssh/sftp backend (not so pleasant, IMHO), or try to come up with an ssh agent client in java that works with the existing j2ssh code.

comment:16 Changed on Sep 25, 2006 at 10:11:58 PM by Piotr Banasik <piotr.banasik@…>

Ah .. I see .. thanks for the clarification .. I sort of assumed CD would have been written in Objective C

comment:17 Changed on Jun 6, 2007 at 10:21:15 PM by llbbl

I think rewriting it in objective c while borrowing as much as possible from fugu is the best way to go. The current implementation is rather clunky ><. Fugu is a speed daemon compared to cyberduck when it comes to SSH/SFTP transfers.

Maybe we need a fundraising drive or something like wikipedia does. David and the other developers might be more receptive to changing things over to objective c, if the community could come up with a 20K.

comment:18 Changed on Jun 7, 2007 at 8:49:37 AM by dkocher

Cyberduck uses Ganymed by now. One would have to add ssh-agent support there.

comment:19 Changed on Dec 7, 2007 at 7:27:52 AM by dkocher

  • Component changed from core to sftp

comment:20 Changed on Mar 17, 2008 at 9:27:10 PM by dkocher

  • Milestone 3.0 deleted

comment:21 Changed on Aug 18, 2013 at 8:39:35 PM by dkocher

See also #5259 (Pageant, SSH authentication agent for PuTTY).

Last edited on Sep 23, 2013 at 3:30:51 PM by dkocher

comment:22 Changed on Apr 8, 2014 at 11:23:33 AM by dkocher

  • Milestone set to 4.5

comment:23 Changed on Apr 11, 2014 at 10:27:31 AM by dkocher

  • Summary changed from SSH public key authentification using SSH agent to Public key authentification using SSH agent

comment:24 Changed on Apr 24, 2014 at 8:33:23 PM by dkocher

  • Summary changed from Public key authentification using SSH agent to Public key authentication using SSH agent

comment:25 Changed on Apr 24, 2014 at 8:34:25 PM by dkocher

  • Resolution set to fixed
  • Status changed from assigned to closed

In r14509. Support for both OpenSSH on Mac and PuTTY Pageant on Windows.

comment:26 Changed on Oct 1, 2014 at 5:42:14 AM by glyph lefkowitz

Hi there cyberduck,

I just tried to use this feature on version 4.5.2 (website download, not MAS release). It didn't work, but I didn't see any UI that exposed it, so I'm not sure how to tell if I'm doing it right. How is one supposed to set up agent authentication?

-glyph

comment:27 Changed on Oct 1, 2014 at 5:46:33 AM by glyph lefkowitz

  • Cc glyph@… added

comment:29 follow-up: Changed on Oct 1, 2014 at 5:59:27 PM by glyph lefkowitz

Thanks for adding the documentation!

That is indeed what I expected to happen; my keys are in my agent, my command-line 'ssh' connections work, I didn't enter a password, but Cyberduck still prompts me for a password or public key.

Do I need to create a bookmark first for this to work?

comment:30 Changed on Oct 1, 2014 at 8:20:58 PM by dkocher

Additional fixes in r15240 and r15241.

comment:31 in reply to: ↑ 29 ; follow-up: Changed on Oct 1, 2014 at 8:21:53 PM by dkocher

Replying to glyph lefkowitz:

> Thanks for adding the documentation!
>
> That is indeed what I expected to happen; my keys are in my agent, my command-line 'ssh' connections work, I didn't enter a password, but Cyberduck still prompts me for a password or public key.

Please update to the latest snapshot build available.

comment:32 in reply to: ↑ 31 Changed on Oct 1, 2014 at 9:10:58 PM by glyph lefkowitz

Replying to dkocher:

> Replying to glyph lefkowitz:
>
> > Thanks for adding the documentation!
> >
> > That is indeed what I expected to happen; my keys are in my agent, my command-line 'ssh' connections work, I didn't enter a password, but Cyberduck still prompts me for a password or public key.
>
> Please update to the latest snapshot build available.

I tried updating to a snapshot build and it didn't help.

The problem appears to be with the case where the host is not initially known; in that case, if I accept and do not check "always", it doesn't check my authentication agent. For some reason even though I have set HashKnownHosts no in my SSH config (to play better with bash hostname completion), CyberDuck can only use hashed hostnames, so I was not accepting the host key persistently while I was looking for that setting.
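Comment 32 turns on the two forms a known_hosts entry can take, hashed (`HashKnownHosts yes`) and plain. The lookup below accepts both; it is an added example, not Cyberduck's code, and the function names, sample hosts and placeholder keys are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

def hash_host(host, salt):
    """HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def field_matches(field, host):
    """True if a known_hosts host field names host, whether hashed or plain."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
            salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        except ValueError:
            return False  # a malformed hashed entry never matches
        want = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, mac)
    matched = False
    for pat in field.split(","):
        negated, pat = pat.startswith("!"), pat.lstrip("!")
        rx = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, host):
            if negated:
                return False  # a negated pattern vetoes the whole line
            matched = True
    return matched

def known_keys(known_hosts_text, host):
    """Return (key type, base64 key) for each plain or hashed line naming host."""
    found = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@":
            continue  # comments and @cert-authority/@revoked lines need separate handling
        if field_matches(parts[0], host.lower()):
            found.append((parts[1], parts[2]))
    return found

# Constructed sample file: one hashed and one plain entry, placeholder key material.
SAMPLE_KNOWN_HOSTS = "\n".join([
    hash_host("files.example.org", bytes(range(20))) + " ssh-ed25519 KEY-A-PLACEHOLDER",
    "*.example.net,!bad.example.net ssh-ed25519 KEY-B-PLACEHOLDER",
])
```

For a non-default port the caller passes the host in the `[host]:port` form that known_hosts stores.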
