Public key authentication using SSH agent #12024

Closed
cyberduck opened this issue Jan 4, 2006 · 24 comments
Labels
enhancement fixed sftp SFTP Protocol Implementation

@cyberduck
Collaborator

anonymous created the issue

It would be a quite nice and useful enhancement if SSH public key authentication would
use a running SSH agent.

Pointer to OpenSSH code: authfd.c



03c71ae commented

I second this, it seems natural to be able to use SSH Agent to connect to SFTP, but Cyberduck can't do it (yet? =), is there a timeline for getting this feature working (is the 2.6 milestone realistic, and if it is, is there a target date for the 2.6 release?)

Thanks

1580cdf commented

I'm new to Cyberduck, but this was the first option I searched... :)

If this is planned for a future version, great! It would be nice to work with some of the GUI ssh-agent interfaces like SSHKeychain for example.

It should be easy enough: SSHKeychain places the ssh-agent pipe in a specific place, easy to find.

Thanks,

kL commented

I'm actually having trouble with running shell ssh-agent and I like that CyberDuck allows me to choose the right key. I'd like old behavior kept, even if external agent is supported.

9e51f13 commented

I second that wish. It seems wasteful and potentially insecure having to save the credentials in the keychain when there is an ssh-agent running.

e764e3e commented

I second (third? fourth?) that wish. SSHKeychain is too useful to be ignored by cyberduck. (:

03c71ae commented

I'd like to clarify/stress the point that we're not even talking about support for a specific app (ie. SSHKeychain) .. but for the openssh key agent support, which is a much more open interface, and is the standard for holding onto ssh keys

e764e3e commented

Piotr: you're right, sorry for bringing a specific app into the discussion; it just happens to be what I use.

anonymous commented

I also agree that ssh-agent support, no matter what other apps may be involved to help manage it, is important. Fugu does this well but Cyberduck doesn't, and it feels like a race between it and Fetch to get there first.

anonymous commented

mod up

aad5ed5 commented

bump.

please! =]

e764e3e commented

I have code that integrates the sshtools.com agent code into cyberduck, adds unix domain socket via jbuds (see freshmeat.net) for local ssh agent connections, and defaults to trying the agent first.

So far, it's looking pretty good: it tries to use the agent and falls back to asking for a passphrase if the agent fails.

The problem is that the sshtools.com agent code isn't working. The primary reason for this is that the sshtools.com agent code does not speak the openssh authentication protocol, which is used by many agents, instead speaking only ssh.com's agent protocol. After I discovered this, I gave up; but I believe the code can still be put to use by somebody who is willing to invest an afternoon or so, and implements the auth agent protocol correctly.

openssh's code is a good reference for that. I suggest starting with authfd.c and authfd.h. You'll have to rewrite a few of the java message classes, and several methods in SshAgentClient.java. I've started already by assigning the correct message number to SshAgentFailure (5 instead of 102) (-:

There are also a few UI things left to iron out: maybe include an "I want to use the agent" checkbox, and if the agent isn't unlocked, ask for the passphrase.

I'm attaching my diff against current svn (hope that this works for you, I'm a total xcode newbie). To whomever will finally implement this: You have my gratitude and respect.
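The OpenSSH agent framing the comment above refers to, as an added example that is not part of the original thread or of the attached diff: every message is a 4-byte big-endian length followed by a type byte, and `SSH_AGENT_FAILURE` is type 5. The message numbers are those of the OpenSSH agent protocol (`authfd.h`); the function names and the `MAX_REPLY` bound are assumptions made for this illustration.

```python
import os
import socket
import struct

# Message numbers from the OpenSSH agent protocol (authfd.h).
SSH_AGENT_FAILURE = 5
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
MAX_REPLY = 256 * 1024  # bound chosen for this example, not a protocol constant

def frame(msg_type, payload=b""):
    """uint32 big-endian length of (type byte + payload), then type, then payload."""
    return struct.pack(">IB", len(payload) + 1, msg_type) + payload

def read_u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def read_string(buf, off):
    """SSH 'string': uint32 length + bytes; a length past the buffer is rejected."""
    n, off = read_u32(buf, off)
    if off + n > len(buf):
        raise ValueError("string length exceeds message")
    return buf[off:off + n], off + n

def parse_identities(body):
    """Reply body (type byte + payload) -> [(key_blob, comment)], or None on failure."""
    if body[:1] == bytes([SSH_AGENT_FAILURE]):
        return None  # caller falls back to asking for a passphrase
    if body[:1] != bytes([SSH2_AGENT_IDENTITIES_ANSWER]):
        raise ValueError("unexpected agent message type")
    count, off = read_u32(body, 1)
    keys = []
    for _ in range(count):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def list_agent_keys(path=None):
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path or os.environ["SSH_AUTH_SOCK"])  # default: $SSH_AUTH_SOCK
        s.sendall(frame(SSH2_AGENTC_REQUEST_IDENTITIES))
        with s.makefile("rb") as f:
            n, _ = read_u32(f.read(4), 0)
            if not 0 < n <= MAX_REPLY:
                raise ValueError("implausible reply length")
            return parse_identities(f.read(n))
```

A client that expects a different failure number (such as the 102 mentioned above) would land in the "unexpected agent message type" branch instead of falling back cleanly.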

03c71ae commented

Has anyone considered borrowing the ssh agent implementation from Fugu? It is open source and BSD licensed .. I'm sure they wouldn't mind sharing the ssh agent integration.

Just a thought

e764e3e commented

The reason for not using fugu's ssh agent code is that fugu is written in objective C and uses the openssh binary tools directly, and most of cyberduck is written in java, including its own ssh client in java (called j2ssh, from sshtools.com). That means you'd either have to dump & re-write the entire ssh/sftp backend (not so pleasant, IMHO), or try to come up with an ssh agent client in java that works with the existing j2ssh code.

03c71ae commented

Ah .. I see .. thanks for the clarification .. I sort of assumed CD would have been written in Objective C

0302cb0 commented

I think rewriting it in objective c while borrowing as much as possible from fugu is the best way to go. The current implementation is rather clunky ><. Fugu is a speed daemon compared to cyberduck when it comes to SSH/SFTP transfers.

Maybe we need a fundraising drive or something like wikipedia does. David and the other developers might be more receptive to changing things over to objective c, if the community could come up with a 20K.

@dkocher commented

Cyberduck uses Ganymed by now. One would have to add ssh-agent support there.

@dkocher commented

See also #5259 (Pageant, SSH authentication agent for PuTTY).

@dkocher commented

In 17f5c5b. Support for both OpenSSH on Mac and PuTTY Pageant on Windows.

13a0f88 commented

Hi there cyberduck,

I just tried to use this feature on version 4.5.2 (website download, not MAS release). It didn't work, but I didn't see any UI that exposed it, so I'm not sure how to tell if I'm doing it right. How is one supposed to set up agent authentication?

-glyph

@dkocher commented

Documentation forthcoming in Public key authentication using SSH agent.

13a0f88 commented

Thanks for adding the documentation!

That is indeed what I expected to happen; my keys are in my agent, my command-line 'ssh' connections work, I didn't enter a password, but Cyberduck still prompts me for a password or public key.

Do I need to create a bookmark first for this to work?

@dkocher commented

Additional fixes in cbe92ef and 622f23b.

@dkocher commented

Replying to [comment:29 glyph lefkowitz]:

> Thanks for adding the documentation!
>
> That is indeed what I expected to happen; my keys are in my agent, my command-line 'ssh' connections work, I didn't enter a password, but Cyberduck still prompts me for a password or public key.

Please update to the latest snapshot build available.

13a0f88 commented

Replying to [comment:31 dkocher]:

> Replying to [comment:29 glyph lefkowitz]:
>
> > Thanks for adding the documentation!
> >
> > That is indeed what I expected to happen; my keys are in my agent, my command-line 'ssh' connections work, I didn't enter a password, but Cyberduck still prompts me for a password or public key.
>
> Please update to the latest snapshot build available.

I tried updating to a snapshot build and it didn't help.

The problem appears to be with the case where the host is not initially known; in that case, if I accept and do not check "always", it doesn't check my authentication agent. For some reason even though I have set HashKnownHosts no in my SSH config (to play better with bash hostname completion), CyberDuck can only use hashed hostnames, so I was not accepting the host key persistently while I was looking for that setting.
