Support authentication with private key from SmartCard (PKCS11) #8401

Open
cyberduck opened this issue Dec 6, 2014 · 10 comments
Labels
enhancement low priority sftp SFTP Protocol Implementation

@cyberduck
Collaborator

6959b9a created the issue

Hi,
It would be nice if CyberDuck could use the PKCS11Provider option,
as it's already able to use the IdentityFile line of the OpenSSH config.
This way it could manage SmartCard authentication.

Kind regards

@cyberduck
Collaborator Author

@dkocher commented

It should be possible that you add the keys from the SmartCard to the OpenSSH agent using ssh-add.

@cyberduck
Collaborator Author

6959b9a commented

Replying to [comment:1 dkocher]:

> It should be possible that you add the keys from the SmartCard to the OpenSSH agent using ssh-add.

Yes, but I don't want the private key to be stored in ssh-agent or cached.

@cyberduck
Collaborator Author

@dkocher commented

Are the keys from the smart card accessible from Keychain Access.app?

@cyberduck
Collaborator Author

@dkocher commented

Replying to [comment:3 dkocher]:

> Are the keys from the smart card accessible from Keychain Access.app?

Not sure if you will have to install the SmartCard Services.

@cyberduck
Collaborator Author

6959b9a commented

As OpenSSH is expecting a PKCS11 "format" card, I use the OpenSC library (opensc-pkcs11.so) for SSH command line authentication.
The SmartCard content doesn't appear in the KeyChain; if I'm not mistaken, the SmartCard Services (TokenD) has been abandoned by Apple and now uses PCSC
(which doesn't seem usable with OpenSSH).

@cyberduck
Collaborator Author

@dkocher commented

On a side note, we have updated our instructions to use Cyberduck with Google Authenticator (or other token-based systems), which might be a suitable alternative.

@cyberduck
Collaborator Author

@dkocher commented

#9318 closed as duplicate.

@cyberduck
Collaborator Author

f0de763 commented

Adding support for this ticket - some of us REALLY need a way to use PKCS devices with SFTP.

@cyberduck
Collaborator Author

1e00fd5 commented

A YubiKey should work well for this, if you're using OpenSSH.

@cyberduck
Collaborator Author

2df493a commented

On macOS 10.15 Catalina at least, I can use the native ssh client with "PKCS11Provider /usr/lib/ssh-keychain.dylib" in the ~/.ssh/config file, and the YubiKey works for passwordless login. This is apparently supported since macOS High Sierra. Cyberduck should also support this since it's built in to macOS.
