#8401 new enhancement

Support authentication with private key from SmartCard (PKCS11)

Reported by: manust
Owned by: dkocher
Priority: low
Milestone:
Component: sftp
Version: 4.6
Severity: normal
Keywords: smartcard
Cc: jph@…
Architecture: Intel
Platform: Mac OS X 10.10

Description

Hi, it would be nice if Cyberduck were able to use the PKCS11Provider option, as it's already able to use the IdentityFile line of the OpenSSH config. This way it could manage SmartCard authentication.

kind regards

Change History (11)

comment:1 Changed on Dec 6, 2014 at 2:04:13 PM by dkocher

It should be possible that you add the keys from the SmartCard to the OpenSSH agent using ssh-add.

comment:2 Changed on Dec 6, 2014 at 2:28:48 PM by manust

Replying to dkocher:

It should be possible that you add the keys from the SmartCard to the OpenSSH agent using ssh-add.

Yes, but I don't want the private key to be stored in ssh-agent or cached.

Last edited on Dec 8, 2014 at 2:31:38 PM by dkocher

comment:3 follow-up: Changed on Dec 8, 2014 at 2:33:30 PM by dkocher

  • Platform set to Mac OS X 10.10

Are the keys from the smart card accessible from Keychain Access.app?

comment:4 in reply to: ↑ 3 Changed on Dec 8, 2014 at 2:35:50 PM by dkocher

Replying to dkocher:

Are the keys from the smart card accessible from Keychain Access.app?

Not sure if you will have to install the SmartCard Services.

comment:5 Changed on Dec 8, 2014 at 2:37:23 PM by dkocher

  • Summary changed from SmartCard authentification to Support authentication with private key from SmartCard (PKCS11)

comment:6 Changed on Dec 8, 2014 at 5:59:15 PM by manust

As OpenSSH is expecting a PKCS#11 "format" card, I use the OpenSC library (opensc-pkcs11.so) for SSH command-line authentication. The SmartCard content doesn't appear in the Keychain; if I'm not mistaken, the SmartCard Services (TokenD) has been abandoned by Apple and they now use PCSC (which doesn't seem usable with OpenSSH).
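What honoring PKCS11Provider next to IdentityFile means when reading an OpenSSH client config, as an added example that is not part of the ticket and not Cyberduck's code: a simplified resolver that applies the ssh_config rules (first PKCS11Provider value wins, IdentityFile entries accumulate, a matching negated Host pattern vetoes the block). The host names and library paths in the sample are constructed, and Match blocks, Include and token expansion are not handled.

```python
import fnmatch
import re
import shlex

# Constructed sample config; host names and paths are assumptions.
SAMPLE_CONFIG = """\
# token-backed key for the bastion
Host bastion.example.com
    PKCS11Provider /usr/local/lib/opensc-pkcs11.so

Host *.example.com !legacy.example.com
    PKCS11Provider=/opt/other/pkcs11.so
    IdentityFile ~/.ssh/id_ed25519

Host *
    IdentityFile ~/.ssh/id_rsa
"""

# Keyword and arguments are separated by whitespace or by an optional "=".
LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

def host_matches(patterns, host):
    """A matching negated pattern vetoes the block; otherwise any positive match applies."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def resolve_auth(config_text, host):
    """Effective PKCS11Provider (first value wins) and IdentityFile list for host."""
    provider, identities, active = None, [], True  # lines before any Host apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m or line.startswith("#"):
            continue
        key, args = m.group(1).lower(), shlex.split(m.group(2))
        if key == "host":
            active = host_matches(args, host)
        elif active and args and key == "pkcs11provider" and provider is None:
            provider = args[0]
        elif active and args and key == "identityfile":
            identities.append(args[0])
    return {"pkcs11_provider": provider, "identity_files": identities}
```

A host that resolves with `pkcs11_provider` set would authenticate with a key held on the token, while one that resolves only `identity_files` relies on key files on disk.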

comment:7 Changed on Dec 10, 2014 at 2:23:53 PM by dkocher

On a side note we have updated our instructions to use Cyberduck with Google Authenticator (or other token based systems) which might be a suitable alternative.

comment:8 Changed on Dec 10, 2014 at 2:24:14 PM by dkocher

  • Milestone 4.7 deleted

comment:9 Changed on Feb 29, 2016 at 5:05:44 PM by dkocher

#9318 closed as duplicate.

comment:10 Changed on Mar 1, 2016 at 12:41:02 AM by noah977

Adding support for this ticket - some of us REALLY need a way to use PKCS devices with SFTP

comment:11 Changed on Apr 5, 2017 at 6:13:09 PM by jph@…

  • Cc jph@… added

A YubiKey should work well for this, if you're using OpenSSH.
