
Version 79 (modified by dkocher, on Oct 19, 2020 at 12:21:04 PM)



SFTP connections

If you have access to a server using a secure shell (SSH2), most probably sftp-server is also installed and configured and you can connect using SFTP.

OpenSSH Configuration Interoperability

Public Key Fingerprints

Public key fingerprints are checked against and written to ~/.ssh/known_hosts when accepted. This does not apply to the Mac App Store version, which stores key fingerprints in the preferences instead.

Configuration File

The following configuration options from ~/.ssh/config are supported for SFTP connections:

  • IdentityFile for public key authentication.
  • HostName aliases.
  • User preference for login credentials.
  • ProxyJump to connect via SSH tunnel through bastion server. Version 8 or later required.

A bookmark will update its public key authentication setting from the IdentityFile configuration in ~/.ssh/config. Also when opening a new connection using File → Open Connection…, IdentityFile and User parameters in the OpenSSH user config file are auto completed.

Example ~/.ssh/config configuration:

Host myhostname
	User myusername
	IdentityFile ~/.ssh/mykey-rsa

To use the same key for all hosts add a wildcard entry such as

Host *
	IdentityFile ~/.ssh/mykey-rsa

which is then used when configuring a new bookmark.

Default Public Key Authentication Keys

You can enable the use of a default set of keys ~/.ssh/id_rsa and ~/.ssh/id_dsa (in this order) by setting the hidden configuration option ssh.authentication.publickey.default.enable to true.

defaults write ch.sudo.cyberduck ssh.authentication.publickey.default.enable true

Public Key Authentication

Public-key authentication allows you to connect to a remote server without sending your password over the Internet. It uses two keys: a private key that only you have, which should be kept in a secure place and protected with a password, and a public key, which is placed on the server you wish to access, usually by the system administrator when your account is set up. Private keys containing a DSA or RSA private key in PEM format are supported (look for -----BEGIN DSA PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- in the file) and can be configured in the Bookmark or Connection panel.

PuTTY Key Format Interoperability

PuTTY private keys (.ppk) are supported for rsa key types. ed25519 is not supported.

OpenSSH Key Format Interoperability

OpenSSH private keys of type rsa, dsa, ecdsa and ed25519 (in OpenSSL PEM format) are supported. The new OpenSSH format (openssh-key-v1) is only supported for ecdsa and ed25519.

Configure public key authentication

  1. Run the command ssh-keygen from a terminal to generate a public/private pair of keys. They will be put in your directory ~/.ssh, though you will probably be asked to approve or change this location. When you generate the keys you will be asked for a passphrase. If you set a passphrase, you will have to enter it each time you use the keys for authentication, that is, every time you log in, just as you would with a password. If you don't enter a passphrase (just press the return key), you will be able to log in without entering one. This can be more convenient, but it is less secure.
ssh-keygen -m PEM -t rsa
  2. Copy the public key to the remote host you wish to access and add it to the file authorized_keys in your ~/.ssh directory. (If that file does not exist, create it.) Anybody listed in the authorized_keys file (via their public key) is allowed to log in, provided that they can prove that they possess the corresponding private key. Thus if you have the private key in your .ssh directory on your home machine, you'll be allowed in.
ssh hostname < ~/.ssh/ 'cat >> .ssh/authorized_keys'
  3. In the Connection Dialog or the Bookmark editor in Cyberduck select Use Public Key Authentication and select the private key in your .ssh directory.

Public key authentication using SSH agent


There is support for OpenSSH ssh-agent. The agent ssh-agent is running by default on OS X. You add private key identities to the authentication agent using the program ssh-add. When connecting to an SSH server, Cyberduck will look up matching private keys from the SSH agent when attempting to authenticate with the server if no password is available and no explicit private key is configured in the bookmark.


There is support for Pageant on Windows.

One-time passcodes

Challenge-response authentication with one-time password generators like SecurID is supported. After the initial login prompt for the username and password, a second login prompt is displayed to enter the one-time passcode.

Google Authenticator

A setup with a two-step verification such as Google Authenticator is supported.

Use the following configuration steps

  • Install libpam-google-authenticator on the server.
  • Run google-authenticator to create a new account and scan the 2D barcode using the Authenticator application on your phone. Refer to Install Google Authenticator.
  • Make it required for SSH logins by running echo 'auth required pam_google_authenticator.so' >> /etc/pam.d/sshd.
  • Add ChallengeResponseAuthentication yes to /etc/ssh/sshd_config with echo 'ChallengeResponseAuthentication yes' >> /etc/ssh/sshd_config.

When logging in, enter the time based token requested after providing username and password.

Verifying host keys

Upon connecting to an SSH server for the first time, you will see a message to verify the host key uniquely identifying the server. You can ask your provider for the public fingerprint of the server to make sure you are connecting to the right host. Subsequent connections to the SSH server will check that the host key has not changed, to prevent spoofing attacks.

Connect via SSH tunnel through bastion server

Version 8 or later required. Using the ProxyJump configuration directive in ~/.ssh/config you can connect through a tunnel. Sample configuration:

Host internal
    HostName server.lan
    User user-internal

You can also work with aliases like

Host bastion-host-nickname
    HostName bastion-hostname
    User username
    Port 2222

Host remote-host-nickname
    HostName remote-hostname
    ProxyJump bastion-host-nickname

Open in Terminal

Open in Terminal allows you to open an SSH shell for the current working directory with a single click.

Mac (Terminal.app)

Use View → Customize Toolbar... to add the toolbar icon to your browser.

  • Customize SSH command

You can change the SSH command using the hidden configuration option

defaults write ch.sudo.cyberduck terminal.command.ssh \"ssh\ -t\ {0}\ {1}@{2}\ -p\ {3}\ \\\"cd\ {4}\ \&\&\ exec\ \\\\\$SHELL\\\"\"


  • {0} is -i <path to the private key>
  • {1} is the username from the login credentials
  • {2} is the hostname
  • {3} is the port number of the remote host
  • {4} is the current working directory in the browser

Because of all the escaping of characters, it might be easier to edit the key using Property List Editor if you have the developer tools installed. You can then set the string for the key terminal.command.ssh to ssh -t {0} {1}@{2} -p {3} "cd {4} && exec \$SHELL". Test the string in a terminal first to check that it is valid.

Using iTerm2

Version 7.4 and later

No configuration change is required. Choose iTerm2 → Make iTerm2 Default Term and restart Cyberduck. To revert, set the default application for a file named .command to Terminal.app in Finder → Info → Open With….

Previous versions

You can change a hidden configuration option to use a third-party terminal application instead of Terminal.app.

  • Example for iTerm2 Version 2
    defaults write ch.sudo.cyberduck terminal.bundle.identifier com.googlecode.iterm2
    defaults write ch.sudo.cyberduck terminal.command \"set\ t\ to\ \(make\ new\ terminal\)\\ntell\ t\\nset\ s\ to\ \(launch\ session\ \\\"Default\ Session\\\"\)\\ntell\ s\\nwrite\ text\ \\\"{0}\\\"\\nend\ tell\\nend\ tell\"
  • Example for iTerm2 Version 3
    defaults write ch.sudo.cyberduck terminal.bundle.identifier com.googlecode.iterm2
    defaults write ch.sudo.cyberduck terminal.command \"set\ t\ to\ \(create\ window\ with\ default\ profile\)\\ntell\ t\\nset\ s\ to\ \(current\ session\)\\ntell\ s\\nwrite\ text\ \\\"{0}\\\"\\nend\ tell\\nend\ tell\"

To reset to the default settings use:

defaults delete ch.sudo.cyberduck terminal.bundle.identifier
defaults delete ch.sudo.cyberduck terminal.command

Windows disable WSL

There is a hidden configuration option for toggling additional SSH-terminal applications. Currently implemented are ssh.exe (OpenSSH built-in to Windows 10 since 1709), bash.exe (using WSL and invoking ssh there) as well as PuTTY.

  • Disabling OpenSSH: terminal.openssh.enable=false
  • Disabling WSL: terminal.windowssubsystemlinux.enable=false

Windows (PuTTY.exe)

Use View → Customize Toolbar... to add the Open in Putty toolbar icon to your browser.

  • Location of the PuTTY installation

By default, the executable putty.exe must be located in your user home folder. You can change the install location by editing the hidden configuration option terminal.command.ssh to point to the path of the executable.

Distribution (CDN)

You can enable custom origin Amazon CloudFront (Content Delivery Network) distribution using File → Info → Distribution (CDN).

Create and expand ZIP/TAR Archives

The remote systems must have the archiving tools tar or zip installed respectively. Use View → Customize Toolbar... to add the Archive toolbar button to your browser window. It is not included in the default toolbar configuration.


Select one or more files to archive in the browser. For multiple files, a file with the name Archive with the given extension of the archive format will be created.


Select one or more files to expand in the current working directory.

Remote Commands

See the Custom Command page to send custom commands over SSH.

Default protocol handler

You can set Cyberduck or a third party application as the default application (protocol handler) for SFTP in Preferences → SFTP. When you click URLs in another application like your web browser, this application is opened to open the URL instead.


Illegal sftp packet len. Invalid packet: indicated length 1114795883 too large

The error message Invalid packet: indicated length 1114795883 too large may indicate one of the following:

  • An echo statement in your shell init script like .bashrc. Make sure it does not output any text.
  • Interoperability issue with Globalscape EFT Server. Issue #5308.
  • Possibly the server is printing a message similar to Please login as the ubuntu user rather than root user. Please verify the username for your connection.
  • Enable SSH access on your server. Use the sftp command in a terminal to verify sftp username@domain_name. It'll ask for your password. If you don't have SSH access, you'll get "Received message too long", hence the error message.
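Why stray text produces this error, as an added example that is not part of Cyberduck: an SFTP packet starts with a 4-byte big-endian length, so any text the server prints first is read as a huge length. The number in the error above, 1114795883, is 0x42726F6B, the ASCII bytes "Brok". The function names, the MAX_PACKET limit and the sample streams are assumptions made for this illustration.

```python
import struct

MAX_PACKET = 256 * 1024  # assumed sanity limit; each client picks its own value

def length_to_text(indicated_length):
    """Turn the 'indicated length' from the error back into the 4 bytes the server sent."""
    return struct.pack(">I", indicated_length).decode("ascii", errors="replace")

def read_first_packet(stream):
    """Read the start of an SFTP stream: uint32 length, one type byte, then the payload."""
    if len(stream) < 5:
        raise ValueError("short read")
    (length,) = struct.unpack(">I", stream[:4])
    if length > MAX_PACKET:
        head = stream[:4]
        printable = all(0x20 <= b < 0x7F or b in (0x0A, 0x0D) for b in head)
        hint = "server sent text, not SFTP" if printable else "corrupt stream"
        raise ValueError(f"indicated length {length} too large ({hint}: {head!r})")
    return stream[4], stream[5:4 + length]

# Constructed sample streams, not captured traffic.
CLEAN = struct.pack(">IBI", 5, 2, 3)   # SSH_FXP_VERSION (type 2), protocol version 3
NOISY = b"Welcome back!\n" + CLEAN     # the same packet preceded by echo output from .bashrc
```

Running length_to_text on the number from your own error message shows the first four characters of whatever the server printed, which usually identifies the offending banner or init script.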

Kex Timeout

This error can occur if you are connecting for the first time to a device with a slow processor. You can raise the timeout value in Preferences → Connection → Timeout.

Connect does not work

Cyberduck refuses to connect if there are malformed entries in your known_hosts file located under ~/.ssh. Renaming this file and recreating it usually resolves this. Alternatively, edit the known_hosts file manually and remove all malformed entries. Please refer to sshd(8) for the valid format.
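One way to find the malformed entries before editing the file, as an added example that is not Cyberduck's own parser: it checks each line against the field layout in sshd(8) (optional marker, hostnames, key type, base64 key, optional comment) and returns the SHA256 fingerprint of valid entries, which is the value to compare with the one your provider publishes, as described under Verifying host keys. The function names are hypothetical and the sample keys are constructed placeholders.

```python
import base64
import hashlib
import struct

MARKERS = {"@cert-authority", "@revoked"}  # the two markers sshd(8) defines

def check_line(line):
    """Return (reason, fingerprint); reason is None for a valid or ignorable line."""
    s = line.strip()
    if not s or s.startswith("#"):           # blank lines and comments are ignored
        return None, None
    fields = s.split()
    if fields[0].startswith("@"):
        if fields[0] not in MARKERS:
            return f"unknown marker {fields[0]}", None
        fields = fields[1:]
    if len(fields) < 3:
        return "expected: hostnames keytype base64-key [comment]", None
    keytype, b64 = fields[1], fields[2]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return "key is not valid base64", None
    # The decoded key starts with a length-prefixed copy of the key type.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != keytype.encode():
        return "key type does not match key data", None
    digest = hashlib.sha256(blob).digest()
    return None, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def malformed_entries(text):
    """List (line number, reason) for every entry that fails the checks."""
    checked = ((n, check_line(l)[0]) for n, l in enumerate(text.splitlines(), 1))
    return [(n, reason) for n, reason in checked if reason]

def sample_blob(keytype, payload=bytes(32)):
    """Constructed stand-in for a key blob; not a real host key."""
    k = keytype.encode()
    raw = struct.pack(">I", len(k)) + k + struct.pack(">I", len(payload)) + payload
    return base64.b64encode(raw).decode()

SAMPLE = "\n".join([                          # constructed known_hosts content
    "# constructed sample",
    f"server.example.net ssh-ed25519 {sample_blob('ssh-ed25519')}",
    "server.example.net ssh-ed25519",
    f"[bastion.example.net]:2222 ssh-rsa {sample_blob('ssh-ed25519')}",
    f"files.example.net ssh-ed25519 {sample_blob('ssh-ed25519')[:-3]}",
])
```

Call malformed_entries on the contents of your own known_hosts file to get the line numbers to repair or remove.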


Serv-U MFT

Serv-U MFT does not fully implement SFTPv3. Files cannot be created, renamed or uploaded because a required flag is not implemented, which results in error messages.

Supported Algorithms


aes{128,192,256}-{cbc,ctr}, blowfish-{cbc,ctr}, 3des-{cbc,ctr}, twofish{128,192,256}-{cbc,ctr}, twofish-cbc, serpent{128,192,256}-{cbc,ctr}, idea-{cbc,ctr}, cast128-{cbc,ctr}, arcfour, arcfour{128,256}, aes{128,256}

Key Exchange

diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group14-sha256, diffie-hellman-group15-sha512, diffie-hellman-group16-sha512, diffie-hellman-group17-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521,


ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519


Compression with zlib and is supported.

Private Key Files

pkcs5, pkcs8, openssh-key-v1,,
