Interoperability with gpg-agent (YubiKey) #10454

Closed
cyberduck opened this issue Sep 7, 2018 · 9 comments

@cyberduck cyberduck commented Sep 7, 2018

03b55c6 created the issue

Cyberduck is great, but I cannot use it anymore, since I switched to using a YubiKey to store my SSH private key.

The reason is simply the requirement to select a private key file when opening a connection.
Note: I can connect using SSH on the command-line, using ForkLift, SourceTree, … just fine. They all just use the identity agent I have configured…

Since this blocks me from using Cyberduck, I consider this a defect…

@cyberduck cyberduck commented Sep 11, 2018

@dkocher commented

From my understanding you configure YubiKey to be used as a one-time passcode with the SSH server. We have instructions on how this works with Google Authenticator but I assume this should work similarly if configured using ChallengeResponseAuthentication in OpenSSH. Otherwise, please elaborate on the setup.

@cyberduck cyberduck commented Sep 11, 2018

03b55c6 commented

No, I am not using the YubiKey as a 2FA token. I use it as a hardware token; it stores my RSA keys. My SSH is set up to talk to gpg-agent, which is running as gpg-agent --daemon --enable-ssh-support. The result is that by now most tools that can use my native SSH setup work fine, with the help of IdentityAgent ~/.gnupg/S.gpg-agent.ssh in my ~/.ssh/config.

With "SSH Private Key" set to "None" for the connection, it asks me for a password… But when trying to enable the use of a private key, Cyberduck forces me to select a private key file–I don't have a file, though, the private key is hidden in my YubiKey.

@cyberduck cyberduck commented Sep 11, 2018

@dkocher commented

We do not currently read IdentityAgent from OpenSSH configuration ~/.ssh/config. But if the SSH_AUTH_SOCK environment variable is pointing to the GPG agent socket it should work.

@cyberduck cyberduck commented Sep 11, 2018

@cyberduck cyberduck commented Sep 12, 2018

03b55c6 commented

Indeed, with SSH_AUTH_SOCK set (which it was already for me) and Cyberduck being started from the command line (I didn't try that, it seems), it works as expected. That's at least something!

@cyberduck cyberduck commented Sep 14, 2018

@dkocher commented

     IdentityAgent
             Specifies the UNIX-domain socket used to communicate with the authentication agent.

             This option overrides the SSH_AUTH_SOCK environment variable and can be used to select a specific agent.  Setting the socket name to none disables the use of an authentication agent.  If the string
             "SSH_AUTH_SOCK" is specified, the location of the socket will be read from the SSH_AUTH_SOCK environment variable.


@cyberduck cyberduck commented Jul 25, 2019

@dkocher commented

It would be nice if we had a user-friendly configuration option that does not require opening the application from the command line.

@cyberduck cyberduck commented Sep 13, 2019

@dkocher commented

#10800 closed as duplicate.

@cyberduck cyberduck commented Sep 13, 2019

96851d2 commented

For your information:

There is a solution to this bug, you can create a plist to make Cyberduck accept $AUTH_SSH_SOCK when opened from the dock.

Instructions are here: https://evilmartians.com/chronicles/stick-with-security-yubikey-ssh-gnupg-macos

Unfortunately it only works up until 7.0.2, see #10800

@cyberduck cyberduck closed this Sep 20, 2019
@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021
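
An added illustration, not part of the thread and not Cyberduck's code: a Python example of the agent-socket resolution described in the IdentityAgent text quoted above, compared against a client that only reads SSH_AUTH_SOCK. The function names, sample config, host names and paths are constructed; Match blocks are skipped and only a leading ~/ is expanded.

```python
import fnmatch
import re
import shlex

LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"

def host_matches(patterns, host):
    """ssh_config Host matching: a matching negated pattern vetoes the line."""
    if any(p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def identity_agent_for(config_text, host):
    """First IdentityAgent value that applies to host (first obtained value wins)."""
    applies = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:  # blank lines and comments do not start with a keyword
            continue
        key, rest = m.group(1).lower(), m.group(2)
        if key == "host":
            applies = host_matches(shlex.split(rest), host)
        elif key == "match":
            applies = False  # assumption: Match blocks are ignored here
        elif key == "identityagent" and applies:
            return shlex.split(rest)[0]
    return None

def resolve_agent_socket(config_text, host, env, home):
    """Socket a client honouring IdentityAgent would use; None means no agent."""
    value = identity_agent_for(config_text, host)
    if value is None or value == "SSH_AUTH_SOCK":
        return env.get("SSH_AUTH_SOCK") or None
    if value == "none":
        return None
    return home + value[1:] if value.startswith("~/") else value

def env_only_mismatch(config_text, host, env, home):
    """True when a client that reads only SSH_AUTH_SOCK picks a different agent."""
    return resolve_agent_socket(config_text, host, env, home) != (env.get("SSH_AUTH_SOCK") or None)

# Constructed sample input: a config and the environment of a GUI-launched app.
SAMPLE_CONFIG = (
    "Host legacy.example.com\n    IdentityAgent none\n"
    "Host *.example.com\n    IdentityAgent ~/.gnupg/S.gpg-agent.ssh\n"
    "Host *\n    IdentityAgent SSH_AUTH_SOCK\n"
)
DOCK_ENV = {"SSH_AUTH_SOCK": "/tmp/launchd-constructed/Listeners"}
```

A mismatch for a host means the hardware-backed key behind gpg-agent is not offered to the server by the environment-only client, which matches the password prompt reported in the thread.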