Public key authentication using SSH agent

[cyberduck]

anonymous created the issue

It would be a quite nice and useful enhancement if SSH public key authentification would
use a running SSH agent.

Pointer to OpenSSH code: authfd.c

---

Attachments

• ,ssh-agent.1.diff (176.4 KiB)

[cyberduck]

03c71ae commented

I second this, it seems natural to be able to SSH Agent to connect to SFTP, but Cyberduck can't do it (yet? =), is there a timeline for getting this feature working (is the 2.6 milestone realistic, and if it is is there a target date for the 2.6 release?)

Thanks

[cyberduck]

1580cdf commented

I'm new to Cyberduck, but this was the first option I searched... :)

If this is planned for a future version, great! It would be nice to work with some of the GUI ssh-agent interfaces like SSHKeychain for example.

It should be easy enough: SSHKeychain places the ssh-agent pipe in a specific place, easy to find.

Thanks,

[cyberduck]

kL commented

I'm actually having trouble with running shell ssh-agent and I like that CyberDuck allows me to choose the right key. I'd like old behavior kept, even if external agent is supported.

[cyberduck]

9e51f13 commented

i second that wish. it seems wasteful and potentially insecure having to save the credentials in the keychain when there is a ssh-agent running.

[cyberduck]

e764e3e commented

I second (third? fourth?) that wish. SSHKeychain is too useful to be ignored by cyberduck. (:

[cyberduck]

03c71ae commented

I'd like to clarify/stress the point that we're not even talking about support for a specific app (ie. SSHKeychain) .. but for the openssh key agent support, which is a much more open interface, and is the standard for holding onto ssh keys

[cyberduck]

e764e3e commented

Piotr: you're right, sorry for bringing a specific app into the discussion; it just happens to be what I use.

[cyberduck]

anonymous commented

I also agree that ssh-agent support, no matter what other apps may be involved to help manage it, is important. Fugu does this well but Cyberduck doesn't, and it feels like a race between it and Fetch to get there first.

[cyberduck]

anonymous commented

mod up

[cyberduck]

aad5ed5 commented

bump.

please! =]

[cyberduck]

e764e3e commented

I have code that integrates the sshtools.com agent code into cyberduck, adds unix domain socket via jbuds (see freshmeat.net) for local ssh agent connections, and defaults to trying the agent first.

So far, it's looking pretty good: trying to use the agent and falls back to asking for a passphrase if the agent fails.

The problem is that the sshtools.com agent code isn't working. The primary reason for this is that the sshtools.com agent code does not speak the openssh authentication protocol, which is used by many agents, instead speaking only ssh.com's agent protocol. After I discovered this, I gave up; but I believe the code can still be put to use by somebody who is willing to invest an afternoon or so, and implements the auth agent protocol correctly.

openssh's code is a good reference for that. I suggest starting with authfd.c and authfd.h. You'll have to rewrite a few of the java message classes, and several methods in SshAgentClient.java. I've started already by assigning the correct message number to SshAgentFailure (5 instead of 102) (-:

There are also a few UI things left to iron out: maybe include an "I want to use the agent" checkbox, and if the agent isn't unlocked, ask for the passphrase.

I'm attaching my diff against current svn (hope that this works for you, I'm a total xcode newbie). To whomever will finally implement this: You have my gratitude and respect.

[cyberduck]

03c71ae commented

Has anyone considered borrowing the ssh agent implementation from Fugu? it is open source and BSD licencened .. I'm sure they wouldn't mind sharing the ssh agent integration.

Just a thought

[cyberduck]

e764e3e commented

The reason for not using fugu's ssh agent code is that fugu is written in objective C and uses the openssh binary tools directly, and most of cyberduck is written in java, including its own ssh client in java (called j2ssh, from sshtools.com). That means you'd either have to dump & re-write the entire ssh/sftp backend (not so pleasant, IMHO), or try to come up with an ssh agent client in java that works with the existing j2ssh code.

[cyberduck]

03c71ae commented

Ah .. I see .. thanks for the clarification .. I sort of assumed CD would have been written in Objective C

[cyberduck]

0302cb0 commented

I think rewriting it in objective c while borrowing as much as possible from fugu is the best way to go. The current implementation is rather clunky ><. Fugu is a speed daemon compared to cyberduck when it comes to SSH/SFTP transfers.

Maybe we need a fundraising drive or something like wikipedia does. David and the other developers might be more receptive to changing things over to objective c, if the community could come up with a 20K.