Public key authentication using SSH agent #12024
Comments
I second this, it seems natural to be able to use SSH Agent to connect to SFTP, but Cyberduck can't do it (yet? =). Is there a timeline for getting this feature working (is the 2.6 milestone realistic, and if it is, is there a target date for the 2.6 release?) Thanks |
I'm new to Cyberduck, but this was the first option I searched... :) If this is planned for a future version, great! It would be nice to work with some of the GUI ssh-agent interfaces like SSHKeychain for example. It should be easy enough: SSHKeychain places the ssh-agent pipe in a specific place, easy to find. Thanks, |
I'm actually having trouble with running shell ssh-agent and I like that CyberDuck allows me to choose the right key. I'd like old behavior kept, even if external agent is supported. |
I second that wish. It seems wasteful and potentially insecure having to save the credentials in the keychain when there is an ssh-agent running. |
I second (third? fourth?) that wish. SSHKeychain is too useful to be ignored by cyberduck. (: |
I'd like to clarify/stress the point that we're not even talking about support for a specific app (i.e. SSHKeychain), but for the openssh key agent support, which is a much more open interface, and is the standard for holding onto ssh keys. |
Piotr: you're right, sorry for bringing a specific app into the discussion; it just happens to be what I use. |
I also agree that ssh-agent support, no matter what other apps may be involved to help manage it, is important. Fugu does this well but Cyberduck doesn't, and it feels like a race between it and Fetch to get there first. |
mod up |
bump. please! =] |
I have code that integrates the sshtools.com agent code into cyberduck, adds unix domain socket via jbuds (see freshmeat.net) for local ssh agent connections, and defaults to trying the agent first. So far, it's looking pretty good: it tries to use the agent and falls back to asking for a passphrase if the agent fails. The problem is that the sshtools.com agent code isn't working. The primary reason for this is that the sshtools.com agent code does not speak the openssh authentication protocol, which is used by many agents, instead speaking only ssh.com's agent protocol. After I discovered this, I gave up; but I believe the code can still be put to use by somebody who is willing to invest an afternoon or so and implement the auth agent protocol correctly. openssh's code is a good reference for that. I suggest starting with authfd.c and authfd.h. You'll have to rewrite a few of the java message classes, and several methods in SshAgentClient.java. I've started already by assigning the correct message number to SshAgentFailure (5 instead of 102) (-: There are also a few UI things left to iron out: maybe include an "I want to use the agent" checkbox, and if the agent isn't unlocked, ask for the passphrase. I'm attaching my diff against current svn (hope that this works for you, I'm a total xcode newbie). To whomever will finally implement this: You have my gratitude and respect. |
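The OpenSSH agent framing that the comment above points to in authfd.c and authfd.h, as an added example (not code from this thread, Cyberduck, or j2ssh): it builds the identity-list request, parses the reply, and treats message number 5 as the agent's failure answer. The function names and the `MAX_REPLY` cap are assumptions of this sketch.

```python
import os
import socket
import struct

# Message numbers as defined in OpenSSH's authfd.h.
SSH_AGENT_FAILURE = 5
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
MAX_REPLY = 256 * 1024  # assumed sanity cap, not a protocol constant

def frame(payload):
    """Agent messages and strings are a uint32 big-endian length + bytes."""
    return struct.pack(">I", len(payload)) + payload

def read_string(buf, off):
    """Read one length-prefixed string; reject lengths past the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string overruns message")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities(payload):
    """Return [(key_blob, comment)]; SSH_AGENT_FAILURE gives []."""
    if payload[:1] == bytes([SSH_AGENT_FAILURE]):
        return []
    if len(payload) < 5 or payload[0] != SSH2_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply")
    (count,) = struct.unpack_from(">I", payload, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(payload, off)
        comment, off = read_string(payload, off)
        keys.append((blob, comment.decode("utf-8", "replace")))
    return keys

def list_agent_keys(path=None):
    """Ask the agent listening on SSH_AUTH_SOCK which keys it holds."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path or os.environ["SSH_AUTH_SOCK"])
        s.sendall(frame(bytes([SSH2_AGENTC_REQUEST_IDENTITIES])))
        with s.makefile("rb") as reader:
            header = reader.read(4)
            if len(header) != 4:
                raise ConnectionError("agent closed the socket")
            (n,) = struct.unpack(">I", header)
            if n > MAX_REPLY:
                raise ValueError("reply too large")
            return parse_identities(reader.read(n))
```

An empty list from `list_agent_keys()` is the point at which a client would fall back to prompting for a passphrase; a reply type such as 102 is rejected rather than read as a failure.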
Has anyone considered borrowing the ssh agent implementation from Fugu? It is open source and BSD licensed .. I'm sure they wouldn't mind sharing the ssh agent integration. Just a thought |
The reason for not using fugu's ssh agent code is that fugu is written in objective C and uses the openssh binary tools directly, and most of cyberduck is written in java, including its own ssh client in java (called j2ssh, from sshtools.com). That means you'd either have to dump & re-write the entire ssh/sftp backend (not so pleasant, IMHO), or try to come up with an ssh agent client in java that works with the existing j2ssh code. |
Ah .. I see .. thanks for the clarification .. I sort of assumed CD would have been written in Objective C |
I think rewriting it in objective c while borrowing as much as possible from fugu is the best way to go. The current implementation is rather clunky ><. Fugu is a speed daemon compared to cyberduck when it comes to SSH/SFTP transfers. Maybe we need a fundraising drive or something like wikipedia does. David and the other developers might be more receptive to changing things over to objective c, if the community could come up with a 20K. |
Hi there cyberduck, I just tried to use this feature on version 4.5.2 (website download, not MAS release). It didn't work, but I didn't see any UI that exposed it, so I'm not sure how to tell if I'm doing it right. How is one supposed to set up agent authentication? -glyph |
Documentation forthcoming in Public key authentication using SSH agent. |
Thanks for adding the documentation! That is indeed what I expected to happen; my keys are in my agent, my command-line 'ssh' connections work, I didn't enter a password, but Cyberduck still prompts me for a password or public key. Do I need to create a bookmark first for this to work? |
Replying to [comment:29 glyph lefkowitz]:
Please update to the latest snapshot build available. |
Replying to [comment:31 dkocher]:
I tried updating to a snapshot build and it didn't help. The problem appears to be with the case where the host is not initially known; in that case, if I accept and do not check "always", it doesn't check my authentication agent. For some reason even though I have set HashKnownHosts no in my SSH config (to play better with bash hostname completion), CyberDuck can only use hashed hostnames, so I was not accepting the host key persistently while I was looking for that setting. |
It would be quite a nice and useful enhancement if SSH public key authentication would use a running SSH agent.
Pointer to OpenSSH code: authfd.c
Attachments
ssh-agent.1.diff (176.4 KiB)