SecurID

[cyberduck]

8c1c6c1 created the issue

Hi,
Would it be possible to support access to servers that need an authentification key/passcode that is generated by a dongle? I am using an RSA SecurID generator.
Thanks!

[cyberduck]

anonymous commented

I'm looking for this feature as well. WinSCP supports this but is not available for OSX. I have yet to find a solution.

[cyberduck]

@ylangisc commented

Challenge-Response authentication schemes like SecurID should already be supported. Due to the lack of a SecurID infrastructure this feature is completely untested though. While authenticating I would expect a login popup where you can enter the current SecurID code.

In order to properly implement this feature we are dependent on your help. Could you please try to connect to a SecureID enabled server and let me know what happened.

[cyberduck]

8c1c6c1 commented

I enter my username and password, but no login popup for the SecurID code occurs. Unfortunately, I have no clue on where the problem is located.

[cyberduck]

@dkocher commented

Replying to [comment:3 fmueller@…]:

I enter my username and password, but no login popup for the SecurID code occurs. Unfortunately, I have no clue on where the problem is located.
This sounds like we would need to support authentication with username and password followed by the keyboard-interactive authentication for the SecurID. Such a scenario is not currently supported as the authentication schemes are implemented mutually exclusive. It is however possible to ask for remaining authentication methods and if the authentication is complete for a SSH session which is what we should do.

[cyberduck]

@ylangisc commented

How is the password like you are entering? Normally SecurID-based authentication requires you to enter the so-called passcode (=PIN + Tokencode (concatenate both)). Please try to enter this passcode into the password field. In a SSH environment the authentication process might be different though but it's worth a try.

[cyberduck]

8c1c6c1 commented

usually, if I log in via ssh on a shell I connect with:
ssh USERNAME@SERVER
Then I am asked for my passWORD (some character-number-string) which I enter. Subsequently I am asked for the passCODE (which is a generated 6 digit number). The expected behavior of Cyberduck would be that I enter my username and password and subsequently a window pops up where I enter my passCODE.
I tried entering either the password or passcode or concatenate the two in the authentication window of cyberduck but none of these options worked

[cyberduck]

@dkocher commented

Proposed fix in 4f87653. Please test with the nightly build to be made available shortly.

[cyberduck]

@ylangisc commented

Nightly build is ready.

[cyberduck]

anonymous commented

I tried the nightly builds 5961 and 5692. Still no popup-window.

[cyberduck]

@dkocher commented

Replying to [comment:9 anonymous]:

I tried the nightly builds 5961 and 5692. Still no popup-window.
Is that server publicly reachable to let us debug the issue?

[cyberduck]

anonymous commented

well the server is called odyssey.fas.harvard.edu.
I cannot give out a username or password of course, but if you try to login as any user it should ask you for a password and later for a token/passcode, too. You just cannot get onto the server.

[cyberduck]

@dkocher commented

Replying to [comment:11 anonymous]:

well the server is called odyssey.fas.harvard.edu.
I cannot give out a username or password of course, but if you try to login as any user it should ask you for a password and later for a token/passcode, too. You just cannot get onto the server.

I don't get a partial authentication success with arbitrary credentials, so this does not help with testing. I have made another change in c8e8547 which might make it work, tough.

[cyberduck]

@ylangisc commented

A new nightly build with c8e8547 is ready.

[cyberduck]

@ylangisc commented

Client-side command line transcript:

...
debug1: Authentications that can continue: password,keyboard-interactive
debug3: start over, passed a different list password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: 
debug3: packet_send2: adding 32 (len 17 padlen 15 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Enter PASSCODE:
debug3: packet_send2: adding 32 (len 15 padlen 17 extra_pad 64)
debug1: Authentications that can continue: password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: 
...

[cyberduck]

8c1c6c1 commented

Nightly Build 5970 does not fix the problem for me. are the changes you just posted already implemented in this version?