Resolve #13935.

iterate-ch · Dec 6, 2022 · c5a5b0e · c5a5b0e
1 parent b13aeab
commit c5a5b0e
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 29 deletions.
diff --git a/ssh/src/main/java/ch/cyberduck/core/sftp/SFTPSession.java b/ssh/src/main/java/ch/cyberduck/core/sftp/SFTPSession.java
@@ -25,7 +25,6 @@
 import ch.cyberduck.core.exception.ConnectionCanceledException;
 import ch.cyberduck.core.exception.ConnectionRefusedException;
 import ch.cyberduck.core.exception.InteroperabilityException;
-import ch.cyberduck.core.exception.LocalAccessDeniedException;
 import ch.cyberduck.core.exception.LoginCanceledException;
 import ch.cyberduck.core.exception.LoginFailureException;
 import ch.cyberduck.core.features.*;
@@ -41,7 +40,6 @@
 import ch.cyberduck.core.sftp.openssh.OpenSSHAgentAuthenticator;
 import ch.cyberduck.core.sftp.openssh.OpenSSHCredentialsConfigurator;
 import ch.cyberduck.core.sftp.openssh.OpenSSHHostnameConfigurator;
-import ch.cyberduck.core.sftp.openssh.OpenSSHIdentitiesOnlyConfigurator;
 import ch.cyberduck.core.sftp.openssh.OpenSSHIdentityAgentConfigurator;
 import ch.cyberduck.core.sftp.openssh.OpenSSHJumpHostConfigurator;
 import ch.cyberduck.core.sftp.openssh.OpenSSHPreferredAuthenticationsConfigurator;
@@ -277,30 +275,25 @@ private void authenticate(final SSHClient client, final Host host, final LoginCa
         // Ordered list of preferred authentication methods
         final List<AuthenticationProvider<Boolean>> defaultMethods = new ArrayList<>();
         if(preferences.getBoolean("ssh.authentication.agent.enable")) {
-            if(new OpenSSHIdentitiesOnlyConfigurator().isIdentitiesOnly(host.getHostname())) {
-                log.warn("Skip reading keys from SSH agent with IdentitiesOnly configuration");
-            }
-            else {
-                switch(Factory.Platform.getDefault()) {
-                    case windows:
-                        defaultMethods.add(new SFTPAgentAuthentication(client, new PageantAuthenticator()));
-                        try {
-                            defaultMethods.add(new SFTPAgentAuthentication(client, new WindowsOpenSSHAgentAuthenticator()));
-                        }
-                        catch(AgentProxyException e) {
-                            log.warn(String.format("Agent proxy failed with %s", e));
-                        }
-                        break;
-                    default:
-                        try {
-                            defaultMethods.add(new SFTPAgentAuthentication(client, new OpenSSHAgentAuthenticator(
-                                    new OpenSSHIdentityAgentConfigurator().getIdentityAgent(host.getHostname()))));
-                        }
-                        catch(AgentProxyException e) {
-                            log.warn(String.format("Agent proxy failed with %s", e));
-                        }
-                        break;
-                }
+            switch(Factory.Platform.getDefault()) {
+                case windows:
+                    defaultMethods.add(new SFTPAgentAuthentication(client, new PageantAuthenticator()));
+                    try {
+                        defaultMethods.add(new SFTPAgentAuthentication(client, new WindowsOpenSSHAgentAuthenticator()));
+                    }
+                    catch(AgentProxyException e) {
+                        log.warn(String.format("Agent proxy failed with %s", e));
+                    }
+                    break;
+                default:
+                    try {
+                        defaultMethods.add(new SFTPAgentAuthentication(client, new OpenSSHAgentAuthenticator(
+                                new OpenSSHIdentityAgentConfigurator().getIdentityAgent(host.getHostname()))));
+                    }
+                    catch(AgentProxyException e) {
+                        log.warn(String.format("Agent proxy failed with %s", e));
+                    }
+                    break;
             }
         }
         defaultMethods.add(new SFTPPublicKeyAuthentication(client));

diff --git a/ssh/src/main/java/ch/cyberduck/core/sftp/auth/SFTPAgentAuthentication.java b/ssh/src/main/java/ch/cyberduck/core/sftp/auth/SFTPAgentAuthentication.java
@@ -23,11 +23,16 @@
 import ch.cyberduck.core.LoginCallback;
 import ch.cyberduck.core.exception.BackgroundException;
 import ch.cyberduck.core.sftp.SFTPExceptionMappingService;
+import ch.cyberduck.core.sftp.openssh.OpenSSHCredentialsConfigurator;
+import ch.cyberduck.core.sftp.openssh.OpenSSHIdentitiesOnlyConfigurator;
 import ch.cyberduck.core.threading.CancelCallback;
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 import java.util.Collection;
 import java.util.Collections;
@@ -36,6 +41,7 @@
 import com.jcraft.jsch.agentproxy.sshj.AuthAgent;
 import net.schmizz.sshj.SSHClient;
 import net.schmizz.sshj.common.Buffer;
+import net.schmizz.sshj.common.IOUtils;
 import net.schmizz.sshj.transport.TransportException;
 import net.schmizz.sshj.userauth.UserAuthException;
 
@@ -51,12 +57,37 @@ public SFTPAgentAuthentication(final SSHClient client, final AgentAuthenticator
     }
 
     @Override
-    public Boolean authenticate(final Host bookmark, final LoginCallback prompt, final CancelCallback cancel)
-            throws BackgroundException {
+    public Boolean authenticate(final Host bookmark, final LoginCallback prompt, final CancelCallback cancel) throws BackgroundException {
         if(log.isDebugEnabled()) {
             log.debug(String.format("Login using agent %s for %s", agent, bookmark));
         }
-        for(Identity identity : this.filter(bookmark.getCredentials(), agent.getIdentities())) {
+        final Collection<Identity> identities;
+        if(new OpenSSHIdentitiesOnlyConfigurator().isIdentitiesOnly(bookmark.getHostname())) {
+            final Credentials configuration = new OpenSSHCredentialsConfigurator().configure(bookmark);
+            if(configuration.isPublicKeyAuthentication()) {
+                try {
+                    final Local identity = configuration.getIdentity();
+                    if(log.isWarnEnabled()) {
+                        log.warn(String.format("Only read specific key %s from SSH agent with IdentitiesOnly configuration", identity));
+                    }
+                    final InputStream in = identity.getInputStream();
+                    final ByteArrayOutputStream out = IOUtils.readFully(in);
+                    final byte[] blob = out.toByteArray();
+                    identities = Collections.singletonList(new Identity(blob, blob));
+                }
+                catch(IOException e) {
+                    throw new DefaultIOExceptionMappingService().map(e);
+                }
+            }
+            else {
+                log.warn(String.format("Missing IdentityFile configuration for %s", bookmark));
+                identities = Collections.emptyList();
+            }
+        }
+        else {
+            identities = this.filter(bookmark.getCredentials(), agent.getIdentities());
+        }
+        for(Identity identity : identities) {
             try {
                 client.auth(bookmark.getCredentials().getUsername(), new AuthAgent(agent.getProxy(), identity));
                 // Successfully authenticated