Bill Burcham’s memeRocket

I recently switched from Fugu to Cyberduck. At the time I considered moving to Panic’s Transmit but didn’t see how to get SSH certificate-based authentication to work.

Well, a nice person at Transmit support answered my question. Interestingly, while perhaps a little non-obvious to the SSH-non-initiate, the solution is actually elegant — do nothing. That’s right, Transmit works directly with the ssh command-line infrastructure. This means if you’ve got your identities (keys and certificates) stored in the ~/.ssh directory you’re good to go. Further, if you’re using an SSH Agent (like SSHKeychain) you’ll never even be prompted for a passphrase by Transmit.
While I like Cyberduck a lot, the edge goes to Transmit — even at a cost of $29.95. Here goes:

1. Transmit is snappier. I haven’t measured file transfer speeds, but directory listing and navigation is definitely snappier than Fugu or Cyberduck. I spend a lot of time navigating around remote filesystems and I don’t move a lot of great big files so reponse time for listings is crucial.
2. Transmit can be configured to edit a file on double click. In Cyberduck you have to select the file and hit command-j to edit it — annoying. Of course in any case, the file must be downloaded — but it’s downloaded to some mystery location where you don’t have to worry about cleaning it up.
3. Transmit supports column view (browser view) just like Finder. Cyberduck does offer a contextual view but it’s more of a Windows-style-double-click-a-folder-to-expand-subfolders affair. Not that there’s anything wrong with that.

There are couple shortcomings worth mentioning too:

1. While Transmit offers tab support — innovative among the file transfer clients I’ve looked at — the workflow is a bit clumsy. If you have a configuration saved as a favorite there is no way to quickly and directly open it in a new tab. Instead you must go through four steps. How about an “open favorite in new tab” option in Preferences? Currently you must:
   1. open a new tab (command-t or via File menu)
   2. select the “favorites” tab within that new tab
   3. select the “Favorites” folder
   4. double-click the favorite you want

   On the upside — once you’ve done this once, Transmit remembers that you want the Location tab and the Favorites folder so the middle two steps drop out. Still, one step would be better than two steps.

2. When configuring a new connection for password authentication, Transmit won’t allow paste into password field — you have to type the password from the keyboard. I keep all my credentials in Keychain Access so it’s real easy to get ‘em on the clipboard. Minor one-time annoyance.

All in all I’m enjoying Transmit. It’s been reliable and comfortable. I’m off to pay my $29.95 now…

For those of you who like to keep your hands on the keyboard…

Control-tab will cycle to the next tab to the right (and wrap at the end).

Page-up and Page-down keys can be used to move to adjacent tabs in either direction (again, wrapping is in effect). Control-page-up (control-fn-page-up on laptop keyboards) moves left. Control-page-down (control-fn-page-down) moves right.

One of the things I really like about OS X is the Keychain Access application. Most Mac applications (but not Firefox) that deal with passwords or certificates enlist Keychain Access services. The upshot is that you don’t need to manage a password file yourself, and you don’t need a third-party secure credential management application.

Unless you use ssh on the command line a lot.

Unfortunately, on OS X, the ssh command line tools are not integrated with Keychain Access. This is unfortunate for a couple reasons. First, it means that you have the choice (with the ssh command line tools) to either passphrase protect each key or not. If you decide not to then you expose that key to attack (if someone gets access to your disk).

Now if you do decide to passphrase-protect an ssh key a dilemma arises. You will be prompted for that passphrase each time the key is required for an ssh operation. Every time you ssh to a remote machine, or run scp or sftp, you’ll be prompted. And if you use Subversion over ssh you’ll be prompted (for a passphrase) for each of your remote subversion commands. Ugh.

Until Apple adds direct integration between the ssh command line tools and Keychain Access we have to make due with one of the “ssh agents”. There is a command-line one that ships with OS-X called ssh-agent if you like that sort of thing. I was hoping for a mouse-driven one and went on a little expedition.

The first one I looked at, SSH Agent, is a nice enough Cocoa app but it’s got a fatal flaw. The whole point of this thing is to enable me to avoid entering passphrases. To do that, the app needs to access a passphrase stored in Keychain Access. Well SSH Agent looks like it intends to support that — but unfortunately, the “add to keychain” control is disabled. As a result you have to go to Keychain Access and manually get your passphrase and then paste it into SSH Agent each time you you want to activate an ssh key.

The second Cocoa app I looked at, SSHKeychain fared better in this regard. It integrates nicely with Keychain Access. The interface is a bit quirky but if you follow the directions you should be up in no time. Note that with each of the ssh agents I tested, there were situations where I had to log out (of OS X) and back in to get the ssh command line tools to notice the agent.

Any chance of integrated SSH key management making it into Keychain Access in time for Leopard?