iterate-ch · dkocher · Jun 17, 2024 · May 16, 2024 · May 16, 2024 · May 21, 2024
diff --git a/.gitignore b/.gitignore
@@ -1 +1,5 @@
-_build/
+_build/
+bin
+lib
+lib64
+pyvenv.cfg
diff --git a/protocols/sftp/index.md b/protocols/sftp/index.md
@@ -96,7 +96,21 @@ PuTTY private keys (`.ppk`) are supported for `rsa` key types. `ed25519` is not
 
 #### OpenSSH Key Format Interoperability
 
-OpenSSH private keys of type `rsa`, `dsa`, `ecdsa` and `ed25519` (in OpenSSL`PEM` format) are supported. The new OpenSSH format (`openssh-key-v1`) is only supported for `ecdsa` and `ed25519`.
+OpenSSH private keys of type `rsa`, `dsa`, `ecdsa` and `ed25519` (in OpenSSL `PEM` format) are supported. The new OpenSSH format (`openssh-key-v1`) is only supported for `ecdsa` and `ed25519`.
+
+#### OpenSSH User Certificate Authentication
+
+:::{important}
+* Cyberduck [8.9.0](https://cyberduck.io/changelog/) or later required
+* Mountain Duck [4.16.0](https://mountainduck.io/changelog/) or later required
+
+Applies to SSH servers, which are configured with `TrustedUserCAKeys`, refer to your software vendor for configuration.
+:::
+
+Authentication using User CA signed private keys is supported, as long as both files (the private key, and the certificate file) are present at the same location.
+The certificate file has to be suffixed by either "-cert.pub" or ".pub" to be eligible for authentication. The OpenSSH configuration directive `CertificateFile` is not used.
+
+Pay attention to the server configuration and `PubkeyAcceptedAlgorithms`, which private key algorithms are allowed
 
 #### Configure Public Key Authentication
 
@@ -110,11 +124,6 @@ OpenSSH private keys of type `rsa`, `dsa`, `ecdsa` and `ed25519` (in OpenSSL`PEM
 	```
 3. In the Connection Dialog or the Bookmark editor in Cyberduck select *Use Public Key Authentication* and select the private key in your `.ssh` directory.
 
-
-#### CA signed SSH Certificate Interoperability
-
-*Certification Authority (CA)* sigend SSH certificates are supported for keys of type  `rsa`, `dsa`, `ecdsa`, and `ed25519`.
-
 #### Public Key Authentication Using SSH Agent
 When connecting to a SSH server, Cyberduck will lookup matching private keys from the SSH agent when attempting to authenticate with the server if no password is available and no explicit private key to use is configured in the bookmark.
 
@@ -331,15 +340,23 @@ You can set Cyberduck or a third-party application as the default application (p
 
 ### Signatures
 
-`ssh-rsa`, `ssh-dss`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`, `ssh-ed25519`
+`ssh-rsa`, `ssh-dss`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`, `ssh-ed25519`, `rsa-sha2-256`, `rsa-sha2-512`
+
+With Cyberduck 8.9 and Mountain Duck 4.16, support for
+- `[email protected]`
+- `[email protected]`
+- `[email protected]`
+- `[email protected]`
+- `[email protected]`
+- `[email protected]`
 
 ### Compression
 
 Compression with `zlib` and `[email protected]` is supported.
 
 ### Private Key Files
 
-`pkcs5`, `pkcs8`, `openssh-key-v1`, `[email protected]`, `[email protected]`
+`pkcs5`, `pkcs8`, `openssh-key-v1`
 
 ## Incompatibilities