SSH Authentication Methods

Introduction

The SSH protocol supports a variety of authentication mechanisms. This article describes the authentication methods a user can use to connect to an SFTP server with the .NET Ultimate SFTP Library. There are 5 authentication methods, as shown below.

Authenticate with a password

This is the simplest form of authentication, using the traditional username/password method. Specify the username and password when calling the Authenticate() method. Do not confuse this method with keyboard-interactive authentication. Note that some SFTP servers may be configured to disallow password authentication by default, which will cause the connection attempt to fail.

using System;
using ComponentPro.Net;

...

public void DoConnect()
{
    // Create a new class instance.
    Sftp client = new Sftp();

    client.HostKeyVerifying += HostKeyVerifying;

    // Connect to the SFTP server.
    client.Connect("myserver");

    // Or you can specify the SFTP port with
    // client.Connect("myserver", 22);

    // Authenticate.
    client.Authenticate("userName", "password");

    // Do something here...
    client.DownloadFile("/my remote file.dat", "my local file");

    // Disconnect.
    client.Disconnect();
}

void HostKeyVerifying(object sender, HostKeyVerifyingEventArgs e)
{
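    // Print the key the server presented. Compare it with a value obtained
    // out of band before trusting the server; printing alone verifies nothing.
    Console.WriteLine("Host key: " + e.HostKey);
}

Imports ComponentPro.Net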

...

Public Sub DoConnect()
    ' Create a new class instance.
    Dim client As New Sftp()

    AddHandler client.HostKeyVerifying, AddressOf HostKeyVerifying

    ' Connect to the SFTP server.
    client.Connect("myserver")

    ' Or you can specify the SFTP port with
    ' client.Connect("myserver", 22)

    ' Authenticate.
    client.Authenticate("userName", "password")

    ' Do something here...
    client.DownloadFile("/my remote file.dat", "my local file")

    ' Disconnect.
    client.Disconnect()
End Sub

Private Sub HostKeyVerifying(ByVal sender As Object, ByVal e As HostKeyVerifyingEventArgs)
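    ' Print the key the server presented. Compare it with a value obtained
    ' out of band before trusting the server; printing alone verifies nothing.
    Console.WriteLine("Host key: " & e.HostKey)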
End Sub
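
One way to act on the host key instead of only printing it, as an added example (not ComponentPro's own code). It uses only the calls shown on this page and assumes e.HostKey renders as a stable string; PinnedSftp, PinnedHostKeys, IsPinned and Download are hypothetical names, and the pinned value is a placeholder.

```csharp
using System;
using System.Linq;
using ComponentPro.Net;

public static class PinnedSftp
{
    // Placeholder: replace with the value obtained out of band from the
    // server administrator, in the same format that e.HostKey prints.
    private static readonly string[] PinnedHostKeys = { "<expected-host-key-value>" };

    // Exact, case-sensitive match against the pinned list. A missing value
    // (handler never raised) is treated as a mismatch, so the check fails closed.
    public static bool IsPinned(string presented)
    {
        if (string.IsNullOrWhiteSpace(presented)) return false;
        string p = presented.Trim();
        return PinnedHostKeys.Any(pin => string.Equals(pin, p, StringComparison.Ordinal));
    }

    public static void Download(string host, string user, string password)
    {
        string presented = null;
        using (Sftp client = new Sftp())
        {
            // Capture what the server presented while connecting.
            // Assumption: converting e.HostKey to a string yields a stable value.
            client.HostKeyVerifying += (sender, e) => presented = Convert.ToString(e.HostKey);

            client.Connect(host);

            // Never send a credential to a server whose key is not pinned.
            if (!IsPinned(presented))
            {
                client.Disconnect();
                throw new InvalidOperationException(
                    "Host key mismatch for " + host + ": " + presented);
            }

            client.Authenticate(user, password);
            client.DownloadFile("/my remote file.dat", "my local file");
            client.Disconnect();
        }
    }
}
```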

Authenticate with a key

This method authenticates with a public/private key pair. It is more secure and more flexible. The SFTP client identifies itself to the server by using a public/private key pair. The client has to generate the key pair on its own computer and keep the private key secret. Prior to connection, the public key must first be uploaded and registered on the SFTP server. To authenticate using your private key, simply call the Authenticate method with the SecureShellPrivateKey object created from the provided name of the private key and its passphrase.

using ComponentPro.Net;

...

// Create a new class instance.
Sftp client = new Sftp();

// Connect to the SFTP server.
client.Connect("myserver", 22);

// Authenticate user with a private key.
client.Authenticate("userName", "c:\\privateKey.key", "pkeypassword");

// It's possible to use both username/password and private key to authenticate.
// client.Authenticate("userName", "password", "c:\\privateKey.key", "pkeypassword");

// Do something here...
client.DownloadFile("/my remote file.dat", "my local file");

// Disconnect.
client.Disconnect();

Imports ComponentPro.Net

...

' Create a new class instance.
Dim client As New Sftp()

' Connect to the SFTP server.
client.Connect("myserver", 22)

' Authenticate user with a private key.
client.Authenticate("userName", "c:\privateKey.key", "pkeypassword")

' It's possible to use both username/password and private key to authenticate.
' client.Authenticate("userName", "password", "c:\privateKey.key", "pkeypassword")

' Do something here...
client.DownloadFile("/my remote file.dat", "my local file")

' Disconnect.
client.Disconnect()

Authenticate with keyboard-interactive authentication

In most cases, password authentication will take care of servers that use a keyboard-interactive authentication method. However, some SSH servers require interactive authentication to authenticate the user. When the server uses interactive authentication to ask non-trivial questions, register a KeyboardInteractiveAuthentication event handler both to be notified of them and to answer them.

using System;
using ComponentPro.Net;

...

public void DoConnect()
{
    // Create a new class instance.
    Sftp client = new Sftp();

    // Connect to the SFTP server.
    client.Connect("myserver");

    // Or you can specify the SFTP port with
    // client.Connect("myserver", 22);

    // Authenticate.
    client.Authenticate("userName", "password", KeyboardInteractiveAuthenticationHandler);

    // Do something here...
    client.DownloadFile("/my remote file.dat", "my local file");

    // Disconnect.
    client.Disconnect();
}

private void KeyboardInteractiveAuthenticationHandler(object sender, KeyboardInteractiveAuthenticationEventArgs e)
{
    // If we have a request
    if (e.Requests.Count > 0)
    {
        // If the first request is the string "Password: ".
        if (string.Compare(e.Requests[0].Prompt, "Password: ", StringComparison.InvariantCultureIgnoreCase) == 0)
        {
            // We provide password as the response
            e.Requests[0].Response = "mypass";
        }
    }
}

Imports ComponentPro.Net

...

Public Sub DoConnect()
    ' Create a new class instance.
    Dim client As New Sftp()

    ' Connect to the SFTP server.
    client.Connect("myserver")

    ' Or you can specify the SFTP port with
    ' client.Connect("myserver", 22)

    ' Authenticate.
    client.Authenticate("userName", "password", AddressOf KeyboardInteractiveAuthenticationHandler)

    ' Do something here...
    client.DownloadFile("/my remote file.dat", "my local file")

    ' Disconnect.
    client.Disconnect()
End Sub

Private Sub KeyboardInteractiveAuthenticationHandler(ByVal sender As Object, ByVal e As KeyboardInteractiveAuthenticationEventArgs)
    ' If we have a request
    If e.Requests.Count > 0 Then
        ' If the first request is the string "Password: ".
        If String.Compare(e.Requests(0).Prompt, "Password: ", StringComparison.InvariantCultureIgnoreCase) = 0 Then
            ' We provide password as the response
            e.Requests(0).Response = "mypass"
        End If
    End If
End Sub
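
A handler that walks every prompt the server sends, not just the first, and answers only prompts on an allow-list, as an added example rather than ComponentPro's own code. It uses only the e.Requests, Prompt and Response members shown above; PromptResponder, Allow, Resolve, Unanswered and the environment variable names in the usage comment are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using ComponentPro.Net;

public class PromptResponder
{
    // Canonical prompt text -> supplier that fetches the answer when asked,
    // so no secret has to be hardcoded in the handler.
    private readonly Dictionary<string, Func<string>> _answers =
        new Dictionary<string, Func<string>>(StringComparer.OrdinalIgnoreCase);

    // Prompts that were not on the allow-list; log or inspect after a failure.
    public List<string> Unanswered { get; } = new List<string>();

    // "Password: " and "password:" both canonicalize to "Password".
    public static string Canonical(string prompt) =>
        (prompt ?? "").Trim().TrimEnd(':').TrimEnd();

    public void Allow(string prompt, Func<string> supplier) =>
        _answers[Canonical(prompt)] = supplier;

    // Returns the answer for an allow-listed prompt, or null for anything else,
    // so an unexpected prompt never receives the password.
    public string Resolve(string prompt)
    {
        Func<string> supplier;
        if (_answers.TryGetValue(Canonical(prompt), out supplier)) return supplier();
        Unanswered.Add(prompt);
        return null;
    }

    // Same signature as KeyboardInteractiveAuthenticationHandler on this page.
    public void Handle(object sender, KeyboardInteractiveAuthenticationEventArgs e)
    {
        for (int i = 0; i < e.Requests.Count; i++)
        {
            string answer = Resolve(e.Requests[i].Prompt);
            if (answer != null) e.Requests[i].Response = answer;
        }
    }
}

// Usage (prompt texts and variable names are assumptions):
//   var responder = new PromptResponder();
//   responder.Allow("Password: ", () => Environment.GetEnvironmentVariable("SFTP_PASSWORD"));
//   responder.Allow("Verification code: ", () => Environment.GetEnvironmentVariable("SFTP_OTP"));
//   client.Authenticate("userName", "password", responder.Handle);
```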

Authenticate with Kerberos

If the server supports Kerberos authentication, it is possible to use the GSSAPI Kerberos v5 authentication mechanism. The following Kerberos authentication methods can be enabled:

With single sign-on

// Create a new class instance.
using (Sftp client = new Sftp())
{
    // Connect to the SFTP server.
    client.Connect("myserver");

    // Initialize GSSAPI for Kerberos single sign-on
    SecureShellGssApiCredentials credentials = new SecureShellGssApiCredentials();
    credentials.SetMechanisms(SecureShellGssApiMechanisms.KerberosV5);

    // Log in using Kerberos single sign-on
    client.Authenticate(credentials);

    // ...
}

' Create a new class instance.
Using client As New Sftp()
    ' Connect to the SFTP server.
    client.Connect("myserver")

    ' Initialize GSSAPI for Kerberos single sign-on
    Dim credentials As New SecureShellGssApiCredentials()
    credentials.SetMechanisms(SecureShellGssApiMechanisms.KerberosV5)

    ' Log in using Kerberos single sign-on
    client.Authenticate(credentials)

    ' ...
End Using

With username/password/domain

// Create a new class instance.
using (Sftp client = new Sftp())
{
    // Connect to the SFTP server.
    client.Connect("myserver");

    // Initialize GSSAPI for Kerberos with an explicit username, password and domain
    SecureShellGssApiCredentials credentials = new SecureShellGssApiCredentials(authUsername, authApiPassword, authDomain);
    credentials.SetMechanisms(SecureShellGssApiMechanisms.KerberosV5);

    // Log in using Kerberos
    client.Authenticate(credentials);

    // ...
}

' Create a new class instance.
Using client As New Sftp()
    ' Connect to the SFTP server.
    client.Connect("myserver")

    ' Initialize GSSAPI for Kerberos with an explicit username, password and domain
    Dim credentials As New SecureShellGssApiCredentials(authUsername, authApiPassword, authDomain)
    credentials.SetMechanisms(SecureShellGssApiMechanisms.KerberosV5)

    ' Log in using Kerberos
    client.Authenticate(credentials)

    ' ...
End Using

Note: Kerberos is only supported on Windows platforms. However, it's possible to authenticate Windows-based clients to Unix-based servers using Kerberos.

Authenticate with NTLM

If the server supports NTLM authentication, it is possible to use the GSSAPI NTLM authentication mechanism.

Note: NTLM is only supported on Windows platforms.
