SSH Authentication


Introduction

The SSH protocol supports a variety of authentication mechanisms. This article will discuss the various Client Authentication mechanisms, as well as the mechanism for verifying the server's authenticity.

Contents

  1. Client Authentication
  2. Server Host Key Authentication

Client Authentication

Client Side consists of three authentication methods.

Password Authentication

By default, the SSH components will attempt to use Password Authentication when authenticating to the server. The username and password to be used for authentication should be specified in the SSHUser and SSHPassword properties respectively. This authentication method should not be confused with Keyboard Authentication.

sftp.SSHUser = "test";
sftp.SSHPassword = "password";
sftp.SSHPort = 22;
sftp.SSHHost = "SSHHost";
sftp.Config("SSHAcceptServerHostKeyFingerPrint=6a:d3:65:96:d1:9f:9d:f9:57:4e:6b:3b:11:57:5a:15");
sftp.SSHLogon(sftp.SSHHost, sftp.SSHPort);
Console.WriteLine("Authenticated");
sftp.SSHLogoff();

Public Key Authentication

In addition to password authentication, the SSH components can also be configured to perform Public Key Authentication. Typically considered more secure than Password Authentication, Public Key Authentication requires the use of a Private Key that is specified in the SSHCert property of the component. The SSH server will need to be configured with the corresponding Public Key to allow authentication.

Please see below for an example of specifying a private key in PEM Format:

sftp.SSHUser = "test";
sftp.SSHCert = new Certificate(CertStoreTypes.cstPEMKeyFile, "..\\..\\files\\server_cert.pem", "test", "*");
sftp.SSHAuthMode = SftpSSHAuthModes.amPublicKey;
sftp.SSHPort = 22;
sftp.SSHHost = "SSHHost";
sftp.Config("SSHAcceptServerHostKeyFingerPrint=6a:d3:65:96:d1:9f:9d:f9:57:4e:6b:3b:11:57:5a:15");
sftp.SSHLogon(sftp.SSHHost, sftp.SSHPort);
Console.WriteLine("Authenticated");
sftp.SSHLogoff();

Keyboard Interactive Authentication

In Version 9 of the toolkit we have introduced support for Keyboard Interactive authentication. To use this form of authentication you'll need to set the SSHAuthMode property to amKeyboardInteractive and make use of the new SSHKeyboardInteractive event. For instance:

sftp.SSHUser = "test";
sftp.SSHAuthMode = SftpSSHAuthModes.amKeyboardInteractive;
sftp.SSHPort = 22;
sftp.SSHHost = "SSHHost";
sftp.Config("SSHAcceptServerHostKeyFingerPrint=6a:d3:65:96:d1:9f:9d:f9:57:4e:6b:3b:11:57:5a:15");
sftp.OnSSHKeyboardInteractive += new Sftp.OnSSHKeyboardInteractiveHandler(delegate(object sender, SftpSSHKeyboardInteractiveEventArgs e)
{
	if (e.Prompt == "Password: ")
		e.Response = "password";
});
sftp.SSHLogon(sftp.SSHHost, sftp.SSHPort);
Console.WriteLine("Authenticated");
sftp.SSHLogoff();

The Response field should be assigned with the value that you want to respond to the prompt with. In the case where the Prompt field is an empty string you may check the Instructions field to obtain informational messages sent by the server.

Multi-step Authentication

In order to use the Multi Factor Authentication the SSHAuthMode should be set to amMultiFactor

sftp.SSHUser = "test";
sftp.SSHPassword = "test";
sftp.SSHCert = new Certificate(CertStoreTypes.cstPEMKeyFile, "..\\..\\files\\test.pem", "test", "*");
sftp.SSHAuthMode = SftpSSHAuthModes.amMultiFactor;
sftp.SSHPort = 22;
sftp.SSHHost = "SSHHost";
sftp.Config("SSHAcceptServerHostKeyFingerPrint=6a:d3:65:96:d1:9f:9d:f9:57:4e:6b:3b:11:57:5a:15");
sftp.SSHLogon(sftp.SSHHost, sftp.SSHPort);
Console.WriteLine("Authenticated");
sftp.SSHLogoff();

Server Host Key Authentication

When establishing an SSH connection, the server always presents a key to the connecting client. This key is used to verify the identity of the SSH server. If the key is not already trusted then you will see the error, "Server's host key has been rejected by user". In order to resolve this error, you can instruct the component to manually accept the key by one of the following methods:

  1. Set the SSHAcceptServerHostKey property to public key.
    sftp.SSHAcceptServerHostKey = new Certificate(CertStoreTypes.cstSSHPublicKey, myHostKeyB, "", "");
    //Where myHostKeyB is a byte array containing the host key
    //obtained from SSHServerAuthentication event or from the server administrator.
  2. Accept the key via the SSHServerAuthentication event.
    static void Sftp_OnSSHServerAuthentication(object sender, SftpSSHServerAuthenticationEventArgs e) {
      e.Accept = true
    }
  3. Set the SSHAcceptServerHostKeyFingerPrint configuration setting.
    sftp.Config("SSHAcceptServerHostKeyFingerPrint=6a:d3:65:96:d1:9f:9d:f9:57:4e:6b:3b:11:57:5a:15");
  4. Set the SSHAcceptAnyServerHostKey configuration setting.
    sftp.Config("SSHAcceptAnyServerHostKey=true");


We appreciate your feedback.  If you have any questions, comments, or suggestions about this article please contact our support team at kb@nsoftware.com.