Discuss this help topic in SecureBlackbox Forum

Set authentication properties

SSH supports the following authentication types:

  • Public key authentication (the main method; every SSH implementation is required to support it)
  • Password authentication
  • Host-based authentication
  • Keyboard-interactive authentication
  • X.509 authentication
  • OpenPGP authentication

SecureBlackbox SSH/SFTP client components support all of these methods. To specify which methods should be used, set the AuthenticationTypes property of the corresponding SSH/SFTP component. More than one method can be enabled at once; the client then tries the enabled methods that the server also accepts, one after another, until one succeeds.

Client authentication

Public key authentication

Public key authentication is the only method that every SSH implementation (both client and server) is required to support. It expects each client to have a key pair, i.e. a public and a private key generated with an asymmetric algorithm such as RSA or DSA. The client first offers its public key to the server. If the server finds the key in its list of keys allowed for that user, the client signs a data block with its private key (the block includes the session identifier, so a captured signature cannot be replayed in another session) and sends the signature to the server together with the public key. The server verifies the signature with the public key; the private key itself never leaves the client.

In SSH/SFTP client components, public key authentication is done using the TElSSHMemoryKeyStorage class, a storage for keys represented by the TElSSHKey class. The application should load a key that contains both the public and the private part into the storage and attach the storage to TElSSHClient (or another SSH/SFTP component) via the component's KeyStorage property.

Password authentication

This is the simplest form of authentication. The user supplies a username (on Unix/Linux systems this is usually the system account name as listed in /etc/passwd) and the corresponding password, so only one set of credentials is needed. The password travels to the server inside the encrypted SSH transport; it is therefore only as safe as the check of the server's host key that precedes authentication, because an impersonating server would receive it in clear.

In SSH/SFTP client components password-based authentication is supported via UserName and Password properties.

Note: if you are sure the password is valid and still get an Authentication Failed error, a likely cause is that the server does not accept password authentication and offers keyboard-interactive authentication instead (many servers are configured this way). Enable keyboard-interactive authentication in AuthenticationTypes as well.

Host-based authentication

Host-based authentication authenticates the client host rather than the individual user: the request is signed with the private host key of the client machine, and the server maintains a list of trusted hosts together with their public host keys. Because the client host name is part of the signed data, the same key presented from a different host will not authenticate the client. The server trusts a listed host to have already authenticated the user, so this method should only be enabled for hosts under the same administrative control. As with public key authentication, the application puts the host key into a TElSSHMemoryKeyStorage.

Keyboard-interactive authentication

Keyboard-interactive authentication is a generalised form of password authentication, aimed at a human operator as the client. The server presents zero or more prompts (questions), possibly in several rounds, and the user answers each prompt. The number and contents of the prompts are not limited by the protocol, so one-time passwords and other challenge schemes, as well as certain types of automated logins, are possible.

SSH/SFTP client components support keyboard-interactive authentication via the OnAuthenticationKeyboard event. The handler should fill the Responses parameter of that event with replies to the questions contained in the Prompts parameter. The Echo parameter specifies, per prompt, whether the response may be displayed on the screen or must be masked as the user types it. The number of responses must be equal to the number of prompts, otherwise the server rejects the attempt.

If you enable keyboard-interactive authentication but do not provide a handler for the OnAuthenticationKeyboard event, the SSH client attempts to answer the prompts itself: if UserName and Password are set, it passes them as the answers to the corresponding questions (Prompts).

Being notified about the result of authentication

Once the server has authenticated the client (or rejected it), the SSH/SFTP client components fire an event: OnAuthenticationSuccess if the authentication succeeded, OnAuthenticationFailed otherwise. If several authentication methods are enabled, OnAuthenticationFailed may fire several times, once for each method the server rejects, followed by one OnAuthenticationSuccess when a later method works. Only if every enabled method is rejected does the connection fail to authenticate.
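The following Delphi unit is an added example, not code from this help page or from the SecureBlackbox product itself. It puts together the pieces described above: a private key loaded into a TElSSHMemoryKeyStorage for public key authentication, UserName and Password for password authentication, an OnAuthenticationKeyboard handler that answers prompts one for one, and the OnAuthenticationSuccess/OnAuthenticationFailed events. The property and event names are the ones named on this page; the unit names, the SSH_AUTH_TYPE_* constant names, the LoadPrivateKey return convention, the handler signatures and the use of TElSimpleSFTPClient as the "other SSH/SFTP component" are assumptions and should be checked against the reference of your edition. Host-based authentication is not shown. A production client must also verify the server's host key (the OnKeyValidate event, name assumed) before any of these methods run, which this page does not cover.

```delphi
{ Added example, not code from the SecureBlackbox help page.
  Unit names, SSH_AUTH_TYPE_* constants, LoadPrivateKey's return value
  and the event handler signatures are assumptions. }
unit SshAuthDemo;

interface

uses
  SysUtils, Classes,
  SBUtils, SBSSHConstants, SBSSHKeyStorage, SBSimpleSftp;

type
  TSshAuthDemo = class
  private
    FClient: TElSimpleSFTPClient;
    FKeys: TElSSHMemoryKeyStorage;
    procedure HandleKeyboard(Sender: TObject; Prompts: TElStringList;
      Echo: TBits; Responses: TElStringList);
    procedure HandleSuccess(Sender: TObject);
    procedure HandleFailed(Sender: TObject; AuthenticationType: Integer);
  public
    constructor Create(const Host, User, Password, KeyFile, KeyPass: string);
    destructor Destroy; override;
    procedure Connect;
  end;

implementation

constructor TSshAuthDemo.Create(const Host, User, Password, KeyFile,
  KeyPass: string);
var
  Key: TElSSHKey;
begin
  inherited Create;
  // Public key authentication: a key holding both the public and the
  // private part goes into a memory storage attached via KeyStorage.
  FKeys := TElSSHMemoryKeyStorage.Create(nil);
  Key := TElSSHKey.Create(nil);
  if Key.LoadPrivateKey(KeyFile, KeyPass) <> 0 then  // 0 = success (assumed)
  begin
    Key.Free;
    raise Exception.CreateFmt('Cannot load private key from %s', [KeyFile]);
  end;
  FKeys.Add(Key);

  FClient := TElSimpleSFTPClient.Create(nil);
  FClient.Address := Host;
  FClient.Port := 22;
  FClient.UserName := User;      // used by password and keyboard-interactive auth
  FClient.Password := Password;
  FClient.KeyStorage := FKeys;
  // Several methods enabled at once: the component tries each one the server
  // offers and fires OnAuthenticationFailed for every rejected method.
  FClient.AuthenticationTypes := SSH_AUTH_TYPE_PUBLICKEY or
    SSH_AUTH_TYPE_PASSWORD or SSH_AUTH_TYPE_KEYBOARD;
  FClient.OnAuthenticationKeyboard := HandleKeyboard;
  FClient.OnAuthenticationSuccess := HandleSuccess;
  FClient.OnAuthenticationFailed := HandleFailed;
end;

destructor TSshAuthDemo.Destroy;
begin
  FClient.Free;
  FKeys.Free;
  inherited;
end;

// Exactly one response per prompt, in prompt order. Prompts that ask for the
// password get the stored password, prompts that ask for the user name get
// the user name; anything unrecognised gets an empty answer so the counts
// still match instead of the attempt being rejected for a count mismatch.
procedure TSshAuthDemo.HandleKeyboard(Sender: TObject; Prompts: TElStringList;
  Echo: TBits; Responses: TElStringList);
var
  I: Integer;
  P: string;
begin
  Responses.Clear;
  for I := 0 to Prompts.Count - 1 do
  begin
    P := LowerCase(Prompts[I]);
    if Pos('password', P) > 0 then
      Responses.Add(FClient.Password)
    else if (Pos('user', P) > 0) or (Pos('login', P) > 0) then
      Responses.Add(FClient.UserName)
    else
      Responses.Add('');
    // Echo[I] = False means the server wants the answer hidden: never log it.
    if Echo[I] then
      Writeln('Prompt "', Prompts[I], '": ', Responses[I])
    else
      Writeln('Prompt "', Prompts[I], '": answered (masked)');
  end;
  Assert(Responses.Count = Prompts.Count, 'one response per prompt');
end;

procedure TSshAuthDemo.HandleSuccess(Sender: TObject);
begin
  Writeln('Authenticated as ', FClient.UserName);
end;

procedure TSshAuthDemo.HandleFailed(Sender: TObject; AuthenticationType: Integer);
begin
  // Fires once per rejected method; a later enabled method may still succeed.
  Writeln('Method ', AuthenticationType, ' rejected, trying the next one');
end;

procedure TSshAuthDemo.Connect;
begin
  FClient.Open;  // raises if no enabled method is accepted (assumed)
end;

end.
```

The keyboard handler deliberately answers unknown prompts with an empty string rather than guessing: the protocol requires the response count to match the prompt count, and sending the password in reply to an unexpected prompt (for example a verification code) would leak it to whatever asked. With no handler attached at all, the component's own fallback described above applies instead.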
