Discuss this help topic in SecureBlackbox Forum

SSH: Authenticate clients in SSH server

TElSSHServer takes care of the lion's share of the authentication routine, implementing the protocol mechanics under the bonnet and leaving only the principal decisions to you as its user. Your responsibility is to handle the OnAuthXXX events, which the server uses to 'ask' you for your authentication decisions, and to implement their handlers appropriately. Additionally, use the AuthenticationTypes property to specify which authentication types you want the server to support.

During the authentication process the user may try different authentication methods in any order. You are entirely free to decide whether to let the user in after a single-factor (e.g. password) authentication, or to torture them with a set of different authentication types - it is completely up to you. The whole authentication process therefore consists of a sequence of authentication requests, each of which may succeed or fail.

When a user initiates an authentication request, the OnAuthAttempt event is fired, reporting the user name (login) and the chosen authentication type. You can reject the authentication request straight away by returning Accept = false.

Then, depending on the authentication type, one of the following events may be fired:

  • OnAuthPassword
  • OnAuthPublicKey
  • OnAuthHostbased
  • OnAuthKeyboard

These events report the authentication token provided by the user (e.g. the password). Note that the signatures used by the key-based authentication methods (public key and hostbased) are verified automatically by the component, so a successful signature check only proves that the client holds the private key; your task is to check the genuineness of the key itself, i.e. that it is a key you know and trust for that user or host.

If the provided authentication token is correct, return Accept = true. This indicates (to the server component and to the user) that the authentication request was successful. Otherwise, return Accept = false.

The OnAuthKeyboard event works slightly differently from the other events because of its two-stage nature. OnAuthKeyboard expects you to provide the questions to be displayed to the user. Once the user replies, the OnAuthKeyboardResponse event is fired, indicating the completion of the authentication request.

Straight after that, the OnFurtherAuthNeeded event is fired. It asks your code whether further authentication (e.g. with a different method) should be performed, or whether the user should be considered authenticated and allowed to proceed to the application-layer protocol facilities. Set Needed = true to continue the authentication, or Needed = false to indicate that the user has been authenticated successfully.
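The decision logic behind the event flow described above, as an added Python model that is not SecureBlackbox code (TElSSHServer has no Python binding; real handler signatures differ). The method names mirror the OnAuth* events, their boolean results stand for the Accept and Needed parameters, and the user record, salt, password and key blob are constructed sample values; the model requires both a password and an authorized public key before Needed becomes false.

```python
import hashlib
import hmac
# Constructed user database (sample values, not from the page): salted SHA-256
# password digests plus the public-key blobs each user is authorized to use.
USERS = {"alice": {"salt": b"s4lt",
                   "pw_hash": hashlib.sha256(b"s4lt" + b"correct horse").hexdigest(),
                   "authorized_keys": {b"ssh-ed25519 EXAMPLE-KEY-ALICE"}}}
SUPPORTED = {"password", "publickey"}         # what AuthenticationTypes would list
REQUIRED_FACTORS = {"password", "publickey"}  # all must pass before Needed = false

class AuthSession:
    def __init__(self):
        self.passed = set()  # methods that have already succeeded in this session

    def _result(self, method, ok):
        if ok:
            self.passed.add(method)
        return ok

    def on_auth_attempt(self, user, method):
        # OnAuthAttempt: Accept = false for unknown users or unsupported methods.
        return method in SUPPORTED and user in USERS

    def on_auth_password(self, user, password):
        rec = USERS.get(user, {"salt": b"", "pw_hash": ""})  # unknown user: full path, then fail
        digest = hashlib.sha256(rec["salt"] + password.encode()).hexdigest()
        return self._result("password", hmac.compare_digest(digest, rec["pw_hash"]))  # constant-time

    def on_auth_public_key(self, user, key_blob):
        # Signature already verified by the component; only check that the key is a known one.
        keys = USERS.get(user, {}).get("authorized_keys", set())
        return self._result("publickey", key_blob in keys)

    def on_further_auth_needed(self):
        # OnFurtherAuthNeeded: Needed = true until every required factor has passed.
        return not REQUIRED_FACTORS <= self.passed

def run_client(requests, user="alice"):
    # Replay a constructed sequence of (method, token) requests and return the event log.
    session, log = AuthSession(), []
    for method, token in requests:
        if not session.on_auth_attempt(user, method):
            log.append((method, "rejected"))
            continue
        handler = session.on_auth_password if method == "password" else session.on_auth_public_key
        ok = handler(user, token)
        log.append((method, "ok" if ok else "failed"))
        if ok and not session.on_further_auth_needed():
            log.append(("authenticated", user))
            break
    return log
```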

