Eldos ElSSH Authentication bug

Posted: 06/21/2011 07:33:25
by James West (Standard support level)
Joined: 06/21/2011
Posts: 1


I noticed in the examples provided, in addition to creating my own SFTP client using Eldos Secure FTP/Blackbox (using ElSSHClient and ElSFTP Client), that there seems to be some authentication bug.

Say you have an SFTP server.
It requires a publickey (and optional pass for it) and no user credentials - logs in just fine. AuthenticationSuccess is fired. Great.

Let's say your publickey is invalid - AuthenticationFailure is fired. Great. Perfect.

Let's say then you log in to an SFTP with just standard user creds. If the authentication is correct, then AuthenticationSuccess is fired. Great.

If you enter invalid creds, then AuthenticationFailure is fired. Great.

Now the problem:

What I noticed is that if an SFTP requires a public/private key AND user credentials, it will fail then succeed. (Even though the creds are correct)

This is bad and makes me think there is a bug in Eldos. AuthenticationSuccess and AuthenticationFailure should only ever be raised/fired if 100% success or 100% failure.

Not both! It's difficult especially if you are wanting a system of a success or failure of creds in an automated application. There is no need to keep authenticating if your creds are genuinely invalid.

There must be some workaround or resolution to this? Perhaps some setting?

Using the client supplied in the examples, this is the output:

21/06/2011 12:45:43: Server key received
21/06/2011 12:45:45: Authentication type 2 failed.
21/06/2011 12:45:45: Authentication succeeded.
21/06/2011 12:45:45: SSH Connection started.
21/06/2011 12:45:48: Sftp connection started.
21/06/2011 12:45:48: Opening directory .
21/06/2011 12:45:49: Directory opened.
21/06/2011 12:45:51: File list received.
21/06/2011 12:45:51: Closing active handle.

Here is an example of where the server requires just the pub/private key and username:

21/06/2011 13:32:35: Server key received
21/06/2011 13:32:35: Authentication succeeded.
21/06/2011 13:32:35: SSH Connection started.
21/06/2011 13:32:39: Sftp connection started.
21/06/2011 13:32:39: Opening directory .
21/06/2011 13:32:40: Directory opened.
21/06/2011 13:32:42: File list received.
21/06/2011 13:32:42: Closing active handle.

Ahmed Ilyas
Posted: 06/21/2011 07:43:28
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

As it is written in our documentation, the OnAuthenticationFailed event is fired when a single authentication attempt has failed. As SSH may try a number of authentication attempts of different types or with different parameters (such as public keys) during one session, this event may not be critical and may not lead to the closing of the connection.

The OnAuthenticationSuccess event might be preceded by a couple of OnAuthenticationFailed events.

So this is not a bug, but normal behaviour.
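
As an added illustration (not EldoS code and not part of either post), the following Python sketch reads client logs in the format quoted in this thread and derives one verdict per connection: each "Authentication type N failed." line is recorded as a rejected attempt, and a session counts as failed only if no "Authentication succeeded." line follows. Treating "Server key received" as the start of a session, and the "Connection closed." line in the sample, are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the log format quoted in the thread.
# The "Connection closed." line is an assumption, not taken from the page.
SAMPLE_LOG = """\
21/06/2011 12:45:43: Server key received
21/06/2011 12:45:45: Authentication type 2 failed.
21/06/2011 12:45:45: Authentication succeeded.
21/06/2011 12:45:45: SSH Connection started.
21/06/2011 14:02:10: Server key received
21/06/2011 14:02:11: Authentication type 2 failed.
21/06/2011 14:02:12: Authentication type 4 failed.
21/06/2011 14:02:12: Connection closed.
"""

LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}): (.*)$")
FAILED = re.compile(r"^Authentication type (\d+) failed\.$")

@dataclass
class Session:
    started: str
    failed_types: list = field(default_factory=list)  # per-attempt rejections
    authenticated: bool = False

def summarize(log_text):
    """Group log lines into sessions and track per-attempt auth results."""
    sessions = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        if msg == "Server key received":  # assumed session boundary
            sessions.append(Session(started=stamp))
        elif sessions and msg == "Authentication succeeded.":
            sessions[-1].authenticated = True
        elif sessions and (f := FAILED.match(msg)):
            sessions[-1].failed_types.append(int(f.group(1)))
    return sessions

def verdict(session):
    # A rejected attempt is not final; only the absence of success is.
    return "success" if session.authenticated else "failure"

if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s.started, verdict(s), "rejected attempts:", s.failed_types)
```
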


