Detailed message for SFTP custom authentication provider

0 votes
asked Jul 3 by Paula (270 points)

Hello,

We are using the FileServer component with a custom authentication provider, password based. There are multiple reasons for which authentication might fail (e.g. unknown user, wrong password, missing consent) and we would like to be able to communicate this reason to the user (e.g. display a custom, detailed message in the SFTP client).
Is it possible to achieve this? Or do you have other recommendations for this scenario?

Thanks,
Paula

1 Answer

0 votes
answered Jul 3 by Lukas Matyska (43,510 points)
selected Jul 5 by Paula
 
Best answer

The SFTP protocol doesn't define message for SSH_MSG_USERAUTH_FAILURE packet. It is on purpose. Any information in this step gives the attacker knowledge about the process of guessing username and password.

So we cannot add custom message to authentication routine.
However, we can send BANNER to the client in case of authentication failure.
Unfortunately, some clients don't display banners (e.g. FileZilla, Cyberduck), but others do (e.g. Rebex Sftp, WinSCP, Bitvise SSH, PuTTY psftp.exe tool, ...)

You can try it now using general banner, which can be set by server.Settings.Banner property.

If it satisfy your needs, we can add this feature easily.

commented Jul 4 by Paula (270 points)
If the banner would be sent in case of authentication failure, would it be possible for us to change the banner's content with the failure reason before sending it to the client?
commented Jul 4 by Lukas Pokorny (92,630 points)
Yes, it would be possible to specify a banner when rejecting the authentication attempt it the authentication event. However, this will not be done using server.Setting.Banner, although it will use the same mechanism (SSH_MSG_USERAUTH_BANNER message).
commented Jul 5 by Paula (270 points)
That's clear. Since it doesn't work with some well known SFTP clients, we have to go with a different approach. Thank you very much for the support!
...