public key with password fail to connect

Question

I have a requirement to use dual authentication ( public key and password ). When i setup the credentials for the user and try to connect using winscp / Filezilla , connection goes well with this message 'Server refused public-key signature despite accepting key!' . When i use the Rebex to connect using below parameters , i get odd error
" A public key corresponding to the supplied private key was not accepted by the server or the user name is incorrect" .
StackTrace:
at Rebex.Net.Sftp.aebju(String p0, String p1, SshPrivateKey p2, kphac p3)
at Rebex.Net.Sftp.Login(String userName, String password, SshPrivateKey privateKey)

If i use same public key without any password requirement , i don't see any issue at all or if i just opted for password it works fine too . So is there any way to bypass 'signature errors' and have the connection work well ? i have tried with 'Settings.EnableSignaturePadding' but no luck . Are there any work around ? Let me know if any addition log required ?

Note: WinSCP says this could happen due to padding issues based on SSH standard but that dint work on Rebex
https://winscp.net/eng/docs/ui_login_bugs#sshbug_rsapad2

Answer 1

When FileZilla reports "Server refused public-key signature despite accepting key", I would assume that public key authentication actually failed, and that FileZilla proceeded to authenticate using only the password. Therefore, there was no public key authentication at all, which goes against your requirement to use dual authentication.

Also, there is no way to bypass 'signature errors' - if there was, that would be a very serious server-side vulnerability, because it would make it possible for anyone to authenticate using the public key only, which would completely defy the purpose. Key-based authentication uses asymmetric cryptography, where a proper signature is actually the proof that the user is in possession of the private key (without having to reveal the private key to the server).

I can provide advice on how to reproduce the behavior of FileZilla - that is, attempt dual authentication first, and if that fails, attempt password-based authentication only. If this is what you are looking for, let me know and I'll post the relevant code. However, I have to stress once more that this approach actually violates your requirement. Having the server fixed should be the preferred option.

---

Update: The following code tries dual (public key + password) authentication first, followed by only password-based authentication if it fails:

string userName = …;
string password = …;
SshPrivateKey key = …;

sftp.Connect(…);

try
{
    // try key authentication, followed by password authentication
    // (if requested by the server)
    sftp.Login(userName, password, key);
}
catch (SftpException ex)
{
    // determine whether the exception is an SSH authentication error
    Exception innerEx = ex.InnerException;
    if (ex.Status == SftpExceptionStatus.OperationFailure
        && innerEx is SshException
        && (string)innerEx.Data["ProtocolMessage"] == "AuthenticationCancelledByUser")
    {
        // try password authentication only
        sftp.Login(userName, password);
    }
}

Comments

You are absolutely correct . I have already raised the request to fix the problem at server side but it may take bit long than i anticipated . Can you please advice on the behavior of  filezilla ?

---

I updated my answer with the relevant code.

---

i couldn't believe it works . Somewhere i thought i would try to use  re-login only with password but it was failing when i only  used password authentication , seems like it re-login should go with same session ? Thank you Lukas.

---

Yes, both Login calls use the same SSH session that was established during Sftp.Connect method call.