Detailed message for SFTP custom authentication provider

Question 1

Hello,

We are using the FileServer component with a custom authentication provider, password based. There are multiple reasons for which authentication might fail (e.g. unknown user, wrong password, missing consent) and we would like to be able to communicate this reason to the user (e.g. display a custom, detailed message in the SFTP client).
Is it possible to achieve this? Or do you have other recommendations for this scenario?

Thanks,
Paula

Question 2

The SFTP protocol doesn't define message for SSH_MSG_USERAUTH_FAILURE packet. It is on purpose. Any information in this step gives the attacker knowledge about the process of guessing username and password.

So we cannot add custom message to authentication routine.
However, we can send BANNER to the client in case of authentication failure.
Unfortunately, some clients don't display banners (e.g. FileZilla, Cyberduck), but others do (e.g. Rebex Sftp, WinSCP, Bitvise SSH, PuTTY psftp.exe tool, ...)

You can try it now using general banner, which can be set by server.Settings.Banner property.

If it satisfy your needs, we can add this feature easily.

Question 3

If the banner would be sent in case of authentication failure, would it be possible for us to change the banner's content with the failure reason before sending it to the client?

Question 4

Yes, it would be possible to specify a banner when rejecting the authentication attempt it the authentication event. However, this will not be done using server.Setting.Banner, although it will use the same mechanism (SSH_MSG_USERAUTH_BANNER message).

Question 5

That's clear. Since it doesn't work with some well known SFTP clients, we have to go with a different approach. Thank you very much for the support!

Lukas Matyska · Answer 1 · 2018-07-03T12:11:01+0000

The SFTP protocol doesn't define message for SSH_MSG_USERAUTH_FAILURE packet. It is on purpose. Any information in this step gives the attacker knowledge about the process of guessing username and password.

So we cannot add custom message to authentication routine.
However, we can send BANNER to the client in case of authentication failure.
Unfortunately, some clients don't display banners (e.g. FileZilla, Cyberduck), but others do (e.g. Rebex Sftp, WinSCP, Bitvise SSH, PuTTY psftp.exe tool, ...)

You can try it now using general banner, which can be set by server.Settings.Banner property.

If it satisfy your needs, we can add this feature easily.

If the banner would be sent in case of authentication failure, would it be possible for us to change the banner's content with the failure reason before sending it to the client? — Paula, Jul 4, 2018
Yes, it would be possible to specify a banner when rejecting the authentication attempt it the authentication event. However, this will not be done using server.Setting.Banner, although it will use the same mechanism (SSH_MSG_USERAUTH_BANNER message). — Lukas Pokorny, Jul 4, 2018
That's clear. Since it doesn't work with some well known SFTP clients, we have to go with a different approach. Thank you very much for the support! — Paula, Jul 5, 2018

Detailed message for SFTP custom authentication provider

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Categories

Detailed message for SFTP custom authentication provider

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Related questions

Categories