0 votes
6.2k views
in .NET FTP by (1.3k points)
Hi,
In your API, it seems that "Public key followed by password" means you need to have both public key and username/password to connect to the server?

That would make sense, but it seems that when using this authentication type, we are still able to connect to an SFTP server with only the username and password set. The server is configured to not require public keys for the user, so I presume it's allowing the connection to be made anyway?

Is this correct? In other words, does a SecureFTPConnection not enforce both username/password AND public key if the server does not require it?

Graeme

8 Answers

0 votes
by (51.4k points)
Yes, that's correct. There's no point in stopping the connection from being made if the server allows it. It's up to the server to specify authentication requirements, not the client.

- Hans (EnterpriseDT)
0 votes
by (1.3k points)
I understand that, but then should the AuthenticationType not be called PublicKeyOrPassword, because that's effectively how it behaves? One of my colleagues was able to connect to a server even though he used an incorrect password for the user. Once the public key had been authenticated, it didn't seem to matter that the password was invalid. Whereas, when he removed the public key, then the connection failed. So it's performing an OR rather than an AND operation.

Graeme
0 votes
by (51.4k points)
Yes, that's a good point; calling it PublicKeyOrPassword would probably have been better. I'm just not sure it's confusing enough to be worth changing now that it's been like that for so long. I'll bring it up for discussion.

- Hans (EnterpriseDT)
0 votes
by (1.3k points)
Or even just to update the documentation so that it explains the behaviour?

Now I'm still slightly puzzled about the difference between PublicKeyAndPassword, and just PublicKey types. In the latter, you still need to have a Username, otherwise the client doesn't know which account to use, right? And I presume you also need a password, although it could be incorrect and the connection will still proceed - but is that not the same as the former type? That would render the PublicKey type redundant, since one can always connect with PublicKeyAndPassword.
0 votes
by (161k points)
You always need a username, but for public key authentication you generally don't require a password - just the user's private key.
0 votes
by (1.3k points)
Do you know of any servers that require both public key and password?
0 votes
by (161k points)
Sure, our own server, CompleteFTP, can be configured to require both for SFTP.
0 votes
by (1.3k points)
Ok, so that would be better security, which would be the only scenario that makes sense to use PublicKeyAndPassword (where it would really be an AND). In other cases, the user should know whether they're authenticating with password or with public key and the code should choose one or the other. I don't see the point of having a server that allows one or the other, whereby the code uses PublicKeyAndPassword (as an OR).

Thanks for clarifying.
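
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not EnterpriseDT code: a toy Python model of SSH user authentication (RFC 4252), where the server's policy alone decides whether key and password act as OR or as AND. `ServerSession`, `connect`, the policy lists and the credentials are hypothetical names and constructed values.

```python
SUCCESS, FAILURE = "USERAUTH_SUCCESS", "USERAUTH_FAILURE"

class ServerSession:
    """Toy model of the server side of SSH user authentication (RFC 4252)."""

    def __init__(self, valid, chains):
        self.valid = valid      # method -> credential on file (constructed values)
        self.chains = chains    # completing ANY one chain, in order, grants access
        self.done = []          # methods already passed in this session

    def request(self, method, credential):
        """Return (message, methods_that_can_continue, partial_success)."""
        n = len(self.done)
        live = [c for c in self.chains if c[:n] == tuple(self.done)]
        advanced = (self.valid.get(method) == credential
                    and any(len(c) > n and c[n] == method for c in live))
        if advanced:
            self.done.append(method)
            if tuple(self.done) in self.chains:
                return SUCCESS, [], False
            n += 1
            live = [c for c in self.chains if c[:n] == tuple(self.done)]
        return FAILURE, sorted({c[n] for c in live if len(c) > n}), advanced

def connect(session, key=None, password=None):
    """Client that offers every credential it holds, key first."""
    trace = []
    for method, cred in (("publickey", key), ("password", password)):
        if cred is None:
            continue
        msg, _, partial = session.request(method, cred)
        trace.append((method, msg, partial))
        if msg == SUCCESS:      # server is satisfied; nothing else is sent
            return True, trace
    return False, trace

VALID = {"publickey": "key-A", "password": "s3cret"}   # constructed sample account
OR_POLICY = [("publickey",), ("password",)]            # either method alone suffices
AND_POLICY = [("publickey", "password")]               # key first, then password

if __name__ == "__main__":
    for name, policy in (("OR", OR_POLICY), ("AND", AND_POLICY)):
        ok, trace = connect(ServerSession(VALID, policy), key="key-A", password="wrong")
        print(name, "server, valid key + wrong password ->", ok, trace)
```

Against the OR policy the wrong password is never sent, because the server reports success after the key; only the AND policy makes the password count.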
