Authentication
Password authentication
Users authenticate using username and password. The password can be validated in two ways:
- Using password hash stored locally (e.g. burusftp user add ... --password <password>).
- Using Windows authentication (e.g. burusftp user add ... --win-account DOMAIN\user).
Users use their regular username for login, not the Windows account name. You can further specify which type of logon operation is performed using --password-auth-mode <windowsNetwork | windowsInteractive>. The options correspond to LOGON32_LOGON_NETWORK_CLEARTEXT or LOGON32_LOGON_INTERACTIVE respectively. We recommend using windowsNetwork unless network authentication is disabled on your server. You can read more details in Microsoft's official documentation.
We strongly recommend setting account lockout values lower than those in use by Windows (if set) to avoid a Windows account lockout caused by a remote attacker.
Windows authentication is available in the Pro edition only.
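The lockout recommendation above can be checked against your own numbers with a small model. This is an added example, not Buru SFTP or Windows code; the function name, the policy values and the server behaviour described in the docstring are assumptions made for illustration.

```python
# Added illustration: a simplified model, not Buru SFTP or Windows code.
def windows_account_locks(srv_threshold, srv_lockout_min,
                          win_threshold, win_reset_min,
                          attempt_every_s=6, horizon_min=24 * 60):
    """Return True if steady bad-password attempts lock the Windows account.

    Assumed server behaviour (not documented on this page): it counts
    failed logins per user, rejects attempts without calling Windows while
    the user is locked out, and unlocks after srv_lockout_min minutes.
    Windows is modelled by its lockout threshold and its
    "Reset account lockout counter after" interval.
    """
    if win_threshold <= 0:
        return False  # Windows lockout is not set
    srv_failures = 0
    srv_locked_until = 0
    win_failures = 0
    win_last_failure = None
    for t in range(0, horizon_min * 60, attempt_every_s):
        if t < srv_locked_until:
            continue  # rejected by the SFTP server, Windows never sees it
        # The attempt is passed to Windows and fails there.
        if win_last_failure is not None and t - win_last_failure >= win_reset_min * 60:
            win_failures = 0  # Windows counter expired since the last failure
        win_failures += 1
        win_last_failure = t
        if win_failures >= win_threshold:
            return True
        srv_failures += 1
        if srv_failures >= srv_threshold:
            srv_locked_until = t + srv_lockout_min * 60
            srv_failures = 0
    return False


if __name__ == "__main__":
    # Constructed policies: Windows locks after 10 failures, resets after 30 min.
    cases = [(5, 60), (5, 10), (10, 60)]
    for threshold, lockout_min in cases:
        locked = windows_account_locks(threshold, lockout_min, 10, 30)
        print(f"server {threshold} tries / {lockout_min} min lockout -> "
              f"Windows account locked: {locked}")
```

In this model a lower server threshold protects the Windows account only when the server lockout also lasts at least as long as the Windows counter reset interval; otherwise failures accumulate across server lockout periods.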
File system access impersonation
When using Windows authentication, file system impersonation is enabled by default (unless disabled by --impersonate off). This feature enables the server to access files and directories using the Windows account privileges associated with the user.
SSH aliases are not supported when impersonation is enabled.
Impersonation relies on Windows authentication and thus is available in the Pro edition only.
Public key authentication
Users authenticate using username and private key (e.g. burusftp user add ... --keys <public_key_file>). The server keeps only the users' public keys.
Two-factor authentication
Password and public key authentication can be combined with each other by a proper setting of the --keyAuth <enabled | disabled | required> and --passwordAuth <enabled | disabled | required> switches.