Authentication

Password authentication

Users authenticate using username and password. The password can be validated in two ways:

  1. Using a password hash stored locally (e.g. burusftp user add ... --password <password>).
  2. Using Windows authentication (e.g. burusftp user add ... --win-account DOMAIN\user).
    Users use their regular username for login, not the Windows account name. You can further specify which type of logon operation is performed using --password-auth-mode <windowsNetwork | windowsInteractive>. The options correspond to LOGON32_LOGON_NETWORK_CLEARTEXT and LOGON32_LOGON_INTERACTIVE, respectively. We recommend using windowsNetwork unless network authentication is disabled on your server. You can read more details in the official Microsoft documentation.
    We strongly recommend setting account lockout values lower than those in use by Windows (if set) to avoid Windows account lockout caused by a remote attacker.

Windows authentication is available in the Pro edition only.
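
A check for the lockout recommendation above, as an added example that is not part of the product or its documentation: it parses `net accounts` output (a constructed English-locale sample is embedded) and verifies that the server's lockout limit is lower than the Windows threshold. `server_max_failures` is a hypothetical parameter standing for the lockout limit you configured on the server; for domain accounts, feed it the output of `net accounts /domain` instead.

```python
import re

# Constructed sample of `net accounts` output (English locale), not from the page.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password length:                              8
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
The command completed successfully.
"""

def windows_lockout_threshold(net_accounts_output):
    """Return the Windows lockout threshold as int, or None if it is "Never"."""
    m = re.search(r"^Lockout threshold:[ \t]*(\S+)\s*$",
                  net_accounts_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Lockout threshold' line found (non-English locale?)")
    value = m.group(1)
    return None if value.lower() == "never" else int(value)

def check_lockout(server_max_failures, net_accounts_output):
    """Compare the SFTP server's lockout limit with the Windows threshold.

    server_max_failures: failed logins before the SFTP server locks the user
    (hypothetical parameter; None means no server-side lockout is configured).
    Returns (ok, message).
    """
    win = windows_lockout_threshold(net_accounts_output)
    if win is None:
        return True, "Windows lockout threshold is Never; nothing to stay below"
    if server_max_failures is None:
        return False, f"no server lockout; {win} bad passwords lock the Windows account"
    if server_max_failures >= win:
        return False, (f"server limit {server_max_failures} is not lower than "
                       f"Windows threshold {win}")
    return True, f"server locks after {server_max_failures}, before Windows threshold {win}"

if __name__ == "__main__":
    # Walk through a safe limit, an equal (unsafe) limit, and no limit at all.
    for limit in (3, 5, None):
        print(limit, check_lockout(limit, SAMPLE_NET_ACCOUNTS))
```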

File system access impersonation

When using Windows authentication, file system impersonation is enabled by default (unless disabled by --impersonate off). This feature enables the server to access files and directories using the Windows account privileges associated with the user.

SSH aliases are not supported when impersonation is enabled.

Impersonation relies on Windows authentication and thus is available in the Pro edition only.

Public key authentication

Users authenticate using a username and a private key (e.g. burusftp user add ... --keys <public_key_file>). The server keeps only the users' public keys.

Two-factor authentication

Password and public key authentication can be combined by setting the
--keyAuth <enabled | disabled | required> and --passwordAuth <enabled | disabled | required> switches appropriately.
