Authentication modes
Username and password
Password-based authentication is simple:
```csharp
// connect to a server and verify fingerprint
var sftp = new Sftp();
sftp.Connect(hostname);

// log in
sftp.Login(username, password);
```

```vb
' connect to a server and verify fingerprint
Dim sftp As New Rebex.Net.Sftp()
sftp.Connect(hostname)

' log in
sftp.Login(username, password)
```
In addition to password authentication, this method supports simple forms of keyboard-interactive authentication methods as well.
Public/private key authentication
Asymmetric cryptography makes it possible to authenticate using a private key without revealing it to the server (or anyone else) - only the corresponding public key needs to be associated with your account.
Use the SshPrivateKey class for this kind of authentication:
```csharp
// connect to a server and verify fingerprint
var client = new Sftp();
client.Connect(hostname);

// load the private key
SshPrivateKey privateKey = new SshPrivateKey("my_key.ppk", "key_password");

// log in
client.Login(username, privateKey);
```

```vb
' connect to a server and verify fingerprint
Dim sftp As New Rebex.Net.Sftp()
sftp.Connect(hostname)

' load the private key
Dim privateKey = New SshPrivateKey("my_key.ppk", "key_password")

' log in
sftp.Login(username, privateKey)
```
How do you get the private key? Usually, you generate it yourself, either using the Rebex KeyGenerator sample, our key-generator API or a third-party utility (most SSH/SFTP vendors provide one). Once generated, the corresponding public key has to be associated with your account (this is server-specific, consult your server administrator if needed).
In case you already have your private key, just load it into the SshPrivateKey object - it supports a lot of private key formats.
SSH agent authentication
When authenticating using a key pair, the private key does not have to be loaded into the SFTP library. Instead, the SFTP client can relay the authentication to an external SSH authentication agent that provides key management and related services.
```csharp
// connect to a server and verify fingerprint
var client = new Sftp();
client.Connect(hostname);

// log in to the server and authenticate with a private key managed by OpenSSH agent
client.Login(username, SshAuthenticationAgent.OpenSshAgent);
```

```vb
' connect to a server and verify fingerprint
Dim client = New Sftp()
client.Connect(hostname)

' log in to the server and authenticate with a private key managed by OpenSSH agent
client.Login(username, SshAuthenticationAgent.OpenSshAgent)
```
The following SSH agents are supported:
- OpenSSH Agent: A widely-used SSH authentication agent common on Unix-like systems (such as Linux or macOS) and Windows. It communicates with the SSH client via a named pipe on Windows or via a domain socket on Unix.
- Pageant: The SSH agent bundled with PuTTY. Runs on Windows and communicates with the SSH client via a named pipe.
- Legacy Pageant: An alternative Pageant mode for compatibility with older versions or non-standard builds. Uses Windows messages and a memory-mapped file to communicate with the SSH client.
See the SshAuthenticationAgent API documentation for more information.
X.509 certificate authentication
Some SFTP servers - such as Rebex Buru SFTP Server, VanDyke VShell or Tectia SSH Server - support authentication using X.509 certificates.
Simply load the certificate with an associated private key into the SshPrivateKey object and pass it to the Login method.
```csharp
// connect to a server and verify fingerprint
var sftp = new Sftp();
sftp.Connect(hostname, port);

// load X.509 certificate
Certificate x509 = Rebex.Security.Certificates.Certificate.LoadPfx(certPath, certPassword);

// wrap X.509 certificate to SshPrivateKey
SshPrivateKey privateKey = new SshPrivateKey(x509);

// log in
sftp.Login(username, privateKey);
```

```vb
' connect to a server and verify fingerprint
Dim sftp As New Rebex.Net.Sftp()
sftp.Connect(hostname, port)

' load X.509 certificate
Dim x509 = Rebex.Security.Certificates.Certificate.LoadPfx(certPath, certPassword)

' wrap X.509 certificate to SshPrivateKey
Dim privateKey = New SshPrivateKey(x509)

' log in
sftp.Login(username, privateKey)
```
X509Certificate2 object as well instead of our Certificate object.
GSSAPI
GSSAPI support makes it possible to use Kerberos or NTLM authentication mechanisms, both in single sign-on mode and username/password(/domain)-based mode.
Note: GSSAPI is only supported on Windows platforms.
Single sign-on
With single sign-on, the current user can authenticate without having to enter his password. Single sign-on is only possible with Kerberos or NTLM authentication mechanisms on servers that support them (through GSSAPI). Additionally, both the client and server machines must be part of the same domain (or a domain trust has to be implemented).
Note: Single sign-on is only supported on Windows platforms.
Kerberos authentication
If the server supports Kerberos authentication, it is possible to use the GSSAPI Kerberos v5 authentication mechanism.
Kerberos with single sign-on
```csharp
// connect to a server and verify fingerprint
var sftp = new Sftp();
sftp.Connect(hostname);

// initialize GSSAPI for Kerberos single sign-on
var credentials = new SshGssApiCredentials();
credentials.SetMechanisms(SshGssApiMechanisms.KerberosV5);

// log in using Kerberos single sign-on
sftp.Login(credentials);
```

```vb
' connect to a server and verify fingerprint
Dim sftp As New Rebex.Net.Sftp()
sftp.Connect(hostname)

' initialize GSSAPI for Kerberos single sign-on
Dim credentials = New SshGssApiCredentials()
credentials.SetMechanisms(SshGssApiMechanisms.KerberosV5)

' log in using Kerberos single sign-on
sftp.Login(credentials)
```
Kerberos with username/password/domain
```csharp
// connect to a server and verify fingerprint
var sftp = new Sftp();
sftp.Connect(hostname);

// initialize GSSAPI for Kerberos authentication
var credentials = new SshGssApiCredentials(username, password, domain);
credentials.SetMechanisms(SshGssApiMechanisms.KerberosV5);

// log in using Kerberos
sftp.Login(credentials);
```

```vb
' connect to a server and verify fingerprint
Dim sftp As New Rebex.Net.Sftp()
sftp.Connect(hostname)

' initialize GSSAPI for Kerberos authentication
Dim credentials = New SshGssApiCredentials(username, password, domain)
credentials.SetMechanisms(SshGssApiMechanisms.KerberosV5)

' log in using Kerberos
sftp.Login(credentials)
```
Note: Kerberos is only supported on Windows platforms. However, it's possible to authenticate Windows-based clients to Unix-based servers using Kerberos.
NTLM authentication
If the server supports NTLM authentication, it is possible to use the GSSAPI NTLM authentication mechanism.
NTLM with single sign-on
```csharp
// connect to a server and verify fingerprint
var sftp = new Sftp();
sftp.Connect(hostname);

// initialize GSSAPI for NTLM single sign-on
var credentials = new SshGssApiCredentials();
credentials.SetMechanisms(SshGssApiMechanisms.Ntlm);

// log in using NTLM single sign-on
sftp.Login(credentials);
```

```vb
' connect to a server and verify fingerprint
Dim sftp As New Rebex.Net.Sftp()
sftp.Connect(hostname)

' initialize GSSAPI for NTLM single sign-on
Dim credentials = New SshGssApiCredentials()
credentials.SetMechanisms(SshGssApiMechanisms.Ntlm)

' log in using NTLM single sign-on
sftp.Login(credentials)
```
NTLM with username/password/domain
```csharp
// connect to a server and verify fingerprint
var sftp = new Sftp();
sftp.Connect(hostname);

// initialize GSSAPI for NTLM authentication
var credentials = new SshGssApiCredentials(username, password, domain);
credentials.SetMechanisms(SshGssApiMechanisms.Ntlm);

// log in using NTLM
sftp.Login(credentials);
```

```vb
' connect to a server and verify fingerprint
Dim sftp As New Rebex.Net.Sftp()
sftp.Connect(hostname)

' initialize GSSAPI for NTLM authentication
Dim credentials = New SshGssApiCredentials(username, password, domain)
credentials.SetMechanisms(SshGssApiMechanisms.Ntlm)

' log in using NTLM
sftp.Login(credentials)
```
Note: On non-Windows platforms (Linux, Android, macOS, iOS), NTLM is only available with the NTLM plugin.
Advanced keyboard-interactive authentication
In most cases, password-based authentication will take care of servers that use the keyboard-interactive authentication method. To handle rare cases where the server utilizes interactive authentication to ask non-trivial questions, register an AuthenticationRequest event handler both to get notified about them and to answer them.
Note: The Login method's username and password arguments are optional. If you omit them, the event handler will be called when required.
```csharp
// connect to a server and verify fingerprint
var sftp = new Sftp();
sftp.Connect(hostname);

// register AuthenticationRequest event handler
sftp.AuthenticationRequest += client_AuthenticationRequest;

// log in (alternatively, omit username and password as well)
sftp.Login(username, password);
```

```vb
' connect to a server and verify fingerprint
Dim sftp As New Rebex.Net.Sftp()
sftp.Connect(hostname)

' register AuthenticationRequest event handler
AddHandler sftp.AuthenticationRequest, AddressOf client_AuthenticationRequest

' log in (alternatively, omit username and password as well)
sftp.Login(username, password)
```
The event handler implementing the actual logic:
```csharp
void client_AuthenticationRequest(object sender, SshAuthenticationRequestEventArgs e)
{
    Console.WriteLine("Server: {0}", e.Name);
    Console.WriteLine("Instructions: {0}", e.Instructions);

    foreach (SshAuthenticationRequestItem item in e.Items)
    {
        // display question
        Console.Write(item.Prompt);

        // set answer
        item.Response = Console.ReadLine();
    }
}
```

```vb
Sub client_AuthenticationRequest(ByVal sender As Object, ByVal e As SshAuthenticationRequestEventArgs)
    Console.WriteLine("Server: {0}", e.Name)
    Console.WriteLine("Instructions: {0}", e.Instructions)

    For Each item As SshAuthenticationRequestItem In e.Items
        ' display question
        Console.Write(item.Prompt)

        ' set answer
        item.Response = Console.ReadLine()
    Next
End Sub
```
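The handler above echoes every typed answer and prints server-supplied text unchanged. The following variant is an added example, not Rebex's own code: it uses only the members shown on this page (Name, Instructions, Items, Prompt, Response) plus the .NET Console API, hides the typed answers, and strips control characters from the server's strings. The class and method names (InteractiveAuth, Printable, ReadHidden, OnAuthenticationRequest) are hypothetical.

```csharp
using System;
using System.Linq;
using System.Text;
using Rebex.Net;

// Hypothetical helper class; all names here are illustrative.
static class InteractiveAuth
{
    // Server-supplied text is untrusted: drop control characters (including ESC)
    // so a prompt cannot inject terminal escape sequences or fake extra lines.
    static string Printable(string s) =>
        new string((s ?? "").Where(c => !char.IsControl(c)).ToArray());

    // Read one line from the console without echoing it
    // (answers may be passwords or one-time codes).
    public static string ReadHidden()
    {
        var sb = new StringBuilder();
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(intercept: true);
            if (key.Key == ConsoleKey.Enter) break;
            if (key.Key == ConsoleKey.Backspace)
            {
                if (sb.Length > 0) sb.Length--;   // erase the last typed character
            }
            else if (!char.IsControl(key.KeyChar))
            {
                sb.Append(key.KeyChar);
            }
        }
        Console.WriteLine();
        return sb.ToString();
    }

    public static void OnAuthenticationRequest(object sender, SshAuthenticationRequestEventArgs e)
    {
        Console.WriteLine("Server: {0}", Printable(e.Name));
        Console.WriteLine("Instructions: {0}", Printable(e.Instructions));

        foreach (SshAuthenticationRequestItem item in e.Items)
        {
            Console.Write(Printable(item.Prompt));   // sanitized question
            item.Response = ReadHidden();            // answer is never echoed
        }
    }
}
```

Register it with `sftp.AuthenticationRequest += InteractiveAuth.OnAuthenticationRequest;` before calling Login. ReadHidden can also supply the passphrase passed to the SshPrivateKey constructor, so it does not have to appear as a literal in source code.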