SSHUserAuthRequest Event

Fires when a client attempts to authenticate a connection.


ANSI (Cross Platform)
virtual int FireSSHUserAuthRequest(SFTPServerSSHUserAuthRequestEventParams *e);
typedef struct {
int ConnectionId;
const char *User;
const char *Service;
const char *AuthMethod;
const char *AuthParam;
int Accept;
int PartialSuccess;
char *AvailableMethods;
char *HomeDir;
const char *KeyAlgorithm; int reserved; } SFTPServerSSHUserAuthRequestEventParams; Unicode (Windows) virtual INT FireSSHUserAuthRequest(SFTPServerSSHUserAuthRequestEventParams *e);
typedef struct {
INT ConnectionId;
LPCWSTR Service;
LPCWSTR AuthMethod;
LPCWSTR AuthParam;
BOOL Accept;
BOOL PartialSuccess;
LPWSTR AvailableMethods;
LPCWSTR KeyAlgorithm; INT reserved; } SFTPServerSSHUserAuthRequestEventParams;
- (void)onSSHUserAuthRequest:(int)connectionId :(NSString*)user :(NSString*)service :(NSString*)authMethod :(NSString*)authParam :(int*)accept :(int*)partialSuccess :(NSString**)availableMethods :(NSString**)homeDir :(NSString*)keyAlgorithm;

virtual INT IPWORKSSFTP_CALL FireSSHUserAuthRequest(INT &iConnectionId, LPSTR &lpszUser, LPSTR &lpszService, LPSTR &lpszAuthMethod, LPSTR &lpszAuthParam, BOOL &bAccept, BOOL &bPartialSuccess, LPSTR &lpszAvailableMethods, LPSTR &lpszHomeDir, LPSTR &lpszKeyAlgorithm);


The SSHUserAuthRequest event fires when an SSH client attempts to authenticate itself on a particular connection. ConnectionId will identify the connection being authenticated. User will be the name of the account requesting authentication, and Service will contain the name of the service the client is wishing to access.

AuthMethod will denote which method the client is attempting to use to authenticate itself. AuthParam will contain the value of the authentication token used by the client. If the token is acceptable, you may set Accept to true to allow the SFTPServer to authenticate the client. If it is not, set Accept to false.

Connecting clients will initially attempt authentication with an AuthMethod of "none". This is done with the expectation that the request will fail and the server will send a list of supported methods back to the client. In your implementation check the AuthMethod parameter, if it is "none" you should set AvailableMethods and reject the request. The client will select one of the available methods and re-authenticate.

You may set AvailableMethods to a comma-delimited string of authentication methods that are available for the user. This list will be sent back to the client so that it may perform further authentication attempts.

The following is a list of methods implemented by the class:

noneThis authentication method is used by most SSH clients to obtain the list of authentication methods available for the user's account. In most cases you should not accept a request using this authentication method.
passwordAuthParam will contain the user-supplied password. If the password is correct, set Accept to true.
publickeyAuthParam will contain an SSH2 public key blob. If the user's public key is acceptable, set Accept to true. The class will then handle verifying the digital signature and will respond to the client accordingly.
keyboard-interactiveSSHUserAuthRequest will fire multiple times for keyboard-interactive authentication: It will fire once for each response sent by the client in the SSH_MSG_USERAUTH_INFO_RESPONSE packet (one for each prompt specified by the daemon). The index of each response will be specified as a suffix in AuthMethod, with AuthParam containing the response to the corresponding prompt (e.g keyboard-interactive-1, keyboard-interactive-2 and so on). Finally, SSHUserAuthRequest will fire one last time with AuthMethod set to "keyboard-interactive" and AuthParam set to an empty string. The daemon must set Accept to true every time to allow the authentication process to succeed.

In the case the user authentication succeeds, you may set HomeDir to the virtual path representing the initial directory for the user. If not set, the initial directory will be RootDirectory.

The PartialSuccess parameter is only used when multi-factor authentication is needed. To implement multi-factor authentication when this event fires first verify the AuthParam for the given AuthMethod. If accepted, set PartialSuccess to true and Accept to false. The client should then send the authentication request for a different form of authentication specified in AvailableMethods. You may continue to set PartialSuccess to true until all authentication requirements are satisfied. Once all requirements are satisfied set Accept to true.

KeyAlgorithm hold the signing algorithm used when the client attempts public key authentication. Possible values are:

  • ssh-rsa
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-dss
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • x509v3-sign-rsa
  • x509v3-sign-dss

Note: Processing long-running requests, including sending channel data, inside this event may cause the underlying transport to stop processing SSH data until the event returns. In order to prevent this from happening, all requests should be processed asynchronously in a separate thread outside of this event.

Copyright (c) 2022 /n software inc. - All rights reserved.
IPWorks SFTP 2020 C++ Edition - Version 20.0 [Build 8162]