SSHUserAuthRequest Event

Fires when a client attempts to authenticate a connection.

Syntax

C#

public event OnSSHUserAuthRequestHandler OnSSHUserAuthRequest;

public delegate void OnSSHUserAuthRequestHandler(object sender, SshdaemonSSHUserAuthRequestEventArgs e);

public class SshdaemonSSHUserAuthRequestEventArgs : EventArgs {
  public string ConnectionId { get; }
  public string User { get; }
  public string Service { get; }
  public string AuthMethod { get; }
  public string AuthParam { get; }
  public bool Accept { get; set; }
  public bool PartialSuccess { get; set; }
  public string AvailableMethods { get; set; }
  public string KeyAlgorithm { get; }
}

VB.NET

Public Event OnSSHUserAuthRequest As OnSSHUserAuthRequestHandler

Public Delegate Sub OnSSHUserAuthRequestHandler(sender As Object, e As SshdaemonSSHUserAuthRequestEventArgs)

Public Class SshdaemonSSHUserAuthRequestEventArgs Inherits EventArgs
  Public ReadOnly Property ConnectionId As String
  Public ReadOnly Property User As String
  Public ReadOnly Property Service As String
  Public ReadOnly Property AuthMethod As String
  Public ReadOnly Property AuthParam As String
  Public Property Accept As Boolean
  Public Property PartialSuccess As Boolean
  Public Property AvailableMethods As String
  Public ReadOnly Property KeyAlgorithm As String
End Class

Remarks

The SSHUserAuthRequest event fires when an SSH client attempts to authenticate itself on a particular connection. ConnectionId identifies the connection being authenticated. User is the name of the account requesting authentication, and Service contains the name of the service the client wishes to access.

AuthMethod will denote which method the client is attempting to use to authenticate itself. AuthParam will contain the value of the authentication token used by the client. If the token is acceptable, you may set Accept to true to allow the component to authenticate the client. If it is not, set Accept to false.

Connecting clients will initially attempt authentication with an AuthMethod of "none". This is done with the expectation that the request will fail and that the server will send back a list of supported methods. In your implementation, check the AuthMethod parameter; if it is "none", set AvailableMethods and reject the request. The client will then select one of the available methods and authenticate again.

You may set AvailableMethods to a comma-delimited string of authentication methods that are available for the user. This list will be sent back to the client so that it may perform further authentication attempts.

The following is a list of methods implemented by the component:

  • none: This authentication method is used by most SSH clients to obtain the list of authentication methods available for the user's account. In most cases you should not accept a request using this authentication method.
  • password: AuthParam will contain the user-supplied password. If the password is correct, set Accept to true.
  • publickey: AuthParam will contain an SSH2 public key blob. If the user's public key is acceptable, set Accept to true. The component will then handle verifying the digital signature and will respond to the client accordingly.
  • keyboard-interactive: SSHUserAuthRequest will fire multiple times for keyboard-interactive authentication: it will fire once for each response sent by the client in the SSH_MSG_USERAUTH_INFO_RESPONSE packet (one for each prompt specified by the daemon). The index of each response is given as a suffix on AuthMethod, with AuthParam containing the response to the corresponding prompt (e.g. keyboard-interactive-1, keyboard-interactive-2, and so on). Finally, SSHUserAuthRequest will fire one last time with AuthMethod set to "keyboard-interactive" and AuthParam set to an empty string. The daemon must set Accept to true every time for the authentication process to succeed.

The PartialSuccess parameter is only used when multi-factor authentication is required. To implement multi-factor authentication, first verify AuthParam for the given AuthMethod when this event fires. If it is accepted, set PartialSuccess to true and Accept to false. The client should then send an authentication request for a different method listed in AvailableMethods. You may continue to set PartialSuccess to true until all authentication requirements are satisfied; once they are, set Accept to true.
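The handler below is an added illustration, not code from the product's documentation or samples. It ties the flow described above into a two-factor policy: the "none" probe is rejected with AvailableMethods set, a correct password yields PartialSuccess with Accept left false, and the connection is accepted only after an authorized public key is presented on the same ConnectionId. The nsoftware.IPWorksSSH namespace, the AuthPolicy/Pbkdf2 names and the account data are assumptions (the account is constructed), and CryptographicOperations.FixedTimeEquals assumes .NET Core 2.1 or later.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using nsoftware.IPWorksSSH; // assumed namespace of the Sshdaemon component
public static class AuthPolicy
{
    // Constructed sample account; a real handler would look these up in its own user store.
    const string KnownUser = "alice";
    const string AuthorizedKeyBlob = "<constructed: base64 SSH2 public key blob for alice>";
    static readonly byte[] Salt = Encoding.ASCII.GetBytes("constructed-per-user-salt");
    static readonly byte[] PasswordHash = Pbkdf2("correct horse battery staple"); // initialised after Salt
    // Connections whose password factor already succeeded; clear the entry when the connection closes.
    static readonly HashSet<string> PasswordDone = new HashSet<string>();

    // Attach with: daemon.OnSSHUserAuthRequest += AuthPolicy.OnSSHUserAuthRequest;
    public static void OnSSHUserAuthRequest(object sender, SshdaemonSSHUserAuthRequestEventArgs e)
    {
        e.Accept = false;
        bool firstFactorDone = PasswordDone.Contains(e.ConnectionId);
        // Same method list for unknown users, so the reply does not reveal which accounts exist.
        e.AvailableMethods = firstFactorDone ? "publickey" : "password";
        switch (e.AuthMethod)
        {
            case "none": // probe request: stays rejected, AvailableMethods tells the client what to try
                break;
            case "password":
                if (e.User == KnownUser &&
                    CryptographicOperations.FixedTimeEquals(Pbkdf2(e.AuthParam ?? ""), PasswordHash))
                {   // first factor accepted: partial success, Accept stays false, demand the key next
                    PasswordDone.Add(e.ConnectionId);
                    e.PartialSuccess = true;
                    e.AvailableMethods = "publickey";
                }
                break;
            case "publickey": // policy choice: key counts only after the password, and DSA keys are refused
                if (firstFactorDone && e.User == KnownUser && e.KeyAlgorithm != "ssh-dss" &&
                    e.AuthParam == AuthorizedKeyBlob)
                {   // the component verifies the client's signature itself once Accept is true
                    PasswordDone.Remove(e.ConnectionId);
                    e.Accept = true;
                }
                break;
        }
    }
    static byte[] Pbkdf2(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 100_000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }
}
```

Keyboard-interactive authentication is not covered here; it would follow the same pattern, with Accept set on each indexed request and the final "keyboard-interactive" request.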

KeyAlgorithm holds the signing algorithm used when the client attempts public key authentication. Possible values are:

  • ssh-rsa
  • rsa-sha2-256
  • rsa-sha2-512
  • ssh-dss
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • x509v3-sign-rsa
  • x509v3-sign-dss

Note: Processing long-running requests, including sending channel data, inside this event may cause the underlying transport to stop processing SSH data until the event returns. In order to prevent this from happening, all requests should be processed asynchronously in a separate thread outside of this event.

Copyright (c) 2023 /n software inc. - All rights reserved.
IPWorks SSH 2020 .NET Edition - Version 20.0 [Build 8501]