How to use SFTP (with client validation - keyboard-interactive authentication)

Keyboard-interactive (KBI) authentication is the most recently introduced form of authentication for SSH. It involves the server sending prompts to the client, which the client must respond to correctly to be authenticated. Its purpose is to permit the client to support a variety of authentication mechanisms without knowing anything about them.

edtFTPj/PRO's implementation of KBI authentication relies on the programmer knowing the prompts in advance. The prompts are easily determined by connecting to the server via a command-line ssh client, using KBI.

In edtFTPj/PRO, when the server sends its list of prompts that require responses, the client searches the list of loaded SSHAuthPrompts for each prompt. It then sends the responses set for those prompts back to the server. If the expected responses are supplied, the authentication succeeds.

If the prompt is for a user's password, it will typically be something like "Password:". The SSHPasswordPrompt class is supplied to make it easier to set up a password prompt.

Often, the password prompt is the only prompt required. Of course, there are other prompts that could be requested, such as an RSA SecurID token. Some servers have a number of submethods that can be configured for KBI.
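
// Load one prompt: the server's password prompt, answered with the user's password.
SSHAuthPrompt[] prompts = new SSHAuthPrompt[1];
prompts[0] = new SSHPasswordPrompt(password);
// Supply the user name and the loaded prompts to the client.
ftp.setAuthentication(username, prompts);
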
Sometimes servers will allow for failure of one type of KBI prompt (e.g. SecurID), responding to another attempt with a different prompt (such as for password). edtFTPj/PRO makes a second KBI authentication attempt automatically if the first attempt fails.
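
The prompt lookup and the second attempt described above, modelled as a self-contained Java program. This is an added example, not edtFTPj/PRO code: the class and method names, the prompt strings and the sample password are constructed, and the matching rule (case-insensitive, surrounding whitespace ignored) and the refusal to answer an unknown prompt are assumptions of this model, not documented library behaviour.

```java
import java.util.*;

/** Added illustration of keyboard-interactive prompt matching.
 *  None of these names are edtFTPj/PRO classes. */
public class KbiPromptDemo {

    /** Responses loaded in advance, keyed by the prompt text the programmer expects. */
    static final Map<String, String> LOADED = new LinkedHashMap<>();

    /** Answer every prompt in one server request, or return null if any prompt is unknown.
     *  Matching rule (assumption): case-insensitive, surrounding whitespace ignored. */
    static List<String> respond(List<String> serverPrompts) {
        List<String> answers = new ArrayList<>();
        for (String prompt : serverPrompts) {
            String answer = null;
            for (Map.Entry<String, String> e : LOADED.entrySet()) {
                if (e.getKey().trim().equalsIgnoreCase(prompt.trim())) {
                    answer = e.getValue();
                }
            }
            if (answer == null) {
                return null;   // do not send a loaded secret to a prompt that was not expected
            }
            answers.add(answer);
        }
        return answers;
    }

    public static void main(String[] args) {
        LOADED.put("Password:", "constructed-password");   // constructed sample value

        // Constructed server behaviour: SecurID submethod first, password submethod second.
        List<List<String>> attempts = List.of(
                List.of("Enter PASSCODE: "),
                List.of("Password: "));

        for (int i = 0; i < attempts.size(); i++) {
            List<String> answers = respond(attempts.get(i));
            if (answers == null) {
                System.out.println("attempt " + (i + 1) + ": no response loaded for "
                        + attempts.get(i) + ", attempt fails");
                continue;
            }
            System.out.println("attempt " + (i + 1) + ": sent " + answers.size()
                    + " response(s), authentication can proceed");
            break;
        }
    }
}
```

The program prints the outcome of each attempt without echoing the response itself, which is also a reasonable rule for any logging added around real KBI authentication.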