
As per my client's requirement, I am trying to implement dual authentication (password, key) in SFTP file transfer, and the preferred authentication must be in the order password, public key, keyboard-interactive.

I have tried to achieve this in two ways:

1) Using Net::SFTP::Foreign. But this module has a default preferred authentication order of public key, password, and doesn't allow me to override it with password, public key, even if I explicitly mention it in the command.

use strict;
use warnings;
use Net::SFTP::Foreign;

# Strings must be quoted; bare pqr, 1234 and /home/ddd/.ssh/id_rsa do not compile.
my $sftp = Net::SFTP::Foreign->new("xyz.com",
                              user     => "pqr",
                              password => "1234",
                              port     => 2222,
                              key_path => "/home/ddd/.ssh/id_rsa",
                              more     => [-vo => 'StrictHostKeyChecking=no',
                                           -o  => "ProxyCommand=/usr/bin/ssh " .
                                                  "-o UserKnownHostsFile=/dev/null " .
                                                  "-o StrictHostKeyChecking=no " .
                                                  "-oPreferredAuthentications=password,publickey,keyboard-interactive " .
                                                  "-oNumberOfPasswordPrompts=1 " .
                                                  "-i /home/nnn/.ssh/flsftp " .
                                                  "-l flsftp proxyserver.com " .
                                                  "nc xyz.com 2222"]);

2) Using the sftp command. I am able to make the connection manually with the sftp command and enter the password when it prompts, but to automate it through Perl I am not able to find a way to pass the password on the command line. I came to know of some ways like sshpass or expect, but due to security reasons I cannot use either.

sftp -o UserKnownHostsFile=/dev/null \
     -o StrictHostKeyChecking=no \
     -i /home/ddd/.ssh/id_rsa \
     -o PreferredAuthentications=password,publickey,keyboard-interactive \
     -o NumberOfPasswordPrompts=1 \
     -o 'ProxyCommand=/usr/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /home/nnn/.ssh/flsftp -l flsftp proxyserver.com nc xyz.com 2222' \
     pqr@xyz.com
  • 1) Command lines aren't secure. Other users on the machine can see your commands including the arguments. As such, tools don't (shouldn't) accept passwords as arguments, at least not directly. – ikegami Apr 21 '19 at 20:08
  • 2) There's no point in providing a password non-interactively. It would effectively become an alternate but weaker key, and it would mean you now have two keys to secure. – ikegami Apr 21 '19 at 20:09
  • Exactly, I don't see any use of password authentication where we are authenticating through keys. I can still acknowledge the client's requirement through Net::SFTP, but it only accepts the publickey, password preferred authentication order, whereas the client wants to authenticate first with password and then with key. Therefore I am looking for some workaround to implement the same. – Perl_Devloper Apr 21 '19 at 20:38

1 Answer

Net::SFTP::Foreign tries to detect the case where you set PreferredAuthentications yourself, in order to let it pass unchanged. It is just that the detection code is not very sophisticated and sometimes it fails. Try doing it as follows:

use strict;
use warnings;
use Net::SFTP::Foreign;

# PreferredAuthentications is passed as a plain -o option to ssh, so the
# module's detection leaves the order untouched.
my $sftp = Net::SFTP::Foreign->new("xyz.com",
                              user     => "pqr",
                              password => "1234",
                              port     => 2222,
                              key_path => "/home/ddd/.ssh/id_rsa",
                              more     => ['-v',
                                           -o => 'StrictHostKeyChecking=no',
                                           -o => 'UserKnownHostsFile=/dev/null',
                                           -o => 'PreferredAuthentications=password,publickey,keyboard-interactive']);
salva
  • This is exactly what I was looking for. I had a situation where BOTH the password and key exchange were required. I only needed to add the 'PreferredAuthentications' options to get it to work. Once done, it worked perfectly. – Paul Lemmons Jun 17 '21 at 22:46
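The comments above raise the real concern with the asker's two approaches: anything placed in a command line (sshpass, a password in `more`, or the ProxyCommand string) is visible to other local users through `ps`. Net::SFTP::Foreign avoids that for its own `password` option by answering ssh's prompt through a pseudo-terminal (it needs IO::Pty for this), so the password never appears in argv. The script below is an added example, not code from the question or the answer, that puts the accepted answer's PreferredAuthentications fix together with the handling a practitioner would want around it: the password is read from an owner-only file instead of being hard-coded, the file's permissions are checked before use, host key verification is left on (the example assumes xyz.com's key is already in known_hosts), and `$sftp->error` is checked after the connection and after the transfer. The host name, user, key path, password-file path and the uploaded file name are all placeholders.

```perl
#!/usr/bin/env perl
# Added example (not from the question or the answer): password-then-key
# authentication with Net::SFTP::Foreign without exposing the password on
# the command line. All host names, users and paths are placeholders.
use strict;
use warnings;
use Net::SFTP::Foreign;

# Hypothetical password file; it must be readable only by its owner.
my $password_file = "$ENV{HOME}/.sftp_pass";

# Read the password from a mode-0600 file and refuse anything more permissive.
sub read_password {
    my ($path) = @_;
    my @st = stat $path or die "cannot stat $path: $!\n";
    my $mode = $st[2] & 07777;
    # A group- or world-readable file leaks the password just as argv would.
    die sprintf("%s is mode %04o; it must not be group/world readable\n", $path, $mode)
        if $mode & 0077;
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my $pw = <$fh> // '';
    close $fh;
    chomp $pw;
    die "empty password in $path\n" unless length $pw;
    return $pw;
}

my $password = read_password($password_file);

my $sftp = Net::SFTP::Foreign->new(
    "xyz.com",
    user     => "pqr",
    password => $password,   # answered at ssh's prompt over a pty, not passed in argv
    port     => 2222,
    key_path => "/home/ddd/.ssh/id_rsa",
    more     => [
        # Keep host key verification on; the server key is assumed to be in known_hosts.
        -o => 'StrictHostKeyChecking=yes',
        -o => 'NumberOfPasswordPrompts=1',
        # Same fix as the accepted answer: a plain -o option ssh applies as given.
        -o => 'PreferredAuthentications=password,publickey,keyboard-interactive',
    ],
);
$sftp->error and die "SFTP connection failed: " . $sftp->error . "\n";

# Placeholder transfer; check the result instead of assuming success.
$sftp->put("/tmp/report.csv", "incoming/report.csv")
    or die "upload failed: " . $sftp->error . "\n";
print "upload ok\n";
```

Create the password file with `umask 077` (or `chmod 600` it afterwards) so the permission check passes; the check exists so that a file accidentally created with looser permissions is refused rather than silently used. The `NumberOfPasswordPrompts=1` option keeps a wrong password from stalling the script on a second prompt, and the `PreferredAuthentications` value is the one from the answer, passed the way the answer shows so that Net::SFTP::Foreign does not reorder it.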