Tags: c#, authentication, ssh.net

SFTP multi-factor authentication in SSH.NET


I am implementing a configurable SFTP client using the SSH.NET library. I'm not an expert in this field, and I used to think that SFTP server authentication could only be done in two mutually exclusive ways: Login+Password OR Login+Private Key.

However, while studying the SSH.NET API, I realized that the ConnectionInfo object has constructors that accept a list of AuthenticationMethod parameters. For example:

public ConnectionInfo(string host, string username, params AuthenticationMethod[] authenticationMethods)

I have looked at the configuration of several SFTP servers on the market, and I haven't found any that allow multiple authentication modes simultaneously. So, what is the purpose of having multiple AuthenticationMethods for an SFTP client? Should I implement the possibility of mixing password and private key in my configuration interface, or can I keep it simple?

EDIT: To clarify my question: I want to be compatible with as many SFTP server configurations as possible. I already planned to let users choose between password or private key; I just want to know if I also have to consider the scenario with both modes at the same time (i.e. in a single connection), as the ConnectionInfo constructor suggests.


Solution

  • SSH.NET is an open-source library, so I cloned the repository to study how it handles server connections. It appears that Martin Prikryl was correct: some SFTP servers require both password and private key authentication. This is related to the concept of partial success, where a specific authentication method can be successful, but the server responds with an authentication failure message and a partial success flag, indicating that the client needs to perform another authentication method to complete the connection. As a result, there are two scenarios:

    1. If the server requires only one authentication method, the methods added to the ConnectionInfo object will be executed in the order they were added until one of them succeeds.

    2. If the server requires more than one authentication method, the methods added to the ConnectionInfo object will be executed in the order they were added until the required number of partial successes is achieved.
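The following C# example is added here to illustrate the two scenarios above; it is not code from the question, the answer, or the SSH.NET project. It builds the AuthenticationMethod list from whatever credentials are configured (password only, private key only, or both), so the same client works against a server that accepts a single method and against one that answers with partial success and requires both. It assumes the Renci.SshNet package; the host name, port, user name, password, key path and host key fingerprint are placeholders to be replaced with real values.

```csharp
// Added example, not from the original post or the SSH.NET project.
// Assumes the Renci.SshNet NuGet package; all connection values are placeholders.
using System;
using System.Collections.Generic;
using Renci.SshNet;
using Renci.SshNet.Common;

public sealed class SftpSettings
{
    public string Host { get; set; } = "sftp.example.invalid"; // placeholder host
    public int Port { get; set; } = 22;
    public string Username { get; set; } = "user";             // placeholder user
    public string? Password { get; set; }                      // null: do not offer password auth
    public string? PrivateKeyPath { get; set; }                // null: do not offer key auth
    public string? PrivateKeyPassphrase { get; set; }
    // Expected server host key fingerprint (hex bytes separated by ':'), obtained
    // out of band from the server operator. Placeholder; set to the real value.
    public string? ExpectedHostKeyFingerprint { get; set; }
}

public static class SftpFactory
{
    // Build the method list from the configured credentials. SSH.NET tries the
    // methods in this order: a server that needs one method stops at the first
    // success; a server that replies "partial success" makes SSH.NET continue
    // with the next method, so offering both covers password+key servers too.
    public static AuthenticationMethod[] BuildMethods(SftpSettings s)
    {
        var methods = new List<AuthenticationMethod>();

        if (!string.IsNullOrEmpty(s.PrivateKeyPath))
        {
            var key = new PrivateKeyFile(s.PrivateKeyPath, s.PrivateKeyPassphrase);
            methods.Add(new PrivateKeyAuthenticationMethod(s.Username, key));
        }

        if (!string.IsNullOrEmpty(s.Password))
        {
            methods.Add(new PasswordAuthenticationMethod(s.Username, s.Password));
        }

        if (methods.Count == 0)
        {
            throw new InvalidOperationException(
                "Configure a password, a private key, or both.");
        }

        return methods.ToArray();
    }

    public static SftpClient Create(SftpSettings s)
    {
        var info = new ConnectionInfo(s.Host, s.Port, s.Username, BuildMethods(s))
        {
            Timeout = TimeSpan.FromSeconds(15)
        };

        var client = new SftpClient(info);

        // Verify the server's host key before any credential is sent. Without
        // this check, a password could be handed to an impostor server.
        client.HostKeyReceived += (sender, e) =>
        {
            string seen = BitConverter.ToString(e.FingerPrint).Replace("-", ":");
            e.CanTrust = string.Equals(seen, s.ExpectedHostKeyFingerprint,
                                       StringComparison.OrdinalIgnoreCase);
        };

        return client;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed settings: both credentials present, so both methods are offered.
        var settings = new SftpSettings
        {
            Password = "placeholder-password",
            PrivateKeyPath = "placeholder-id_ed25519",
            ExpectedHostKeyFingerprint = "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"
        };

        using var client = SftpFactory.Create(settings);
        try
        {
            client.Connect();
            foreach (var entry in client.ListDirectory("."))
            {
                Console.WriteLine(entry.Name);
            }
        }
        catch (SshAuthenticationException ex)
        {
            // Raised when every offered method fails, or when the server's
            // partial-success chain cannot be completed with the methods given.
            Console.Error.WriteLine("Authentication failed: " + ex.Message);
        }
    }
}
```

Listing the private key before the password means a key-only server never sees the password at all, while a server that requires both still gets the password on the partial-success round. A connection attempt that ends in SshAuthenticationException after a partial success is the symptom to look for when a server expects a second factor that the configuration does not supply.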