FileZilla uses anonymous mode even with "normal password" for SFTP

winzilla
450 Internal Error
Posts: 36
Joined: 2023-01-14 19:31

#1 Post by winzilla » 2024-03-15 02:24

I noticed something strange today, which I don't think used to happen, so I'm wondering if something has changed authentication-wise in the FileZilla code over the past couple years that could be related.

This is for SFTP only.

When configured for Normal username/password, if the SFTP server offers "anonymous authentication" as an option, then FileZilla will just do that and not authenticate to the server. This then forces the guest view rather than being properly authenticated as configured in Site Manager.

If the server doesn't offer anonymous authentication, then it works as expected; it authenticates with the provided credential.

I realize that FileZilla is probably detecting anonymous auth availability and it would make sense to choose that generally speaking, but I don't think it should do this when configured for "Normal password", only for "Anonymous". Always doing so is too opportunistic, and prevents me from logging in if the server even ADVERTISES anonymous auth being allowed, which is quite harsh, given I don't think there is any workaround besides using a different SFTP client.

I have noticed some SSH clients seem to have similar bugs, too, but not all of them do - in particular, I think PuTTY is affected by this "bug" as well, and I seem to recall FileZilla using some code related to that for the base SSH functionality (stuff not related to the SFTP subsystem in the SSH protocol), so maybe that's why, but wanted to check this out with somebody that would know for sure!

botg
Site Admin
Posts: 35566
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#2 Post by botg » 2024-03-15 08:14

SSH doesn't have anonymous authentication. It has a "none" authentication method though, which means no authentication takes place. Clients attempt to use "none" authentication first to figure out which actual authentication methods the server supports. The use of "none" for this purpose is even mentioned in RFC 4252: "The main purpose of sending this request is to get the list of supported methods from the server."

What you need to do is to set up separate user accounts on your server: one account that doesn't require authentication, and one that does.

#3 Post by winzilla » 2024-03-15 11:50

Thanks, I see, so the server should be returning different auth methods per user, and not the same methods for any attempts? I'll take a look.

Still, from a protocol perspective, if the server says it supports "none AND password", wouldn't it make sense to try password first, if one is on file? Or is that not technically feasible? It seems like "none" is just one option, that doesn't override all the others.

#4 Post by botg » 2024-03-15 14:17

"none" is never an auth method advertised by the server. Clients need to attempt "none" blindly, and only if "none" fails are clients informed about any other remaining authentication methods.

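The exchange described in posts #2 and #4, as an added example that is not part of the original thread and is not FileZilla's code: a toy server and client that build the RFC 4252 user-authentication messages and show why the password is never sent when the "none" probe succeeds. The account names, passwords and function names are constructed for illustration.

```python
import hmac
import struct

# Message numbers from RFC 4252
USERAUTH_REQUEST, USERAUTH_FAILURE, USERAUTH_SUCCESS = 50, 51, 52
# Constructed sample accounts: None means the account requires no authentication
ACCOUNTS = {"guest": None, "alice": "correct horse"}

def ssh_string(s: str) -> bytes:
    """SSH 'string': uint32 length followed by the bytes (RFC 4251)."""
    raw = s.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n].decode("utf-8"), off + 4 + n

def build_request(user: str, method: str, password: str = "") -> bytes:
    msg = bytes([USERAUTH_REQUEST]) + ssh_string(user)
    msg += ssh_string("ssh-connection") + ssh_string(method)
    if method == "password":
        msg += b"\x00" + ssh_string(password)  # FALSE = not a password change
    return msg

def server_reply(request: bytes, accounts: dict) -> bytes:
    """Toy server (assumption: the decision is made per user account)."""
    user, off = read_string(request, 1)
    _service, off = read_string(request, off)
    method, off = read_string(request, off)
    if user in accounts and accounts[user] is None:
        return bytes([USERAUTH_SUCCESS])  # "none" is enough for this account
    if user in accounts and method == "password":
        pw, _ = read_string(request, off + 1)  # skip the boolean
        if hmac.compare_digest(pw.encode(), accounts[user].encode()):
            return bytes([USERAUTH_SUCCESS])
    # The list of methods that can continue never contains "none"
    return bytes([USERAUTH_FAILURE]) + ssh_string("password") + b"\x00"

def login(user: str, password: str, accounts: dict):
    """Client flow: probe with "none", then use what the failure reply lists."""
    tried = ["none"]
    reply = server_reply(build_request(user, "none"), accounts)
    if reply[0] == USERAUTH_SUCCESS:
        return tried, True  # logged in without the password ever being sent
    methods, _ = read_string(reply, 1)  # name-list: comma-separated names
    if "password" in methods.split(","):
        tried.append("password")
        reply = server_reply(build_request(user, "password", password), accounts)
    return tried, reply[0] == USERAUTH_SUCCESS
```

The client only learns that "password" is available from the failure reply, so an account that accepts "none" ends the exchange before any configured credential is used.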