FileZilla uses anonymous mode even with "normal password" for SFTP
Posted: 2024-03-15 02:24
I noticed something strange today, which I don't think used to happen, so I'm wondering if something has changed authentication-wise in the FileZilla code over the past couple of years that could be related.
This is for SFTP only.
When configured for Normal username/password, if the SFTP server offers "anonymous authentication" as an option, then FileZilla will just do that and not authenticate to the server. This then forces the guest view rather than being properly authenticated as configured in Site Manager.
If the server doesn't offer anonymous authentication, then it works as expected: it authenticates with the provided credential.
I realize that FileZilla is probably detecting anonymous auth availability and it would make sense to choose that generally speaking, but I don't think it should do this when configured for "Normal password", only for "Anonymous". Always doing so is too opportunistic, and prevents me from logging in if the server even ADVERTISES anonymous auth being allowed, which is quite harsh, given I don't think there is any workaround besides using a different SFTP client.
I have noticed some SSH clients seem to have similar bugs, too, but not all of them do - in particular, I think PuTTY is affected by this "bug" as well, and I seem to recall FileZilla using some code related to that for the base SSH functionality (stuff not related to the SFTP subsystem in the SSH protocol), so maybe that's why, but wanted to check this out with somebody that would know for sure!
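For context on the exchange discussed in this post, here is a toy model of SSH user authentication as defined in RFC 4252, where a client may first send the optional "none" request to learn which methods the server allows, and a server that accepts that request ends authentication on the spot. This is an added example, not part of the original post and not FileZilla or PuTTY code; `ToyServer`, `login`, `credential_was_used`, the "guest" role and the sample account are all constructed for illustration.

```python
"""Toy model of the SSH user-authentication exchange (RFC 4252, sections 5 and 5.2)."""
import hmac

SUCCESS, FAILURE = "SSH_MSG_USERAUTH_SUCCESS", "SSH_MSG_USERAUTH_FAILURE"

class ToyServer:
    """Constructed server policy, not a real SFTP server."""
    def __init__(self, passwords, allow_none_as=None):
        self.passwords = passwords          # username -> password (sample data)
        self.allow_none_as = allow_none_as  # role granted when "none" is accepted
        self.role = None                    # role of the authenticated session

    def userauth_request(self, user, method, password=None):
        if method == "none" and self.allow_none_as:
            self.role = self.allow_none_as
            return SUCCESS, []
        known = self.passwords.get(user)
        if (method == "password" and known is not None and password is not None
                and hmac.compare_digest(known, password)):
            self.role = "user:" + user
            return SUCCESS, []
        # A FAILURE reply carries the list of methods that can continue.
        return FAILURE, ["password"]

def login(server, user, password, probe_with_none):
    """Return (role, transcript). probe_with_none models a client that opens
    with the optional "none" request before trying the configured password."""
    transcript = []
    if probe_with_none:
        reply, methods = server.userauth_request(user, "none")
        transcript.append(("none", reply))
        if reply == SUCCESS:
            # Authentication is over here; the password is never sent.
            return server.role, transcript
        if "password" not in methods:
            return None, transcript
    reply, _ = server.userauth_request(user, "password", password)
    transcript.append(("password", reply))
    return (server.role if reply == SUCCESS else None), transcript

def credential_was_used(transcript):
    """Check a client could apply when the site is configured for a password:
    did the session succeed through the password method, or through "none"?"""
    return ("password", SUCCESS) in transcript
```

In this model the same account ends up as "guest" or as "user:alice" depending only on whether the client probes with "none" first, and `credential_was_used` is the kind of post-login check that lets a client or a log reviewer tell the two sessions apart.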