1
votes

I know this question has already been asked on other posts, but I couldn't find any satisfying answer.

I'm using Renci.SSH (SSH.NET version 2016.1.0 in C#) to connect to SFTP. I have an SFTP server to which I connect using an SSH key and password.

When I connect through WinSCP on my computer, it works perfectly. I would like to do the same from my C# code but I get:

Renci.SshNet.Common.SshAuthenticationException: 'Permission denied (password).'

My PPK file was generated by PuTTYgen and it seems that Renci.SSH doesn't support the PuTTY format. Actually, using the ppk file as it is, I get:

Renci.SshNet.Common.SshException: 'Invalid private key file.'.

So, I had to convert my .ppk to OpenSSH format using the PuTTY key generator Conversions --> Export OpenSSH Key using RSA.

Here below is an example of the resulting .ppk file:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Then I connect to the SFTP server as follows:

private static void CreateSftpSession(FtpConnectionSettings settings, Action<IFtpSession> onSessionOpen)
{

    var methods = new List<AuthenticationMethod>();
    methods.Add(new PasswordAuthenticationMethod(settings.UserName, settings.UserPassword));

    if (!string.IsNullOrEmpty(settings.PrivateKeyPath))
    {
        var keyFiles = new[] { new PrivateKeyFile(settings.PrivateKeyPath) };
        methods.Add(new PrivateKeyAuthenticationMethod(settings.UserName, keyFiles));
    }

    var connectionInfo = new ConnectionInfo(settings.Host, settings.Port, settings.UserName, methods.ToArray());

    using (SftpClient sftpClient = new SftpClient(connectionInfo))
    {

        SftpSession sftpSession = new SftpSession(sftpClient);
        sftpClient.Connect();
        onSessionOpen(sftpSession);
        sftpClient.Disconnect();
    }
}

At the call of sftpClient.Connect(), the exception is thrown.

Do you see anything wrong in what I'm doing?

Thanks a lot for your help

Here below is the log of a successful WinSCP connection as requested:

. 2019-12-10 14:54:45.922 --------------------------------------------------------------------------
. 2019-12-10 14:54:45.922 WinSCP Version 5.15.9 (Build 10071) (OS 10.0.17763 - Windows 10 Enterprise)
. 2019-12-10 14:54:45.922 Configuration: HKCU\Software\Martin Prikryl\WinSCP 2\
. 2019-12-10 14:54:45.922 Log level: Normal
. 2019-12-10 14:54:45.922 Local account: XXXX\xxx
. 2019-12-10 14:54:45.922 Working directory: C:\Program Files (x86)\WinSCP
. 2019-12-10 14:54:45.922 Process ID: 20716
. 2019-12-10 14:54:45.923 Command-line: "C:\Program Files (x86)\WinSCP\WinSCP.exe"
. 2019-12-10 14:54:45.923 Time zone: Current: GMT+1, Standard: GMT+1 (W. Europe Standard Time), DST: GMT+2 (W. Europe Daylight Time), DST Start: 3/31/2019, DST End: 10/27/2019
. 2019-12-10 14:54:45.923 Login time: Tuesday, December 10, 2019 2:54:45 PM
. 2019-12-10 14:54:45.923 --------------------------------------------------------------------------
. 2019-12-10 14:54:45.923 Session name: my_ftp_user@my_ftp_host.com (Site)
. 2019-12-10 14:54:45.923 Host name: my_ftp_host.com (Port: 6671)
. 2019-12-10 14:54:45.924 User name: my_ftp_user (Password: Yes, Key file: Yes, Passphrase: No)
. 2019-12-10 14:54:45.924 Tunnel: No
. 2019-12-10 14:54:45.924 Transfer Protocol: SFTP (SCP)
. 2019-12-10 14:54:45.924 Ping type: Off, Ping interval: 30 sec; Timeout: 15 sec
. 2019-12-10 14:54:45.924 Disable Nagle: No
. 2019-12-10 14:54:45.924 Proxy: None
. 2019-12-10 14:54:45.924 Send buffer: 262144
. 2019-12-10 14:54:45.924 SSH protocol version: 2; Compression: No
. 2019-12-10 14:54:45.924 Bypass authentication: No
. 2019-12-10 14:54:45.924 Try agent: Yes; Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: Yes
. 2019-12-10 14:54:45.924 GSSAPI: Forwarding: No; Libs: gssapi32,sspi,custom; Custom:
. 2019-12-10 14:54:45.924 Ciphers: aes,chacha20,blowfish,3des,WARN,arcfour,des; Ssh2DES: No
. 2019-12-10 14:54:45.924 KEX: ecdh,dh-gex-sha1,dh-group14-sha1,rsa,WARN,dh-group1-sha1
. 2019-12-10 14:54:45.924 SSH Bugs: Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto,Auto
. 2019-12-10 14:54:45.924 Simple channel: Yes
. 2019-12-10 14:54:45.924 Return code variable: Autodetect; Lookup user groups: Auto
. 2019-12-10 14:54:45.924 Shell: default
. 2019-12-10 14:54:45.924 EOL: LF, UTF: Auto
. 2019-12-10 14:54:45.924 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes; Follow directory symlinks: No
. 2019-12-10 14:54:45.924 LS: ls -la, Ign LS warn: Yes, Scp1 Comp: No; Exit code 1 is error: No
. 2019-12-10 14:54:45.924 SFTP Bugs: Auto,Auto
. 2019-12-10 14:54:45.924 SFTP Server: default
. 2019-12-10 14:54:45.924 Local directory: \xxxx.xxx\xxx\RFs\xxx\Documents, Remote directory: /log, Update: Yes, Cache: Yes
. 2019-12-10 14:54:45.924 Cache directory changes: Yes, Permanent: Yes
. 2019-12-10 14:54:45.924 Recycle bin: Delete to: No, Overwritten to: No, Bin path:
. 2019-12-10 14:54:45.924 DST mode: Unix
. 2019-12-10 14:54:45.924 --------------------------------------------------------------------------
. 2019-12-10 14:54:45.965 Looking up host "my_ftp_host.com" for SSH connection
. 2019-12-10 14:54:45.999 Connecting to 64.209.89.13 port 6671
. 2019-12-10 14:54:46.103 We claim version: SSH-2.0-WinSCP_release_5.15.9
. 2019-12-10 14:54:46.206 Server version: SSH-2.0-SSHD
. 2019-12-10 14:54:46.206 Using SSH protocol version 2
. 2019-12-10 14:54:46.206 Have a known host key of type rsa2
. 2019-12-10 14:54:46.206 Doing Diffie-Hellman group exchange
. 2019-12-10 14:54:46.701 Doing Diffie-Hellman key exchange with hash SHA-256
. 2019-12-10 14:54:47.496 Host key fingerprint is:
. 2019-12-10 14:54:47.496 ssh-rsa 2048 bc:37:d9:2a:15:93:3c:a6:a0:e9:88:5e:86:81:8d:43 mxhRidA9vIdsw+hmLZfFnLI/0BujM3kjJPrH5no9wGI=
. 2019-12-10 14:54:47.503 Host key matches cached key
. 2019-12-10 14:54:47.503 Initialised AES-256 SDCTR client->server encryption
. 2019-12-10 14:54:47.503 Initialised HMAC-SHA1 client->server MAC algorithm
. 2019-12-10 14:54:47.503 Initialised AES-256 SDCTR server->client encryption
. 2019-12-10 14:54:47.503 Initialised HMAC-SHA1 server->client MAC algorithm
. 2019-12-10 14:54:47.707 Reading key file "C:\Temp\AttribByStrategy\My_PrivateKey_wopp.ppk"
. 2019-12-10 14:54:47.708 Pageant is running. Requesting keys.
. 2019-12-10 14:54:47.708 Pageant has 0 SSH-2 keys
. 2019-12-10 14:54:47.708 Configured key file not in Pageant
! 2019-12-10 14:54:47.708 Using username "my_ftp_user".
. 2019-12-10 14:54:58.649 Server offered these authentication methods: password,publickey,keyboard-interactive
. 2019-12-10 14:54:58.649 Offered public key
. 2019-12-10 14:54:58.758 Offer of public key accepted
! 2019-12-10 14:54:58.758 Authenticating with public key "rsa-key-20140520"
. 2019-12-10 14:54:58.878 Sent public key signature
! 2019-12-10 14:54:58.981 Further authentication required
. 2019-12-10 14:54:59.007 Further authentication required
. 2019-12-10 14:54:59.007 Server offered these authentication methods: password,keyboard-interactive
. 2019-12-10 14:54:59.007 Attempting keyboard-interactive authentication
. 2019-12-10 14:54:59.110 Prompt (keyboard interactive, "SSH server: Password Authentication", "Using keyboard-interactive authentication.", "Password: ")
. 2019-12-10 14:54:59.110 Using stored password.
. 2019-12-10 14:54:59.295 Access granted
. 2019-12-10 14:54:59.295 Opening session as main channel
. 2019-12-10 14:54:59.397 Opened main channel
. 2019-12-10 14:54:59.641 Started a shell/command
. 2019-12-10 14:54:59.668 --------------------------------------------------------------------------
. 2019-12-10 14:54:59.668 Using SFTP protocol.
. 2019-12-10 14:54:59.668 Doing startup conversation with host.
2019-12-10 14:54:59.684 Type: SSH_FXP_INIT, Size: 5, Number: -1
< 2019-12-10 14:54:59.786 Type: SSH_FXP_VERSION, Size: 33, Number: -1
. 2019-12-10 14:54:59.786 SFTP version 3 negotiated.
. 2019-12-10 14:54:59.786 Unknown server extension [email protected]="\n"
. 2019-12-10 14:54:59.786 We believe the server has signed timestamps bug
. 2019-12-10 14:54:59.786 We will use UTF-8 strings until server sends an invalid UTF-8 string as with SFTP version 3 and older UTF-8 strings are not mandatory
. 2019-12-10 14:54:59.786 Changing directory to "/log".
. 2019-12-10 14:54:59.786 Getting real path for '/log'
2019-12-10 14:54:59.786 Type: SSH_FXP_REALPATH, Size: 13, Number: 16
< 2019-12-10 14:54:59.897 Type: SSH_FXP_NAME, Size: 49, Number: 16
. 2019-12-10 14:54:59.897 Real path is '/log'
. 2019-12-10 14:54:59.897 Trying to open directory "/log".
2019-12-10 14:54:59.897 Type: SSH_FXP_LSTAT, Size: 13, Number: 263
< 2019-12-10 14:55:00.003 Type: SSH_FXP_ATTRS, Size: 29, Number: 263
. 2019-12-10 14:55:00.004 Getting current directory name.
. 2019-12-10 14:55:00.073 Listing directory "/log".
2019-12-10 14:55:00.073 Type: SSH_FXP_OPENDIR, Size: 13, Number: 523
< 2019-12-10 14:55:00.184 Type: SSH_FXP_HANDLE, Size: 10, Number: 523
2019-12-10 14:55:00.184 Type: SSH_FXP_READDIR, Size: 10, Number: 780
< 2019-12-10 14:55:00.286 Type: SSH_FXP_NAME, Size: 205, Number: 780
2019-12-10 14:55:00.286 Type: SSH_FXP_READDIR, Size: 10, Number: 1036
< 2019-12-10 14:55:00.388 Type: SSH_FXP_STATUS, Size: 17, Number: 1036
< 2019-12-10 14:55:00.388 Status code: 1
2019-12-10 14:55:00.388 Type: SSH_FXP_CLOSE, Size: 10, Number: 1284
. 2019-12-10 14:55:00.388 ..;d;0;2016-11-27T05:00:00.000Z;3;"2123" [2123];"2020" [2020];rwxr-xr-x;0
. 2019-12-10 14:55:00.436 Startup conversation with host finished.

1
Yes, but actually the password is there and correctly defined. I used it when I connect manually. – Fede
So you really mean that you use multifactor authentication (both password and private key)? Don't you mistake the account password for the private key passphrase? – Martin Prikryl
Yes, I debugged the code to see if the variables are correctly defined. The file exists as it is the same I use from WinSCP from the same machine and user. And if the file was missing I would have a file not found exception. And the password is the account password and not the passphrase used to generate the key. I tried that also. – Fede
Did you try putting the authentication methods in the order that WinSCP uses them? - the password after the key – Martin Prikryl
Hello Martin, that was exactly the problem. The order of the authentication methods in the methods List is important. I just added the PrivateKeyAuthenticationMethod before the PasswordAuthenticationMethod and it worked fine. Thanks a lot and well done! – Fede

1 Answer

1
votes

As seen in the WinSCP log file, you should first authenticate with the private key and only then with the password:

2019-12-10 14:54:58.649 Server offered these authentication methods: password,publickey,keyboard-interactive
2019-12-10 14:54:58.649 Offered public key
2019-12-10 14:54:58.758 Offer of public key accepted
2019-12-10 14:54:58.758 Authenticating with public key "rsa-key-20140520"
2019-12-10 14:54:58.878 Sent public key signature
2019-12-10 14:54:59.007 Further authentication required
2019-12-10 14:54:59.007 Server offered these authentication methods: password,keyboard-interactive
2019-12-10 14:54:59.007 Attempting keyboard-interactive authentication
2019-12-10 14:54:59.110 Prompt (keyboard interactive, "SSH server: Password Authentication", "Using keyboard-interactive authentication.", "Password: ")
2019-12-10 14:54:59.110 Using stored password.

var methods = new List<AuthenticationMethod>();

if (!string.IsNullOrEmpty(settings.PrivateKeyPath))
{
    var keyFiles = new[] { new PrivateKeyFile(settings.PrivateKeyPath) };
    methods.Add(new PrivateKeyAuthenticationMethod(settings.UserName, keyFiles));
}

methods.Add(new PasswordAuthenticationMethod(settings.UserName, settings.UserPassword));

var connectionInfo =
    new ConnectionInfo(settings.Host, settings.Port, settings.UserName, methods.ToArray());

using (SftpClient sftpClient = new SftpClient(connectionInfo))
{
    // ...
}

See also Authentication with PPK key in SSH.NET.
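
An added example, not part of the original answer: the same key-then-password order as a complete program, going one step beyond the answer by also registering a keyboard-interactive handler, because the WinSCP log shows the password being delivered through that method. The key path and the SFTP_PASSWORD environment variable are assumptions; host, port, user and directory are the placeholders from the log.

```csharp
using System;
using System.Collections.Generic;
using Renci.SshNet;

static class KeyThenPasswordExample
{
    // Order matters: the public key goes first, as in the WinSCP log, and the
    // account password follows as the second factor.
    static AuthenticationMethod[] BuildMethods(string user, string password, string keyPath)
    {
        var methods = new List<AuthenticationMethod>
        {
            new PrivateKeyAuthenticationMethod(user, new PrivateKeyFile(keyPath)),
            new PasswordAuthenticationMethod(user, password)
        };

        // The log shows the password prompt arriving over keyboard-interactive,
        // so register that method too and answer only the "Password: " prompt.
        var interactive = new KeyboardInteractiveAuthenticationMethod(user);
        interactive.AuthenticationPrompt += (sender, e) =>
        {
            foreach (var prompt in e.Prompts)
            {
                if (prompt.Request.IndexOf("Password:", StringComparison.OrdinalIgnoreCase) >= 0)
                    prompt.Response = password;
            }
        };
        methods.Add(interactive);
        return methods.ToArray();
    }

    static void Main()
    {
        // Assumed inputs: the key path and the SFTP_PASSWORD variable are
        // hypothetical; the password is read from the environment, not hard-coded.
        const string user = "my_ftp_user";
        var password = Environment.GetEnvironmentVariable("SFTP_PASSWORD")
            ?? throw new InvalidOperationException("SFTP_PASSWORD is not set");
        var methods = BuildMethods(user, password, @"C:\keys\sftp_key_openssh.pem");
        var connectionInfo = new ConnectionInfo("my_ftp_host.com", 6671, user, methods);

        using (var client = new SftpClient(connectionInfo))
        {
            client.Connect();
            foreach (var entry in client.ListDirectory("/log"))
                Console.WriteLine(entry.FullName);
            client.Disconnect();
        }
    }
}
```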