SFTP server solution with AD Single Sign-on capabilities

active-directory, sftp, single-sign-on

I'm designing a windows client application that will retrieve files from an SFTP server. I would like to avoid forcing users to supply credentials on the client application – rather, their Windows credentials would be supplied to the server which would then authenticate and provide access to the appropriate resources.

It seems that the SFTP servers on the market will allow either certificate authentication or password authentication. If a certificate is supplied, no password is necessary. Otherwise the user will need to enter a password.

The issue with using certificate authentication, as far as I can tell, is that we would need to manage users (create, delete, etc.) within the application itself, rather than relying on Active Directory. This adds additional administration complexity to our already complex environment.

Does anyone know of either:

A) An SFTP server solution that will meet my requirements

or

B) Another approach that I could use to centralize user management in AD while still allowing SSO on an SFTP server?

Best Answer

You can integrate OpenSSH with Kerberos if you want to run OpenSSH on a Linux box: http://port25.technet.com/archive/2008/06/06/technical-analysis-openssh-on-linux-using-windows-kerberos-for-authentication.aspx

I'm not finding good docs about Kerberos integration with OpenSSH on Windows (via cygwin). I'd love to hear from somebody who might've done this.
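As an added example (not part of the answer above or of the linked article), here are the two server-side configuration pieces the Kerberos/GSSAPI approach needs on a Linux OpenSSH host, together with a small check that reports the value sshd will actually use for a keyword. The realm EXAMPLE.COM, the KDC dc1.example.com and the sample configs are constructed assumptions. The check matters because sshd_config is "first value wins": a GSSAPIAuthentication line appended at the bottom of a file that already sets it earlier is silently ignored.

```shell
#!/bin/sh
# Added example: Windows Kerberos SSO to OpenSSH on Linux.
# Realm, KDC, hostnames and both config fragments below are assumptions.
#
# Prerequisite not shown here: the Linux host must hold a keytab containing
# host/<fqdn>@EXAMPLE.COM (normally created by joining the domain with
# "realm join" or "net ads join", or with ktpass on a domain controller).
# Windows users already have a TGT from logon, so a GSSAPI-capable SSH/SFTP
# client authenticates without prompting for a password.

# 1. /etc/krb5.conf fragment: point the host at the AD domain (assumed realm).
KRB5_CONF_EXAMPLE='[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
'

# 2. /etc/ssh/sshd_config fragment (constructed sample) enabling GSSAPI SSO.
#    The duplicate line at the end deliberately shows the first-wins trap.
SSHD_CONF_EXAMPLE='# constructed sample sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# Disable passwords on an SSO-only SFTP host so AD remains the only source of truth
PasswordAuthentication no
PubkeyAuthentication yes
# sshd uses the FIRST value it reads; this later duplicate has no effect
GSSAPIAuthentication no
'

# effective_value <keyword> <config-text>
# Prints the value sshd would use for <keyword>, following sshd_config
# semantics: keywords are case-insensitive, comment and blank lines are
# skipped, keyword and value are separated by whitespace, and the first
# occurrence wins. Prints nothing if the keyword is absent.
effective_value() {
    printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        tolower($1) == key { print $2; exit }   # first match is the effective one
    '
}

# sso_ready <config-text>: exit 0 when GSSAPIAuthentication is effectively yes.
sso_ready() {
    [ "$(effective_value GSSAPIAuthentication "$1")" = "yes" ]
}

# Usage: on a real host merge the fragments into /etc/krb5.conf and
# /etc/ssh/sshd_config; here they are only printed, then the sshd fragment is checked.
printf '%s\n' "--- krb5.conf fragment ---" "$KRB5_CONF_EXAMPLE"
printf '%s\n' "--- sshd_config fragment ---" "$SSHD_CONF_EXAMPLE"
if sso_ready "$SSHD_CONF_EXAMPLE"; then
    echo "GSSAPI SSO enabled; PasswordAuthentication is $(effective_value PasswordAuthentication "$SSHD_CONF_EXAMPLE")"
else
    echo "GSSAPI SSO is NOT enabled in the effective configuration"
fi
```

After reloading sshd, verify from a domain-joined Windows machine with a GSSAPI-capable client (for example `ssh -o GSSAPIAuthentication=yes user@host`); a successful login with no password prompt confirms the ticket exchange, while a prompt usually means a missing or wrong host keytab or a hostname that does not match the service principal.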