Re^2: Preferred authentication in Net::SFTP::Foreign

by mithunbh (Novice)
on Feb 09, 2016 at 17:05 UTC [id://1154740]


in reply to Re: Preferred authentication in Net::SFTP::Foreign
in thread Preferred authentication in Net::SFTP::Foreign

The scenario we are trying to handle is where the public key is used for authentication followed by password. This is handled correctly by SFTP without any special commands or configuration.

Our .ssh/config also has PreferredAuthentication correctly set. This is becoming a very common setup in the Financial domain and I have also seen older posts on PerlMonks where people have requested this to work automatically.

My only issue is that there is no control over PreferredAuthentication in a generic way - I can't turn off the autodetection and I can't see any benefit in the autodetection either. Could you please share what exactly was being addressed by the override - the ssh library does honor .ssh/config, so why would we be forced to pass the PreferredAuthentication if sftp doesn't need it by default?
Re^3: Preferred authentication in Net::SFTP::Foreign
by salva (Canon) on Feb 10, 2016 at 09:00 UTC
    This is handled correctly by SFTP without any special commands or configuration.
    Yes, except for the case where you want the password passed automatically, right?
    Could you please share what exactly was being addressed by the override

    As I told you in my previous post, PreferredAuthentications is overridden in order to have a more controlled authentication process. Once ssh is launched there is no generic, reliable way to detect that authentication has succeeded and that the SFTP protocol can go on.

    For instance, one case that we have to handle is when the user wants to perform password authentication but for some reason also has a proper authorized key. With the default PreferredAuthentication, ssh authenticates using the key and never goes on to request the password, while Net::SFTP::Foreign hangs there waiting for the password prompt to appear.

    For your particular case, if you just use a convenient value for PreferredAuthentication, doesn't it work? For instance:

    my $sftp = Net::SFTP::Foreign->new($host, user => $user, password => $password,
                                       more => [-o => 'PreferredAuthentications=publickey,password']);

    In any case, note that if you pass a password to the constructor it will wait for the password prompt to appear, and if it authenticates by other method it will hang there until the timeout expires and then it will close the connection and return an error.

    If what you need is optional password authentication, it is better to go looking into my other module Net::OpenSSH (which can be used with Net::SFTP::Foreign). It doesn't support that feature yet, but it could be done reliably there.

      I probably don't understand the nuances of ssh with sftp subsystem vs the sftp command but it seems to me that the sftp command somehow knows what needs to happen irrespective of us passing the password automatically or not. It knows when Authentication is complete and when it isn't since it knows when to wait and when to provide a working prompt to the user.

      I can't hardcode the PreferredAuthentication since it is host specific and we do have a properly configured .ssh/config file with the appropriate Host specific overrides. It seems to me that to get my setup working I will have to read the config file and figure out what the PreferredAuthentication is supposed to be for each Host, which somehow feels like a wrong thing to do.

      At this point I have no intention of using the password option since keyboard-interactive + publickey seems to cover every scenario that I am encountering - I will see how it goes by using a Unix.pm without the PreferredAuthentication override.
        I can't hardcode the PreferredAuthentication since it is host specific and we do have a properly configured .ssh/config file with the appropriate Host specific overrides.

        PreferredAuthentication is usually quite unimportant; as long as you include all the authentication schemes that could be required by the server, it should work. There is no need to match the server configuration exactly there.

        What do you get from the following command?

        grep -i preferredauthentications ~/.ssh/config | sort -u

        For Net::SFTP::Foreign, the important thing is knowing which servers require password authentication and which ones don't.
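        The two setups discussed in this sub-thread, put into one script as an added example (it is not salva's code and not part of Net::SFTP::Foreign itself). It assumes the only fact the module cannot detect for itself is whether a given server will prompt for a password after the key, and keeps that in a per-host flag. The host name, user and the SFTP_PASSWORD environment variable are placeholders; the constructor options used (user, password, timeout, more) and the error and ls methods are the module's documented ones. With needs_password set to 0 it reproduces mithunbh's planned publickey + keyboard-interactive setup without passing a password; with it set to 1 it passes the password and a timeout, so the hang salva describes (password supplied, server accepts the key alone) becomes a reported error instead of a silent stall.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Net::SFTP::Foreign.
# Assumes a server that offers publickey followed by keyboard-interactive,
# as in the sftp -v log posted in this thread. Host, user and the
# SFTP_PASSWORD environment variable are placeholders.
use strict;
use warnings;
use Net::SFTP::Foreign;

# Build the constructor arguments for one host from the one fact the
# module cannot detect once ssh has been launched: whether this server
# will ask for a password after the key has been accepted.
sub sftp_args {
    my (%opt) = @_;

    # Only list the methods this host can require; the order does not
    # have to match the server's configuration exactly.
    my @methods = ('publickey');
    push @methods, 'keyboard-interactive', 'password' if $opt{needs_password};

    my %args = (
        user    => $opt{user},
        timeout => 30,    # turns a stuck prompt wait into an error
        more    => [ '-o', 'PreferredAuthentications=' . join(',', @methods) ],
    );

    # Pass a password only when the server will actually prompt for one.
    # With a password set, Net::SFTP::Foreign waits for the prompt and
    # hangs until the timeout if the key alone satisfies the server.
    $args{password} = $opt{password} if $opt{needs_password};

    return %args;
}

# Per-host inventory of who needs a second factor (placeholder values).
my %needs_password = (
    'sftp.example.com'  => 1,    # key, then keyboard-interactive password
    'sftp2.example.com' => 0,    # key only
);

my $host = shift @ARGV || 'sftp.example.com';
my %args = sftp_args(
    user           => 'svcuser',
    needs_password => $needs_password{$host} // 0,
    password       => $ENV{SFTP_PASSWORD},
);

my $sftp = Net::SFTP::Foreign->new($host, %args);
die "SFTP login to $host failed: " . $sftp->error . "\n" if $sftp->error;

my $listing = $sftp->ls('.') or die "ls failed: " . $sftp->error . "\n";
print "$_->{filename}\n" for @$listing;
```

        Run it as `SFTP_PASSWORD=... perl sftp_login.pl sftp.example.com`. When the login fails you get the module's error text (including a timeout message if the password prompt never appears) rather than a process that sits until killed, which is the behaviour worth checking for in a batch transfer job.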

Re^3: Preferred authentication in Net::SFTP::Foreign
by mithunbh (Novice) on Feb 09, 2016 at 17:43 UTC
    $ sftp -v -oPort=xxxx xxxxxx@sft.statestreet.com
    Connecting to sft.statestreet.com...
    OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    debug1: Reading configuration data /xxx/.ssh/config
    debug1: Applying options for sft.statestreet.com
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to sft.statestreet.com [192.250.167.3] port xxxx.
    debug1: Connection established.
    debug1: identity file /xxx/.ssh/id_rsa type 1
    debug1: identity file /xxx/.ssh/id_dsa type 2
    debug1: loaded 2 keys
    debug1: Remote protocol version 2.0, remote software version SSHD
    debug1: no match: SSHD
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-sha1 none
    debug1: kex: client->server aes128-cbc hmac-sha1 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'sft.statestreet.com' is known and matches the RSA host key.
    debug1: Found key in /xxx/.ssh/known_hosts:173
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    ***ATTENTION!! ATTENTION!! ATTENTION!!*** We recommend that all clients use the most reliable and secure client software. You should work with your client relationship contact as soon as possible if you are currently using: 1. All versions of FDX client for all operating systems 2. All versions of Tumbleweed ST Client (4.1.2, 4.2, 4.5.x) Requests to replace this with supported Axway SecureClient software version 6.1 can be generated by your client relationship contact, and the IBM Data Transport team can work with you to ensure a correct install is in place. Documentation for the new software will be provided with install packages. ***ATTENTION!! ATTENTION!! ATTENTION!!***
    debug1: Authentications that can continue: password,publickey,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Offering public key: /xxx/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 149
    debug1: read PEM private key done: type RSA
    Authenticated with partial success.
    debug1: Authentications that can continue: password,publickey,keyboard-interactive
    debug1: Offering public key: /xxx/.ssh/id_dsa
    debug1: Authentications that can continue: password,publickey,keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    Password Authentication
    Password:
    debug1: Authentication succeeded (keyboard-interactive).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LC_ALL = C
    debug1: Sending subsystem: sftp
