Password Authentication
Password authentication in Traversio and its practical limits.
Public Method
Traversio exposes password authentication through:
- .password(String)
- .passwordWithChangeResponse(password:responseProvider:)
.password(String) is the simplest authentication path in the public API.
.passwordWithChangeResponse(password:responseProvider:) adds an async callback for servers that require a password update during authentication.
End-to-End Example
import Traversio

func connectWithPassword(secret: String) async throws {
    let configuration = SSHClientConfiguration(
        host: "example.com",
        username: "deploy",
        authentication: .password(secret),
        // The server's host key is checked against this known_hosts file.
        hostKeyPolicy: .knownHostsFile("/Users/me/.ssh/known_hosts")
    )
    try await SSHClient.withConnection(configuration: configuration) { connection in
        // Run one command and print its standard output as UTF-8 text.
        let result = try await connection.execute("whoami")
        print(String(decoding: result.standardOutput, as: UTF8.self))
    }
}
Request Flow
For the password path, Traversio:
- requests the ssh-userauth service
- sends the SSH password auth request
- collects banners if the server sends them
- returns success or failure through the connection API
If the server asks for a password change and the authentication method is .passwordWithChangeResponse(...), Traversio calls the response provider with SSHPasswordChangeChallenge and then sends the old and new passwords in the SSH password-change request.
If the authentication method is .password(String), Traversio surfaces SSHClientError.passwordChangeRequired(prompt:languageTag:banners:).
Other connection-setup failures surface through SSHClientError.connectionFailed(...), which includes the failing stage plus transport / negotiation diagnostics when available.
Good Fits
- simple admin or automation environments where password auth is already expected
- first bring-up while host-trust and command execution are the main things you want to validate
- compatibility situations where key-based auth is not available yet
Limits
The password path is public and tested, with a focused scope:
- no built-in secret storage
- no retry helper or interactive prompt UI
- failures surface through the same public connection-error diagnostics as other connection setup paths
If you need a challenge-response flow driven by multiple prompts, use Keyboard-Interactive Authentication.
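The following is an added example, not code from the Traversio documentation. It addresses two points above: the password path has no built-in secret storage, and .password(String) surfaces SSHClientError.passwordChangeRequired rather than answering the change request. It assumes an Apple platform with a Keychain generic-password item whose service and account names are hypothetical, and that the error case carries the three associated values named in its label list.

```swift
import Foundation
import Security
import Traversio

enum SecretLookupError: Error { case keychain(OSStatus), notUTF8 }

// Read the password from the Keychain instead of embedding it in source or config.
// The service and account names are hypothetical placeholders supplied by the caller.
func loadPassword(service: String, account: String) throws -> String {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        throw SecretLookupError.keychain(status)
    }
    guard let secret = String(data: data, encoding: .utf8) else {
        throw SecretLookupError.notUTF8
    }
    return secret
}

func runWhoami() async throws {
    // The secret lives only in this scope and is never logged.
    let secret = try loadPassword(service: "traversio-deploy", account: "deploy")
    let configuration = SSHClientConfiguration(
        host: "example.com",
        username: "deploy",
        authentication: .password(secret),
        hostKeyPolicy: .knownHostsFile("/Users/me/.ssh/known_hosts")
    )
    do {
        try await SSHClient.withConnection(configuration: configuration) { connection in
            let result = try await connection.execute("whoami")
            print(String(decoding: result.standardOutput, as: UTF8.self))
        }
    } catch SSHClientError.passwordChangeRequired(let prompt, _, _) {
        // .password(String) cannot answer a change request. Stop here rather than
        // retrying the same secret; all other errors propagate to the caller.
        print("Password change required: \(String(describing: prompt))")
    }
}
```

Because there is no retry helper, a caller that wants to handle the change in-band would switch to .passwordWithChangeResponse(password:responseProvider:) and update the stored item afterwards.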