12

How do I keep a password login enabled for SFTP transactions (made by Drupal, if this is important) while keeping it disabled for all other SSH key-based authentications? Currently all the existing users of the CentOS server use keys to log in, and /etc/ssh/sshd_config has PasswordAuthentication no.

Dr NYU
  • 133

3 Answers

20

From what I gather you want to permit passwords from some users, but not others?
You could set up a Match block. So your config might look something like below.

...
PasswordAuthentication no
...
Match user drupalsftp
    PasswordAuthentication yes

Since you mentioned these password-based transactions are happening from Drupal, perhaps you could whitelist based on the host address?

Match address 127.0.0.1/32

You should even be able to combine the criteria, and say only a specific account from a specific address can do password authentication.

PasswordAuthentication no
...
Match user drupalsftp address 10.1.2.3/32
    PasswordAuthentication yes
    # also since we want only sftp
    ForceCommand internal-sftp

Zoredache
  • 133,737
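
Added example, not part of the answer above and not OpenSSH code: a simplified Python model of how sshd resolves a setting across the global section and Match blocks, run on two constructed configs based on the answer's combined user/address block. It models only the User and Address criteria (no negation), and the names GOOD, MISPLACED, criteria_match and effective are made up for this sketch.

```python
import fnmatch
import ipaddress
# Constructed sample, modelled on the combined Match block in the answer.
GOOD = """\
PasswordAuthentication no
Match User drupalsftp Address 10.1.2.3/32
    PasswordAuthentication yes
    ForceCommand internal-sftp
"""

# Same directives, but the global line comes after the Match line, so sshd
# reads it as part of the Match block (indentation is not significant).
MISPLACED = """\
Match User drupalsftp Address 10.1.2.3/32
    PasswordAuthentication yes
    ForceCommand internal-sftp
PasswordAuthentication no
"""

def criteria_match(tokens, user, addr):
    """All criteria on a Match line must hold (User and Address only)."""
    ip = ipaddress.ip_address(addr)
    for key, value in zip(tokens[0::2], tokens[1::2]):
        patterns = value.split(",")
        if key.lower() == "user":
            ok = any(fnmatch.fnmatchcase(user, p) for p in patterns)
        elif key.lower() == "address":
            ok = any(ip in ipaddress.ip_network(p, strict=False) for p in patterns)
        else:
            raise ValueError(f"criterion not modelled: {key}")
        if not ok:
            return False
    return True

def effective(config_text, user, addr):
    """Settings that apply to one (user, source address); keys are lowercased."""
    global_opts, match_opts, active = {}, {}, None  # None = still in global section
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.replace("\t", " ").partition(" ")
        if key.lower() == "match":
            active = criteria_match(value.split(), user, addr)
        elif active is None:
            global_opts.setdefault(key.lower(), value.strip())  # first value wins
        elif active:
            match_opts.setdefault(key.lower(), value.strip())   # first matching block wins
    return {**global_opts, **match_opts}  # Match settings override global ones
```

A key missing from the result means sshd falls back to its built-in default, which for PasswordAuthentication is yes; that is what every other account gets with MISPLACED. On the server itself, `sshd -T` with a `-C` connection specification reports the real effective values.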
0

SFTP is just a specific case of an SSH session. Password login is enabled by default, if you have PasswordAuthentication yes or ChallengeResponseAuthentication yes in your /etc/ssh/sshd_config. Allowing password authentication does not block the key-based authentication.

Jakuje
  • 10,363
-1

Head over to the file /etc/ssh/sshd_config, and change the following line:

PasswordAuthentication yes

Then restart sshd:

sudo service sshd restart