Enable password login for SFTP while keeping authentication by SSH keys


From what I gather you want to permit passwords from some users, but not others?
You could set up a Match block. So your config might look something like below.

...
PasswordAuthentication no
...
Match user drupalsftp
    PasswordAuthentication yes

Since you mentioned these password-based transactions are happening from drupal, perhaps you could whitelist based on the host address? Match address 127.0.0.1/32

You should even be able to combine the criteria, and say only a specific account from a specific address can do password authentication.

PasswordAuthentication no
...
Match user drupalsftp address 10.1.2.3/32
    PasswordAuthentication yes
    # also since we want only sftp
    ForceCommand internal-sftp
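To check what the Match block above actually grants a given connection, here is an added example (not from the answer or from OpenSSH) that evaluates a constructed sshd_config fragment the way sshd resolves it: the global value is the default, a satisfied Match block overrides it, and among several satisfied blocks the first one that sets a keyword wins. User criteria are glob patterns; address criteria are CIDR networks with a glob fallback.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sshd_config fragment mirroring the answer's final snippet.
SSHD_CONFIG = """
PasswordAuthentication no
Match user drupalsftp address 10.1.2.3/32
    PasswordAuthentication yes
    # also since we want only sftp
    ForceCommand internal-sftp
"""

def _criterion_matches(kind, patterns, user, addr):
    """One Match criterion: comma-separated patterns, any of which may match."""
    for pat in patterns.split(","):
        if kind == "user" and fnmatchcase(user, pat):
            return True
        if kind == "address":
            try:  # CIDR first ...
                if ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False):
                    return True
            except ValueError:  # ... otherwise treat the pattern as a glob
                if fnmatchcase(addr, pat):
                    return True
    return False

def effective_options(config, user, addr):
    """Options sshd would apply for a login by `user` from `addr`.

    Global section: first value for a keyword wins. A satisfied Match block
    overrides globals; the first satisfied block setting a keyword wins.
    """
    globals_, matched = {}, {}
    in_match, satisfied = False, False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key, rest = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match = True
            crit = rest.split()  # alternating criterion/pattern tokens
            satisfied = all(_criterion_matches(k.lower(), p, user, addr)
                            for k, p in zip(crit[0::2], crit[1::2]))
            continue
        if in_match and not satisfied:
            continue
        (matched if in_match else globals_).setdefault(key, rest)
    return {**globals_, **matched}
```

Against a live host, `sshd -T -C user=drupalsftp,addr=10.1.2.3,host=<client-hostname>` asks the real daemon the same question and is the authoritative check.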


Author by Dr NYU

Dentist during a day. Linux as a hobby.

Updated on September 18, 2022

Comments

  • Dr NYU
    Dr NYU over 1 year

    How do I keep a password login enabled for SFTP transactions (made by Drupal, if this is important) while keeping it disabled for all other SSH key-based authentications? Currently all the existing users of the CentOS server use keys to log in and /etc/ssh/sshd_config has PasswordAuthentication no.

    • Anubioz
      Anubioz over 7 years
      Your question is formulated wrong. There is no restriction on having both password & key authentication enabled. So enabling password login will not remove the ability to authenticate by key. What you meant is probably how do I disable password login for all users except those which need to do SFTP transactions. Please edit your question accordingly if you want to get an answer...
    • Dr NYU
      Dr NYU over 7 years
      Sorry it was not clear. Edited.
    • Anubioz
      Anubioz over 7 years
      Thanks, I replaced the downvote with an upvote. But beware that enabling a user to access SFTP automatically gives them the ability to use SSH. If that's not what you want, edit again :). Though I'd say keep it, since there is no difference to an attacker whether he is able to use SSH or just upload files into Drupal - it provides basically the same capabilities...
    • Michael Hampton
      Michael Hampton over 7 years
      Why aren't your users also using their keys to SFTP?
    • Dr NYU
      Dr NYU over 7 years
      As I mentioned in another comment, all the users except for the one can and will have to use keys for all ssh connections. The one exception is for me, when I am applying updates from within the Drupal web interface. As disappointing as it is, Drupal gives you 2 options to upload the updates: FTP and SFTP, and the latter has no option of supplying the key, just a password.
  • Dr NYU
    Dr NYU over 7 years
    I had the password authentication disabled for all by default. However, I do want to use the Drupal update functionality from within Drupal, and there's no option there to use the keys, just a password. I decided to create a user that is restricted to the home dir, which I will point at /Drupal_installation/files, adding that user to a very restricted group (like apache or www-data), which will have write access to those files and dirs. The files there now are owned by root:root. I could not find any other option due to lack of experience.
  • kasperd
    kasperd over 6 years
    It should be noted that enabling password authentication for a single user without also locking it down to a specific IP address is a bit risky. An attacker could brute force the username and use the ability to use password authentication to know when they have found the correct username. Once the attacker knows the username, they can start a brute force attack on the password.