8

How do I keep password login enabled for SFTP transactions (made by Drupal, if this is important) while keeping it disabled for all other SSH key-based authentications? Currently all the existing users of the CentOS server use keys to log in, and /etc/ssh/sshd_config has PasswordAuthentication no.

Dr NYU
  • 93
  • 1
  • 1
  • 7
  • Your question is formulated wrong. There is no restriction on having both password & key authentication enabled. So enabling password login will not remove the ability to authenticate by key. What you meant is probably how do I _disable_ password login for all users except those which need to do SFTP transactions. Please edit your question accordingly if you want to get an answer... – Anubioz Oct 04 '16 at 21:07
  • Sorry it was not clear. Edited. – Dr NYU Oct 04 '16 at 21:26
  • Thanks, I replaced downvote with an upvote. But beware that enabling a user to access SFTP automatically gives them the ability to use SSH. If that's not what you want, edit again :). Though I'd say keep it, since there is no difference to an attacker whether he is able to use SSH or just upload files into drupal - it provides basically the same capabilities... – Anubioz Oct 04 '16 at 21:42
  • 1
    Why aren't your users also using their keys to SFTP? – Michael Hampton Oct 04 '16 at 22:18
  • As I mentioned in another comment, all the users except for one can and will have to use keys for all ssh connections. The one exception is for me, when I am applying updates from within the Drupal web interface. As disappointing as it is, Drupal gives you 2 options to upload the updates: FTP and SFTP, and the latter one has no option of supplying the key, just a password. – Dr NYU Oct 05 '16 at 04:37

3 Answers

14

From what I gather you want to permit passwords from some users, but not others?
You could set up a Match block. So your config might look something like below.

...
PasswordAuthentication no
...
Match user drupalsftp
    PasswordAuthentication yes

Since you mentioned these password-based transactions are happening from drupal, perhaps you could whitelist based on the host address? Match address 127.0.0.1/32

You should even be able to combine the criteria, and say only a specific account from a specific address can do password authentication.

PasswordAuthentication no
...
Match user drupalsftp address 10.1.2.3/32
    PasswordAuthentication yes
    # also since we want only sftp
    ForceCommand internal-sftp

Links

Zoredache
  • 128,755
  • 40
  • 271
  • 413
  • 1
    It should be noted that enabling password authentication for a single user without also locking it down to a specific IP address is a bit risky. An attacker could brute force the username and use the ability to use password authentication to know when they have found the correct username. Once the attacker knows the username, they can start a brute force attack on the password. – kasperd Nov 30 '17 at 18:23
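To see why the combined criteria in the answer above (and kasperd's concern about leaving password auth reachable from every address) behave the way they do, here is an added example that is not part of the answer or of OpenSSH itself: a small Python emulator of how sshd resolves options for one incoming connection. The sshd_config text inside it is constructed for the demo; the user name drupalsftp and the address 10.1.2.3 are assumptions carried over from the answer. It implements the documented Match rules (all criteria on one Match line must hold, Match values override the global section, and when several blocks match the first one that sets a keyword wins) for the User and Address criteria only; negated patterns and the other criteria are left out.

```python
# Added example (not from the Server Fault answer): emulate how sshd picks
# PasswordAuthentication / ForceCommand for a given client, to show that a
# "Match User ... Address ..." block only opens password auth for that one
# user coming from that one address.
import fnmatch
import ipaddress

# Constructed sshd_config in the shape the answer suggests (assumption: the
# SFTP account is "drupalsftp" and the Drupal host is 10.1.2.3).
SSHD_CONFIG = """\
# global section: keys only for everyone
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Match blocks must be last: every line after a Match belongs to that block
# until the next Match line.
Match User drupalsftp Address 10.1.2.3/32
    PasswordAuthentication yes
    ForceCommand internal-sftp
"""


def parse_sshd_config(text):
    """Split a config into the global directives and an ordered list of
    Match blocks: (global_opts, [(criteria, opts), ...]).  Keywords are
    lower-cased, as sshd treats them case-insensitively."""
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments/blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            words = value.split()                # "User x Address y" pairs
            criteria = {words[i].lower(): words[i + 1]
                        for i in range(0, len(words) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            # sshd keeps the FIRST value it sees for a keyword in a section
            current.setdefault(keyword, value)
    return global_opts, blocks


def _match_user(pattern_list, user):
    return any(fnmatch.fnmatchcase(user, p) for p in pattern_list.split(","))


def _match_address(pattern_list, addr):
    ip = ipaddress.ip_address(addr)
    for p in pattern_list.split(","):
        if "/" in p:                             # CIDR form
            if ip in ipaddress.ip_network(p, strict=False):
                return True
        elif fnmatch.fnmatchcase(addr, p):       # wildcard/literal form
            return True
    return False


CRITERIA = {"user": _match_user, "address": _match_address}


def effective_options(text, user, addr):
    """Options sshd would apply to `user` connecting from `addr`.
    All criteria on a Match line are ANDed; Match values override the
    global section; across several matching blocks the first block that
    sets a keyword wins for that keyword."""
    global_opts, blocks = parse_sshd_config(text)
    result = dict(global_opts)
    applied = set()
    for criteria, opts in blocks:
        ok = True
        for name, pattern in criteria.items():
            if name not in CRITERIA:
                raise ValueError(f"Match criterion {name!r} not emulated here")
            subject = user if name == "user" else addr
            ok = ok and CRITERIA[name](pattern, subject)
        if ok:
            for keyword, value in opts.items():
                if keyword not in applied:
                    result[keyword] = value
                    applied.add(keyword)
    return result


def password_allowed(text, user, addr):
    # sshd's compiled-in default for PasswordAuthentication is "yes"
    return effective_options(text, user, addr).get(
        "passwordauthentication", "yes") == "yes"


if __name__ == "__main__":
    for user, addr in [("drupalsftp", "10.1.2.3"),
                       ("drupalsftp", "203.0.113.9"),
                       ("alice", "10.1.2.3")]:
        opts = effective_options(SSHD_CONFIG, user, addr)
        print(f"{user}@{addr}: PasswordAuthentication="
              f"{opts['passwordauthentication']} "
              f"ForceCommand={opts.get('forcecommand', '(none)')}")
```

Only drupalsftp from 10.1.2.3 gets a password prompt and is pinned to internal-sftp; the same account from any other address, and every other account, stays key-only. On the real server the authoritative check is sshd itself: `sshd -T -f /etc/ssh/sshd_config -C user=drupalsftp,addr=10.1.2.3,host=drupal.example | grep -iE '^(passwordauthentication|forcecommand)'` prints the options the daemon would actually apply to that connection, and `sshd -t` validates the file before a restart.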
0

SFTP is just a specific case of an SSH session. Password login is enabled by default if you have PasswordAuthentication yes or ChallengeResponseAuthentication yes in your /etc/ssh/sshd_config. Allowing password authentication does not block the key based authentication.

Jakuje
  • 9,145
  • 2
  • 40
  • 44
  • He probably means what can be achieved with restricted shell per user basis http://www.pizzashack.org/rssh/ – Anubioz Oct 04 '16 at 20:10
  • I had the password authentication disabled for all by default. However, I do want to use Drupal update functionality from within drupal and there's no option there to use the keys, just a password. I decided to create the user that is restricted to the home dir which I will point at the /Drupal_installation/files adding that user to a very restricted group (like apache or www-data), which will have a write access to those files and dirs. The files there now are owned by root:root I could not find any other option due to lack of experience. – Dr NYU Oct 04 '16 at 21:38
0

Head over to the file /etc/ssh/sshd_config, and change the following line:

PasswordAuthentication yes

Then restart sshd:

sudo service sshd restart

Mike Yang
  • 101
  • 2