Enable password login for SFTP while keeping authentication by SSH keys
How do I keep a password login enabled for SFTP transactions (made by Drupal, if this is important) while keeping it disabled for all other SSH key-based authentications? Currently all the existing users of the CentOS server use keys to log in, and /etc/ssh/sshd_config has PasswordAuthentication no.
Solution 1:
From what I gather, you want to permit passwords from some users but not others?
You could set up a Match block, so your config might look something like the one below.
...
PasswordAuthentication no
...
# Match blocks go at the end of the file: every keyword below a Match line
# applies only while that Match's criteria hold, until the next Match line
# or the end of the file. This overrides the global "no" for this one user.
Match User drupalsftp
    PasswordAuthentication yes
Since you mentioned these password-based transactions are happening from Drupal, perhaps you could whitelist based on the host address?
Match Address 127.0.0.1/32
You should even be able to combine the criteria and say that only a specific account from a specific address can do password authentication.
PasswordAuthentication no
...
# All criteria on one Match line must hold (user AND source address);
# a CIDR mask of /32 pins it to exactly one host.
Match User drupalsftp Address 10.1.2.3/32
    PasswordAuthentication yes
    # also since we want only sftp: no shell, no other commands for this account
    ForceCommand internal-sftp
Links
- https://www.freebsd.org/cgi/man.cgi?sshd_config(5) - See the 'Match' section
- https://www.freebsd.org/cgi/man.cgi?ssh_config(5) - See the 'patterns' section
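A way to confirm that the Match block above does what you expect, as an added example rather than code from the answer above: sshd can evaluate its own config for a simulated connection with `sshd -T -C user=...,addr=...,host=...`, which prints the effective value of every keyword after Match processing. The script writes the answer's config to a scratch directory and queries it for the SFTP account from the allowed address, the same account from another address, and a different account. The account name drupalsftp, the address 10.1.2.3 and the hostname web01 are placeholders carried over from the answer; the ed25519 host key it generates is a throwaway needed only because sshd -T refuses to run without a host key.

```sh
#!/bin/sh
# Added example (not from the original answer): check which sshd settings apply
# to a given user/source address using sshd's extended test mode (-T -C).
# Assumptions: "drupalsftp", 10.1.2.3 and "web01" are placeholders; the host
# key generated below exists only for this check and is deleted afterwards.
set -eu

# sshd usually lives in a sbin directory that is not on a normal user's PATH.
PATH="$PATH:/usr/sbin:/usr/local/sbin:/sbin"; export PATH
if ! command -v sshd >/dev/null 2>&1 || ! command -v ssh-keygen >/dev/null 2>&1; then
    echo "sshd or ssh-keygen not found; install openssh-server to run this check" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway host key: sshd -T loads host keys before it dumps the config.
ssh-keygen -q -t ed25519 -N '' -f "$WORK/hostkey"

# The policy from the answer: keys only, except the SFTP service account from
# one address, which is additionally locked to internal-sftp.
cat > "$WORK/sshd_config" <<EOF
HostKey $WORK/hostkey
Subsystem sftp internal-sftp
PubkeyAuthentication yes
PasswordAuthentication no

# Match blocks apply only to the lines below them, so keep them last.
Match User drupalsftp Address 10.1.2.3/32
    PasswordAuthentication yes
    ForceCommand internal-sftp
EOF

# Syntax check; exit status is non-zero on any configuration error.
sshd -t -f "$WORK/sshd_config"

# Print the effective value of one keyword for a simulated connection.
# Older sshd versions require user, host and addr all to be given to -C,
# and sshd -T prints keyword names in lower case.
effective() {  # usage: effective KEYWORD USER ADDR
    sshd -T -f "$WORK/sshd_config" -C "user=$2,addr=$3,host=web01" \
        | awk -v k="$1" '$1 == k { print $2 }'
}

echo "drupalsftp from 10.1.2.3: PasswordAuthentication=$(effective passwordauthentication drupalsftp 10.1.2.3)"
echo "drupalsftp from 10.1.2.3: ForceCommand=$(effective forcecommand drupalsftp 10.1.2.3)"
echo "drupalsftp from 10.9.9.9: PasswordAuthentication=$(effective passwordauthentication drupalsftp 10.9.9.9)"
echo "alice from 10.1.2.3:      PasswordAuthentication=$(effective passwordauthentication alice 10.1.2.3)"
```

Run it as any user; it never touches /etc/ssh. The same `sshd -T -C` query against the real file (`sshd -T -f /etc/ssh/sshd_config -C ...`, as root) is the quickest way to prove that nobody except the intended account, from the intended address, is being offered password authentication after you restart sshd.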