AWS SFTP Gateway 2.0 Enable password login
Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
By default, SFTP users are configured to log in using SSH keys. This is more secure than passwords, which are transmitted over the wire, and are easier to brute force -- especially if set without complexity requirements.
Although we don't recommend it, there are times when you need to enable password authentication. This article describes how to do so.
Set user password in directory service
Create a user via the web interface for user management.
SSH into the EC2 instance, and elevate privileges to root:
sudo su
Set some bash variables, replacing the values below with your own. (Note: there are no spaces next to the equal sign)
SFTP_USER=bob
NEW_PASSWORD=<your password>
Reset the user's password by pasting in the following commands. The first grabs the LDAP admin credentials from a conf file; the second resets the user's LDAP password. Keep the variable assignment on its own line (a prefix assignment on the same line as ldappasswd would not be visible to the arguments that use it), and pass the user's DN as ldappasswd's positional argument:
LOCAL_SECRET_ACCESS_KEY=$(grep spring.ldap.password /opt/sftpgw/application.properties | cut -d'=' -f2)
ldappasswd -x -ZZ -D "cn=admin" -w "${LOCAL_SECRET_ACCESS_KEY}" -s "${NEW_PASSWORD}" "uid=${SFTP_USER},ou=people,dc=sftpgateway,dc=com"
Enable password authentication for user
Edit the file /etc/ssh/sshd_config. This controls settings for SSH. On line 84, change ChallengeResponseAuthentication to yes:
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
Add the following text at the very end of the file (a Match block applies until the next Match line or the end of the file, so it must come after all of the global settings):
Match User bob
PasswordAuthentication yes
Save the sshd_config file. Restart SSH:
sudo service sshd restart
Note: if you're running a multi instance setup, see this page for details on how to send commands to multiple EC2 instances.
User "bob" should now be able to sftp using a password:
$ sftp bob@52.202.XXX.XXX
bob@52.202.XXX.XXX's password:
Connected to 52.202.XXX.XXX.
sftp> pwd
Remote working directory: /home/bob
sftp> bye
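The steps above depend on how sshd scopes a Match block (it runs to the next Match line or end of file, and its values override the global ones only for matching users), which can be checked without touching a live server. The following is an added example, not part of the SFTP Gateway documentation: a small bash/awk function that reads an sshd_config text and reports the effective value of a keyword for a given user, run here against a constructed sample config. It assumes exact user names in Match lines (no wildcard patterns) and the "Keyword value" form rather than "Keyword=value".

```bash
#!/bin/bash
# Added example (not from the SFTP Gateway docs).
# sshd_effective KEYWORD USER DEFAULT reads an sshd_config from stdin and prints
# the effective value of KEYWORD for USER: the first value inside a matching
# "Match User" block wins; otherwise the first global value; otherwise DEFAULT.
# Assumes exact user names in Match lines (no wildcard patterns).
sshd_effective() {
  awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v user="$2" -v def="$3" '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    tolower($1) == "match" {                # a Match block runs until the next Match / EOF
      inmatch = 1; active = 0
      if (tolower($2) == "all") active = 1
      for (i = 2; i < NF; i += 2) {
        if (tolower($i) == "user") {
          n = split($(i + 1), names, ",")
          for (j = 1; j <= n; j++) if (names[j] == user) active = 1
        }
      }
      next
    }
    tolower($1) == kw {                     # first obtained value wins, per scope
      if (!inmatch && global == "") global = tolower($2)
      else if (inmatch && active && matched == "") matched = tolower($2)
    }
    END { print (matched != "" ? matched : (global != "" ? global : def)) }
  '
}

# Constructed sample config (not the real file on the instance): password
# authentication is off globally and enabled only for bob, carol and dave.
SAMPLE_SSHD_CONFIG='Port 22
PasswordAuthentication no
ChallengeResponseAuthentication yes
Subsystem sftp internal-sftp
Match User bob
    PasswordAuthentication yes
Match User carol,dave
    PasswordAuthentication yes'

# Effective value of a keyword for a user in the sample config.
sample_effective() {
  printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_effective "$1" "$2" "$3"
}

for u in bob alice dave; do
  printf '%s: PasswordAuthentication %s\n' "$u" "$(sample_effective PasswordAuthentication "$u" yes)"
done
```

On a real instance the same question can be put to sshd itself with sshd -T -C user=bob, which prints the effective settings for that user.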
Password helper script
To help simplify the password update process, here is a helper script you can create.
First, create the script and make it executable:
sudo su
cd /usr/local/bin
touch set-password-helper-script.sh
chmod +x set-password-helper-script.sh
Next, paste in the following contents:
#!/bin/bash
# Print usage and exit. Defined before the argument loop so that it can be
# called from inside it.
function usage {
  echo "Usage: $0 --user testuser [ --password <your password> ]"
  exit 0
}

while [[ $# -gt 0 ]]; do
  key="$1"
  case $key in
    -h|--help|help)
      usage
      ;;
    -u|--user) SFTP_USER="$2"
      shift # past argument
      shift # past value
      ;;
    -p|--password) THE_PASSWORD="$2"
      shift # past argument
      shift # past value
      ;;
    *)
      echo "Unknown argument: $key"
      usage
      ;;
  esac
done

if [[ -z ${SFTP_USER} ]]; then
  usage
fi

# Read the LDAP admin password from the SFTP Gateway config file
LOCAL_SECRET_ACCESS_KEY=$(sudo grep ldap.password /opt/sftpgw/application.properties | cut -d'=' -f2)

# Use the supplied password, or generate a random 12-character one
if [[ -n "$THE_PASSWORD" ]]; then
  NEW_PASSWORD="${THE_PASSWORD}"
else
  NEW_PASSWORD=$(head /dev/urandom | tr -dc A-Z0-9 | head -c 12 ; echo '')
fi

# Replace the user's LDAP userPassword attribute (-x selects a simple bind,
# matching the ldappasswd command earlier on this page)
ldapmodify -x -D "cn=admin" -w "${LOCAL_SECRET_ACCESS_KEY}" <<HERE
dn: uid=${SFTP_USER},ou=People,dc=sftpgateway,dc=com
changetype: modify
replace: userPassword
userPassword: ${NEW_PASSWORD}
HERE

echo "The password for ${SFTP_USER} has been set to ${NEW_PASSWORD}"
To run the script, pass in the username (and optionally, a password).
/usr/local/bin/set-password-helper-script.sh -u <username> [ -p <password> ]
If you don't specify a password, it will generate one for you.