Azure Enable Password Authentication
By default, SFTP Gateway disables password authentication because it is less secure than SSH key pair authentication. We highly recommend using SSH key pair authentication when possible. That being said, we also understand that in some circumstances it is necessary or more desirable to use password authentication. This article will walk you through the steps to enable password authentication on a per-user basis.
Enable self lookup on the directory service
If this is the first time you are consulting this article, you must modify the directory service's Access Control Instructions (ACIs) so that a user can look up their own entry during the PAM authentication process. The following ACI allows a user to search and read their own LDAP entry.
Create the file that will be used to modify the LDAP entry with
nano /tmp/addaci.ldif
(this will open the terminal text editor nano), and paste in the following:
dn: ou=People,dc=sftpgateway,dc=com
changetype: modify
replace: aci
aci: (targetattr = "*") (version 3.0; acl "Lookup own entry"; allow (search, read) userdn = "ldap:///self";)
Save the file with ctrl-o then Enter
Exit the nano text editor with ctrl-x
Retrieve the LDAP admin password and store it in a variable to use later
ldappassword=$(sudo grep spring.ldap.password /opt/sftpgw/application.properties | cut -d'=' -f2-)
Add the new ACI to the LDAP tree with the following command:
ldapmodify -D cn=admin -w $ldappassword -f /tmp/addaci.ldif
From this point forward, any user added to the directory service will be able to look up their own LDAP entry during the authentication process. The addaci.ldif file is no longer needed and can be deleted with the following command:
rm /tmp/addaci.ldif
Enable password authentication for a single user
Note: If you are looking to add passwords to multiple users at one time please see Add multiple passwords at once
To assign a password to a user, that user must first exist in the directory service. Once a user has been created with either the web admin interface, CLI, or API, a password can be added to the user's LDAP entry with the following steps.
Retrieve the LDAP admin password and store it in a variable to use later
ldappassword=$(sudo grep spring.ldap.password /opt/sftpgw/application.properties | cut -d'=' -f2-)
Create an LDIF file that will be used to add the user's password with
nano /tmp/addpassword.ldif
, paste in the following, and replace the placeholders below with your own values. (Note: the password can be entered as plain text and it will be hashed before it is stored in the directory service.)
dn: uid=<username>,ou=People,dc=sftpgateway,dc=com
changetype: modify
replace: userPassword
userPassword: <new_password>
Add the user's password to the directory service:
ldapmodify -D cn=admin -w $ldappassword -f /tmp/addpassword.ldif
Enable password authentication for the user with
sudo nano /etc/ssh/sshd_config
, and add the following lines to the end of the file.
Match user <username>
PasswordAuthentication yes
Save the file with ctrl-o then Enter
Exit nano with ctrl-x
Restart the sshd service so the changes to the configuration file are applied.
sudo systemctl restart ssh
Now that specific user will be able to log on to the server using password authentication. If an SSH public key was assigned to the user at the time of creation, the user will be able to use either the corresponding SSH private key or the password to log in to the server.
Enable password authentication for multiple users at once
If you have multiple users that need password authentication, you can enable this feature for all users at one time. All users will have to exist in the directory service before you can add their passwords. So you should first add all users to the server with the Web interface, CLI, or API, then follow the instructions below to add their passwords to their LDAP entries.
Retrieve the LDAP admin password and store it in a variable to use later
ldappassword=$(sudo grep spring.ldap.password /opt/sftpgw/application.properties | cut -d'=' -f2-)
Create an LDIF file that will be used to add the user's passwords with
nano /tmp/addpassword.ldif
, paste in the following, and replace the placeholders below with your own values. (Note: the passwords can be entered as plain text and they will be hashed before they are stored in the directory service.) Separate each entry with a blank line; this can be repeated for as many passwords as you would like to add at one time.
dn: uid=<username>,ou=People,dc=sftpgateway,dc=com
changetype: modify
replace: userPassword
userPassword: <new_password>

dn: uid=<username2>,ou=People,dc=sftpgateway,dc=com
changetype: modify
replace: userPassword
userPassword: <new_password2>
Add the passwords to the users' entries in the directory service:
ldapmodify -D cn=admin -w $ldappassword -f /tmp/addpassword.ldif
Enable password authentication for those users with
sudo nano /etc/ssh/sshd_config
, and add the following lines to the end of the file for each user.
Match user <username>
PasswordAuthentication yes
Save the file with ctrl-o then Enter
Exit nano with ctrl-x
Restart the sshd service so the changes to the configuration file are applied.
sudo systemctl restart ssh
Now those specific users will be able to log on to the server using password authentication. If an SSH public key was assigned to those users at the time of creation, they will be able to use either the corresponding SSH private key or the password to log in to the server.
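The single-user and multi-user steps above both hand-write the LDIF. The following is an added example (not part of the SFTP Gateway documentation) that generates the same modify/replace LDIF from a list of "username<TAB>password" lines, so the file is built consistently for one user or many. It assumes the DN layout used on this page (uid=<username>,ou=People,dc=sftpgateway,dc=com) and plain usernames that need no DN escaping. It also handles the one LDIF edge case that bites with passwords: a value that starts with a space, ':' or '<', ends with a space, or contains non-ASCII or control bytes cannot be written as a bare "attr: value" line and must be base64-encoded with the "::" form, otherwise ldapmodify stores a different password than the one you intended.

```shell
#!/bin/sh
# Builds the password-change LDIF for one or more SFTP Gateway users.
# Assumes the page's DN layout and usernames that need no DN escaping.

# Newline character, used to detect multi-line values.
NL=$(printf '\n.'); NL=${NL%.}

# Print one "userPassword" attribute line for the value in $1. RFC 2849 only
# allows the bare "attr: value" form when the value is printable ASCII, does
# not start with a space, ':' or '<', and does not end with a space; anything
# else is emitted as "attr:: <base64>" so the directory gets the exact bytes.
ldif_password_line() {
    pw=$1
    needs_b64=0
    case $pw in
        ' '*|':'*|'<'*|*' '|*"$NL"*) needs_b64=1 ;;
    esac
    # Any byte outside printable ASCII (0x20-0x7e) also forces base64.
    if printf '%s' "$pw" | LC_ALL=C grep -q '[^ -~]'; then
        needs_b64=1
    fi
    if [ "$needs_b64" -eq 1 ]; then
        printf 'userPassword:: %s\n' "$(printf '%s' "$pw" | base64 | tr -d '\n')"
    else
        printf 'userPassword: %s\n' "$pw"
    fi
}

# Read "username<TAB>password" lines from stdin and emit one modify/replace
# change per user. ldapmodify requires a blank line between changes, which the
# loop inserts before every entry after the first. A password may contain
# spaces but not a tab, since tab is the field separator.
build_password_ldif() {
    first=1
    tab=$(printf '\t')
    while IFS="$tab" read -r user pw; do
        [ -n "$user" ] || continue
        [ "$first" -eq 1 ] || printf '\n'
        first=0
        printf 'dn: uid=%s,ou=People,dc=sftpgateway,dc=com\n' "$user"
        printf 'changetype: modify\n'
        printf 'replace: userPassword\n'
        ldif_password_line "$pw"
    done
}

# Constructed sample input (not real accounts). Redirect the output to
# /tmp/addpassword.ldif and apply it with the ldapmodify command from the
# steps above.
printf 'alice\ts3cret-Pass\nbob\t:starts-with-colon\n' | build_password_ldif
```

After applying the file, a quick check that the password works and that the self-lookup ACI from the first section is in place is to bind as the user, in the same style this page uses for ldapmodify: `ldapwhoami -D "uid=alice,ou=People,dc=sftpgateway,dc=com" -W` should return the user's own DN rather than an authentication error.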
sshd_config formats
There are two ways in which you can enable password authentication in the sshd_config file. Each has its own benefits and drawbacks.
You can append the following lines to the sshd_config file for each user.
Match user username
PasswordAuthentication yes
- This method is the easiest for programmatically adding these lines to the file. The lines can be appended to the file (as root) with something as simple as:
printf 'Match user username\nPasswordAuthentication yes\n' >> /etc/ssh/sshd_config
- This method can make your sshd_config file bulky and hard to search through manually.
You can add users to the Match block as a comma-separated list.
Match user username1,username2
PasswordAuthentication yes
- This is the easiest way to add users to this file manually. Note that there is no space between the comma and the next username.
- This method keeps the sshd_config file succinct and requires the least amount of typing.
- It is much more difficult to modify an existing line in a file programmatically.
With either of these cases, the sshd service will need to be restarted for the change to take effect.
sudo systemctl restart ssh
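The comma-separated format is harder to maintain from a script because an existing line has to be edited rather than appended. The following is an added example (not part of the SFTP Gateway documentation) of doing exactly that: it appends a user to the comma-separated "Match user" line that is directly followed by "PasswordAuthentication yes", creates the two-line block at the end of the file if there is none yet, and does nothing when the user is already listed. It assumes the block layout shown above and takes the config file path as an argument, so it can be exercised on a copy before touching /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Adds a user to the comma-separated "Match user" list that turns on
# PasswordAuthentication in an sshd_config-style file ($1), creating the
# two-line block at the end of the file if no such block exists yet.
# Assumes the layout shown above: a "Match user <list>" line immediately
# followed by "PasswordAuthentication yes". Other Match blocks (for example
# ChrootDirectory settings) are left untouched. Re-running for the same
# user changes nothing, so it is safe to call from provisioning scripts.
enable_password_user() {
    cfg=$1
    user=$2
    tmp=$(mktemp) || return 1
    awk -v user="$user" '
        # A held "Match user" line is printed once we know what follows it.
        prev != "" {
            if (!done && tolower($0) ~ /^[ \t]*passwordauthentication[ \t]+yes[ \t]*$/) {
                split(prev, f, /[ \t]+/)      # f[1]="Match" f[2]="user" f[3]=list
                n = split(f[3], users, ",")
                present = 0
                for (i = 1; i <= n; i++) if (users[i] == user) present = 1
                if (!present) f[3] = f[3] "," user
                prev = f[1] " " f[2] " " f[3]
                done = 1
            }
            print prev
            prev = ""
        }
        # Hold any "Match user <list>" line (keyword case-insensitive, as in sshd).
        tolower($0) ~ /^match[ \t]+user[ \t]+[^ \t]+[ \t]*$/ { prev = $0; next }
        { print }
        END {
            if (prev != "") print prev
            if (!done) {
                print "Match user " user
                print "PasswordAuthentication yes"
            }
        }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Demo on a constructed temporary copy of a config; on a real host, run
# "sudo sshd -t" after editing /etc/ssh/sshd_config and before restarting.
demo=$(mktemp)
printf 'PasswordAuthentication no\nMatch user alice\nPasswordAuthentication yes\n' > "$demo"
enable_password_user "$demo" bob
cat "$demo"
rm -f "$demo"
```

Before restarting the service, `sudo sshd -t` checks the edited file for syntax errors, and `sudo sshd -T -C user=alice | grep -i passwordauthentication` shows the setting sshd will actually apply to a given user, which is the quickest way to confirm the Match block does what you expect.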
Password helper script
To help simplify the password update process, here is a helper script you can create.
First, create the script and make it executable:
sudo su
cd /usr/local/bin
touch set-password-helper-script.sh
chmod +x set-password-helper-script.sh
Next, paste in the following contents:
#!/bin/bash
# Helper: set (or generate) the LDAP password for one SFTP Gateway user.

# Defined before the argument loop so that "help" can call it.
function usage {
  echo "Usage: $0 --user testuser [ --password <your password> ]"
  exit "${1:-0}"
}

SFTP_USER=""
THE_PASSWORD=""

# Parse arguments. The default branch stops the loop from spinning forever
# on an unrecognised option.
while [[ $# -gt 0 ]]; do
  key="$1"
  case $key in
    -h|--help|help)
      usage
      ;;
    -u|--user)
      SFTP_USER="$2"
      shift # past argument
      shift # past value
      ;;
    -p|--password)
      THE_PASSWORD="$2"
      shift # past argument
      shift # past value
      ;;
    *)
      echo "Unknown argument: $key" >&2
      usage 1
      ;;
  esac
done

if [[ -z ${SFTP_USER} ]]; then
  usage 1
fi

# LDAP admin password from the SFTP Gateway properties file. "-f2-" keeps
# everything after the first '=' so a password containing '=' is not cut short.
LOCAL_SECRET_ACCESS_KEY=$(sudo grep ldap.password /opt/sftpgw/application.properties | cut -d'=' -f2-)

if [[ -n "$THE_PASSWORD" ]]; then
  NEW_PASSWORD="${THE_PASSWORD}"
else
  # Generate a random 12-character password (upper-case letters and digits).
  NEW_PASSWORD=$(tr -dc 'A-Z0-9' < /dev/urandom | head -c 12)
fi

# The value is sent in plain text; the directory service hashes it before
# storing it. Fail loudly if ldapmodify rejects the change.
if ! ldapmodify -D "cn=admin" -w "${LOCAL_SECRET_ACCESS_KEY}" <<HERE
dn: uid=${SFTP_USER},ou=People,dc=sftpgateway,dc=com
changetype: modify
replace: userPassword
userPassword: ${NEW_PASSWORD}
HERE
then
  echo "Failed to set the password for ${SFTP_USER}" >&2
  exit 1
fi

echo "The password for ${SFTP_USER} has been set to ${NEW_PASSWORD}"
To run the script, pass in the username (and optionally, a password).
/usr/local/bin/set-password-helper-script.sh -u <username> [ -p <password> ]
If you don't specify a password, it will generate one for you.