By default, SFTP Gateway disables password authentication because it is less secure than SSH key pair authentication. We highly recommend using SSH key pair authentication when possible. That being said, we also understand that in some circumstances it is necessary or more desirable to use password authentication. This article will walk you through the steps to enable password authentication on a per-user basis.

Enable self lookup on the directory service


If this is the first time you are consulting this article, you must modify the directory service user Access Control Instructions (ACI) to allow the user to do a self lookup during the PAM authentication process. The following ACI will allow the user to search and read their own LDAP entry.

  1. Create the file that will be used to modify the LDAP entry with nano /tmp/addaci.ldif (this will open the terminal text editor nano), and paste in the following:
    dn: ou=People,dc=sftpgateway,dc=com
    changetype: modify
    replace: aci
    aci: (targetattr = "*") (version 3.0; acl "Lookup own entry"; allow (search, read) userdn = "ldap:///self";)
    
  2. Save the file with ctrl-o then enter
  3. Exit the nano text editor with ctrl-x
  4. Retrieve the LDAP admin password and store it in a variable to use later
    ldappassword=$(sudo grep spring.ldap.password /opt/sftpgw/application.properties | cut -d'=' -f2)
    
  5. Add the new ACI to the LDAP tree with the following command:
    ldapmodify -D cn=admin -w $ldappassword -f /tmp/addaci.ldif
    

From this point forward, any user added to the directory service will be able to look up their own LDAP entry during the authentication process. The addaci.ldif file is no longer needed and can be deleted with the following command:

rm /tmp/addaci.ldif

Enable password authentication for a single user


Note: If you are looking to add passwords to multiple users at one time please see Add multiple passwords at once

To assign a password to a user, that user must first exist in the directory service. Once a user has been created with either the web admin interface, CLI, or API, a password can be added to the user's LDAP entry with the following steps.

  1. Retrieve the LDAP admin password and store it in a variable to use later
    ldappassword=$(sudo grep spring.ldap.password /opt/sftpgw/application.properties | cut -d'=' -f2)
    
  2. Create an LDIF file that will be used to add the user's password with nano /tmp/addpassword.ldif, paste in the following, and replace the <values> below with your own. (Note: the password can be entered as plain text and it will be hashed before it is stored in the directory service.)
    dn: uid=<username>,ou=People,dc=sftpgateway,dc=com
    changeType: modify
    replace: userPassword
    userPassword: <new password>
    
  3. Add user's password to the directory service
    ldapmodify -D cn=admin -w $ldappassword -f /tmp/addpassword.ldif
    
  4. Enable password authentication for the user with sudo nano /etc/ssh/sshd_config, and add the following lines to the end of the file.
    Match user <username>
    PasswordAuthentication yes
    
  5. Save the file with ctrl-o then Enter
  6. Exit nano with ctrl-x
  7. Restart sshd service so the changes to the configuration file will be applied.
    sudo systemctl restart sshd​

Now that specific user will be able to log onto the server using password authentication. If an SSH public key was assigned to the user at the time of creation, then the user will be able to use either the corresponding ssh private key or the password to login to the server.

Enable password authentication for multiple users at once


If you have multiple users that need password authentication, you can enable this feature for all users at one time. All users will have to exist in the directory service before you can add their passwords. So you should first add all users to the server with the Web interface, CLI, or API, then follow the instructions below to add their passwords to their LDAP entries.

  1. Retrieve the LDAP admin password and store it in a variable to use later
    ldappassword=$(sudo grep spring.ldap.password /opt/sftpgw/application.properties | cut -d'=' -f2)
    
  2. Create an LDIF file that will be used to add the user's passwords with nano /tmp/addpassword.ldif, paste in the following, and replace the <values> below with your own. (Note: the password can be entered as plain text and it will be hashed before it is stored in the directory service.)
    dn: uid=<username>,ou=People,dc=sftpgateway,dc=com
    changeType: modify
    replace: userPassword
    userPassword: <new password>
    
    dn: uid=<username2>,ou=People,dc=sftpgateway,dc=com
    changeType: modify
    replace: userPassword
    userPassword: <new password2>
    
    # This can be repeated for as many passwords as you would like to add at 1 time.
    
  3. Add password to the user's in the directory service
    ldapmodify -D cn=admin -w $ldappassword -f /tmp/addpassword.ldif
    
  4. Enable password authentication for those users with sudo nano /etc/ssh/sshd_config, and add the following lines to the end of the file for each user.
    Match user <username>
    PasswordAuthentication yes
    
  5. Save the file with ctrl-o then Enter
  6. Exit nano with ctrl-x
  7. Restart sshd service so the changes to the configuration file will be applied
    sudo systemctl restart sshd​

Now those specific users will be able to log onto the server using password authentication. If an SSH public key was assigned to those users at the time of creation, then those users will be able to use either the corresponding ssh private key or the password to login to the server.

SSHD_config formats

There are two ways in which you can enable password authentication in the sshd_config file. Each as their own benefits and drawbacks.

  • You can append the following line to the sshd_config file for each user.
    Match user username
    PasswordAuthentication yes
    
    • This method is the easiest for programmatically adding these lines to the file. The lines can be appended to the file with something as simple as:
      echo "Match user username\nPasswordAuthentication yes" >> /etc/sshd/sshd_config
      
    • This method can make your sshd_config file bulky and hard to search through manually.

 

  • You can add users to the match block as a comma-separated list.
    Match user username1,username2
    PasswordAuthentication yes
    ​
    • This is the easiest way to add users to this file manually. Note that there is no space between the comma and the next username.
    • This method keeps the sshd_config file succinct and requires the least amount of typing.
    • It is much more difficult to modify an existing line in a file programmatically.

With either of these cases, the sshd service will need to be restarted for the change to take effect.