By default, SFTP users are configured to log in using SSH keys. This is more secure than passwords: a password is a reusable secret that has to be sent to the server on every login, and passwords are much easier to guess or brute force, especially if they are set without complexity requirements.

Although we don’t recommend it, there are times when you need to enable password authentication. This article describes how to do so.

  1. Create a user via the web interface for user management.

  2. SSH into the EC2 instance, and elevate privileges to root:

     sudo su
    
  3. Set some bash variables, replacing the values below with your own. (Note: there are no spaces around the equal sign. Quote the password if it contains spaces or shell special characters. Anything typed at the prompt is also saved in the root shell's history, so if that matters, use `read -rs NEW_PASSWORD` to enter the password without echoing or recording it.)

     SFTP_USER=bob
     NEW_PASSWORD='<your password>'
    
  4. Reset the user's password by pasting in the following code. It reads the LDAP admin password from the gateway's configuration file and uses it to reset the user's LDAP password. The `-ZZ` flag makes `ldappasswd` fail rather than fall back to cleartext if StartTLS cannot be negotiated:

     # Pull the admin bind password out of the gateway's properties file
     prefix="spring.ldap.password="
     str=$(grep "^${prefix}" /opt/sftpgw/application.properties 2>/dev/null)
     LOCAL_SECRET_ACCESS_KEY="${str#"$prefix"}"
     # Bind as the admin and set the new password on the user's entry
     ldappasswd -x -D "cn=admin" -w "${LOCAL_SECRET_ACCESS_KEY}" -S "uid=${SFTP_USER},ou=people,dc=sftpgateway,dc=com" -s "${NEW_PASSWORD}" -ZZ
    
  5. Edit the file /etc/ssh/sshd_config. This controls the settings of the SSH server (sshd).

  6. Find the ChallengeResponseAuthentication directive (around line 84 in the stock config) and change it to yes. Note that this is a server-wide setting, not one limited to the user you add below; on OpenSSH 8.7 and later it is a deprecated alias for KbdInteractiveAuthentication but is still accepted.

    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication yes
    #ChallengeResponseAuthentication no
    
  7. Add the following text at the very end of the file, replacing bob with the user from step 3. Match blocks must come last: every directive after a Match line applies only to the matched users, up to the next Match line.

    Match User bob
    PasswordAuthentication yes
    
  8. Save the sshd_config file, then check it before restarting: `sshd -t` prints nothing if the configuration is valid and reports the offending line otherwise. A bad sshd_config that is restarted can lock you out of the instance.

  9. Restart SSH: sudo service sshd restart. Note: if you're running a multi-instance setup, see this page for details on how to send commands to multiple EC2 instances.

  10. User "bob" should now be able to connect over SFTP with a password:

    $ sftp bob@52.202.XXX.XXX
    bob@52.202.XXX.XXX's password:
    Connected to 52.202.XXX.XXX.
    sftp> pwd
    Remote working directory: /home/bob
    sftp> bye
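The procedure in steps 3 to 9, collected into one script as an added example. This is not code from the article or from the SFTP Gateway product; it assumes what the article states (the LDAP admin bind password is the `spring.ldap.password=` entry in /opt/sftpgw/application.properties, users live under `ou=people,dc=sftpgateway,dc=com`, sshd reads /etc/ssh/sshd_config) and adds the checks a practitioner wants: the password is prompted for instead of typed on the command line, the sshd_config edits are idempotent and never touch a Match block by accident, and sshd is only restarted after `sshd -t` accepts the file.

```sh
#!/bin/sh
# Added example (not from the article or the SFTP Gateway product): automates
# steps 3-9 above. Assumed from the article: the LDAP admin bind password is
# the spring.ldap.password= entry in /opt/sftpgw/application.properties, users
# live under ou=people,dc=sftpgateway,dc=com, and sshd reads /etc/ssh/sshd_config.
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
APP_PROPS="${APP_PROPS:-/opt/sftpgw/application.properties}"

# Step 4: reset the user's LDAP password with the admin secret from the conf file.
set_ldap_password() {
  user="$1"; new_password="$2"
  prefix="spring.ldap.password="
  line=$(grep "^${prefix}" "$APP_PROPS" 2>/dev/null || true)
  admin_secret="${line#"$prefix"}"
  if [ -z "$admin_secret" ]; then
    echo "could not read ${prefix} from ${APP_PROPS}" >&2
    return 1
  fi
  # -ZZ: require StartTLS to succeed so neither password crosses the wire in clear.
  ldappasswd -x -ZZ -D "cn=admin" -w "$admin_secret" \
    -s "$new_password" "uid=${user},ou=people,dc=sftpgateway,dc=com"
}

# Step 6: set the global ChallengeResponseAuthentication to yes. Only the part
# of the file before the first Match block is touched; if the directive is
# absent it is inserted at the top, so it can never land inside a Match block.
enable_challenge_response() {
  cfg="$1"
  tmp=$(mktemp)
  if ! awk '
      /^[[:space:]]*Match([[:space:]]|$)/ { in_match = 1 }
      !in_match && $1 == "ChallengeResponseAuthentication" {
        if (!seen) print "ChallengeResponseAuthentication yes"
        seen = 1; next                    # drop duplicate active directives
      }
      { print }
      END { if (seen) exit 0; exit 1 }    # non-zero: nothing was replaced
    ' "$cfg" > "$tmp"; then
    { echo "ChallengeResponseAuthentication yes"; cat "$tmp"; } > "$tmp.new"
    mv "$tmp.new" "$tmp"
  fi
  cat "$tmp" > "$cfg"   # write through cat so the file keeps its owner and mode
  rm -f "$tmp"
}

# Step 7: append the per-user Match block, once. Match blocks must be the last
# thing in sshd_config, so appending is the right place for them.
add_match_block() {
  cfg="$1"; user="$2"
  if grep -q "^Match User ${user}\$" "$cfg"; then
    return 0
  fi
  printf '\nMatch User %s\n    PasswordAuthentication yes\n' "$user" >> "$cfg"
}

# Steps 8-9: validate before restarting; a broken sshd_config locks you out.
reload_sshd() {
  /usr/sbin/sshd -t -f "$SSHD_CONFIG"
  service sshd restart
}

main() {
  user="$1"
  # Step 3, done more safely: prompt for the password instead of putting it
  # on the command line, where it would be saved in the root shell's history.
  if [ -z "${NEW_PASSWORD:-}" ]; then
    printf 'New SFTP password for %s: ' "$user"
    stty -echo 2>/dev/null || true
    read -r NEW_PASSWORD
    stty echo 2>/dev/null || true
    echo
  fi
  set_ldap_password "$user" "$NEW_PASSWORD"
  enable_challenge_response "$SSHD_CONFIG"
  add_match_block "$SSHD_CONFIG" "$user"
  reload_sshd
}

# Usage (as root): ./enable-sftp-password.sh bob
# With no arguments the script only defines its functions, so it can be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as root with the username as the only argument; it prompts for the new password. Setting `SSHD_CONFIG` to a copy of the real file lets you inspect the resulting edits before touching the live server.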