By default, SFTP users are configured to log in using SSH keys. This is more secure than passwords, which are transmitted over the wire and are easier to brute force, especially if set without complexity requirements.

Although we don’t recommend it, there are times when you need to enable password authentication. This article describes how to do so.

  1. Create a user via the web interface for user management.

  2. SSH into the EC2 instance, and elevate privileges to root:

     sudo su
  3. Set some bash variables, replacing the values below with your own (note: there are no spaces on either side of the equals sign). Both variables are used by the command in the next step:

     SFTP_USER=<username>
     NEW_PASSWORD=<your password>
  4. Reset the user’s password by pasting in the following code. It grabs admin credentials from a conf file, and then resets the user’s LDAP password:

     LOCAL_SECRET_ACCESS_KEY=$(sudo grep ldap.password /opt/sftpgw/ | cut -d'=' -f2)
     ldappasswd -x -D "cn=admin" -w ${LOCAL_SECRET_ACCESS_KEY} -S "uid=${SFTP_USER},ou=people,dc=sftpgateway,dc=com" -s "${NEW_PASSWORD}" -ZZ
  5. Edit the file /etc/ssh/sshd_config. This controls settings for SSH.

  6. On line 84, change ChallengeResponseAuthentication to yes:

     # Change to no to disable s/key passwords
     ChallengeResponseAuthentication yes
     #ChallengeResponseAuthentication no
  7. Add the following text at the very end of the file, replacing bob with the username you created. Every directive after a Match line applies only to the matched user, which is why this block must go last; all other users stay key-only:

     Match User bob
     PasswordAuthentication yes
  8. Save the sshd_config file.

  9. Restart SSH: sudo service sshd restart. Running sshd -t first validates the edited file, so a typo in sshd_config cannot leave you locked out after the restart. Note: if you’re running a multi-instance setup, see this page for details on how to send commands to multiple EC2 instances.

  10. User “bob” should now be able to SFTP using a password:

     $ sftp bob@52.202.XXX.XXX
     bob@52.202.XXX.XXX's password:
     Connected to 52.202.XXX.XXX.
     sftp> pwd
     Remote working directory: /home/bob
     sftp> bye
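The script below is an added example, not part of the original article or the SFTP Gateway product. It applies steps 6 and 7 to a copy of sshd_config in an idempotent way (re-running it does not duplicate lines), keeps the password exception scoped to the one named user, and shows the verification a practitioner would run before restarting sshd: sshd -t for syntax, and sshd -T -C user=... to print the options that would actually apply to that user. The function names, the temporary sample config and the users bob/alice are constructed for the example; the LDAP password reset from steps 3 and 4 is not included, and only the stock "Keyword value" line layout is handled.

```shell
#!/bin/sh
# Added example (not from the SFTP Gateway article): apply the sshd_config edits
# from steps 6 and 7 to a copy of the file, scoped to one user, and check the
# result. Assumes "Keyword value" lines; "Keyword=value" lines are not handled.
set -eu

# Exit 0 if CFG has a "Match User USER" block containing "PasswordAuthentication yes".
# Only the simple single-user form of Match is recognised (no patterns or lists).
password_auth_enabled_for() {
    user="$1"; cfg="$2"
    awk -v u="$user" '
        /^[ \t]*Match[ \t]/ { inblock = ($2 == "User" && $3 == u) }
        inblock && /^[ \t]*PasswordAuthentication[ \t]/ { if (tolower($2) == "yes") found = 1 }
        END { exit found ? 0 : 1 }
    ' "$cfg"
}

# Print the ChallengeResponseAuthentication value from the global section
# (everything before the first Match line); prints nothing if it is absent.
global_challenge_response() {
    awk '
        /^[ \t]*Match[ \t]/ { exit }
        /^[ \t]*ChallengeResponseAuthentication[ \t]/ { v = $2 }
        END { print v }
    ' "$1"
}

# Steps 6 and 7 in one idempotent function. Global directives must precede the
# first Match line, so the ChallengeResponseAuthentication rewrite stops there
# (or inserts the directive just above the first Match); the per-user Match
# block is appended at the very end, and only if it is not already present.
enable_password_auth_for_user() {
    user="$1"; cfg="$2"
    tmp="$cfg.tmp.$$"
    awk '
        /^[ \t]*Match[ \t]/ && !done { print "ChallengeResponseAuthentication yes"; done = 1 }
        /^[ \t]*ChallengeResponseAuthentication[ \t]/ && !done {
            print "ChallengeResponseAuthentication yes"; done = 1; next
        }
        { print }
        END { if (!done) print "ChallengeResponseAuthentication yes" }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    if ! password_auth_enabled_for "$user" "$cfg"; then
        printf '\nMatch User %s\n    PasswordAuthentication yes\n' "$user" >> "$cfg"
    fi
}

# Pre-restart check with real sshd flags: "sshd -t" validates the file and
# "sshd -T -C ..." prints the options that would apply to a simulated
# connection, so you can see that the named user gets password auth and
# everyone else does not. sshd needs host keys, so this runs only as root.
report_effective_auth() {
    user="$1"; cfg="$2"
    if ! command -v sshd >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "skipping sshd -T check for $user (needs root and sshd)"
        return 0
    fi
    sshd -t -f "$cfg"
    sshd -T -f "$cfg" -C "user=$user,host=localhost,addr=127.0.0.1" \
        | grep -Ei '^(passwordauthentication|kbdinteractiveauthentication|challengeresponseauthentication) '
}

# Constructed sample sshd_config mirroring the lines the article edits.
DEMO_DIR=$(mktemp -d)
DEMO_CFG="$DEMO_DIR/sshd_config"
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_CFG" <<'EOF'
Port 22
PasswordAuthentication no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
#ChallengeResponseAuthentication yes
UsePAM yes
EOF

enable_password_auth_for_user bob "$DEMO_CFG"
enable_password_auth_for_user bob "$DEMO_CFG"   # second run must not duplicate anything
echo "global ChallengeResponseAuthentication: $(global_challenge_response "$DEMO_CFG")"
for u in bob alice; do
    if password_auth_enabled_for "$u" "$DEMO_CFG"; then
        echo "$u: password authentication enabled via Match block"
    else
        echo "$u: key-only (no Match block)"
    fi
done
report_effective_auth bob "$DEMO_CFG" || echo "sshd check did not complete"
```

To use it against a live system, point the functions at /etc/ssh/sshd_config instead of the sample file and run report_effective_auth as root before the restart in step 9; the -C connection spec is what makes sshd evaluate the Match block rather than just the global defaults.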