Ssh – Enable password login for SFTP while keeping authentication by SSH keys

authenticationdrupal7sftpssh

How do I keep a password login enabled for SFTP transactions (made by Drupal, if this is important) while keeping it disabled for all other SSH key based authentications? Currently all the existing users of the CentOS server use keys to log in and /etc/ssh/sshd_config has PasswordAuthentication no)?

Best Answer

From what I gather you want to permit passwords from some users, but not others?
You could setup a Match block. So your config might look something like below.

...
PasswordAuthentication no
...
Match user drupalsftp
    PasswordAuthentication yes

Since you mentioned these password-based transactions are happening from drupal, perhaps you could whitelist based on the host address? Match address 127.0.0.1/32

You should even be able to combine the criteria, and say only a specific account from a specific address can do password authentication.

PasswordAuthentication no
...
Match user drupalsftp address 10.1.2.3/32
    PasswordAuthentication yes
    # also since we want only sftp
    ForceCommand internal-sftp

Links

https://www.freebsd.org/cgi/man.cgi?sshd_config(5) - See the 'Match' section
https://www.freebsd.org/cgi/man.cgi?ssh_config(5) - See the 'patterns' section

Related Solutions

SSH keys fail for one user

Two parts: first, turn up debugging on your ssh sever. Edit /etc/ssh/sshd_config and increase LogLevel to DEBUG. Then force your ssh server to reload it's config with killall -HUP <sshd pid>.

That will cause the server to add much more details to your /var/log/secure and/or /var/log/auth logfiles.

Secondly (actually you cant try this first), increase the debug level on the client side. ssh in to the box with

$ ssh -vvv hostname

and that will print out lots more info about where the process is failing.

If you do turn up the debug level on your ssh server, don't forget to turn it back down when you are finished.

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

SSH keys fail for one user

Ssh – How to automate SSH login with password

Related Topic