By default, SFTP users are configured to log in using SSH keys. This is more secure than passwords: a password has to be sent to the server on every login (encrypted in transit, but still exposed to a compromised or impersonated server), and passwords are far easier to brute force, especially if they are set without complexity requirements. A private key never leaves the client.
Although we don't recommend it, there are times when you need to enable password authentication for a user. This article describes how to do so for a single user while leaving key-based login as the default for everyone else.
Create a user via the web interface for user management.
SSH into the EC2 instance and elevate privileges to root:

```
sudo su
```

Set some bash variables, replacing the values below with your own. (Note: there are no spaces next to the equals sign, and the password is quoted so that characters such as `$`, `!`, `<` and spaces are not interpreted by the shell.)

```
SFTP_USER=bob
NEW_PASSWORD='<your password>'
```

Be aware that a value typed on the command line like this is saved in the root shell's history; `read -rs NEW_PASSWORD` reads it from the terminal without echoing or recording it.

Reset the user's password by pasting in the following code. It grabs the LDAP admin credentials from the SFTP Gateway configuration file, and then resets the user's LDAP password over StartTLS (`-ZZ` aborts if TLS cannot be negotiated). The `grep` is anchored to the start of the line and `cut -f2-` keeps everything after the first `=`, so an admin password that itself contains `=` is not truncated. (`-S`, which prompts for the new password interactively, is redundant when `-s` supplies it, so it is omitted here.)

```
LOCAL_SECRET_ACCESS_KEY=$(sudo grep '^ldap\.password=' /opt/sftpgw/application.properties | cut -d'=' -f2-)
ldappasswd -x -ZZ -D "cn=admin" -w "${LOCAL_SECRET_ACCESS_KEY}" \
    -s "${NEW_PASSWORD}" "uid=${SFTP_USER},ou=people,dc=sftpgateway,dc=com"
```

Note that `-w` puts the admin password on the command line, where it is briefly visible in the process list; `-y <file>` reads it from a file instead.

Edit the file `/etc/ssh/sshd_config`, which controls settings for the SSH daemon. On line 84, change `ChallengeResponseAuthentication` to `yes`:

```
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
```

This is a global setting: with `UsePAM yes` it permits keyboard-interactive (PAM) password prompts for any account that has a password set, not only the SFTP user. If you want password logins limited to that one user, the same directive can instead be placed inside the `Match` block below, where sshd also accepts it (on OpenSSH 8.7 and later it is an alias for `KbdInteractiveAuthentication`).

Add the following text at the very end of the file. It has to be last: every directive that follows a `Match` line belongs to that block until the next `Match`, so anything placed after it would be scoped to bob too.

```
Match User bob
    PasswordAuthentication yes
```

Save the `sshd_config` file.

Before restarting, check the syntax; if sshd fails to restart because of a typo, you can lock yourself out of the instance. Keep your current SSH session open until a new login has been verified.

```
sudo sshd -t
```

Restart SSH:

```
sudo service sshd restart
```

Note: if you're running a multi-instance setup, see this page for details on how to send commands to multiple EC2 instances.

User "bob" should now be able to SFTP using a password:

```
$ sftp bob@52.202.XXX.XXX
bob@52.202.XXX.XXX's password:
Connected to 52.202.XXX.XXX.
sftp> pwd
Remote working directory: /home/bob
sftp> bye
```
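The whole procedure above as one script. This is an added example, not code from the original article or from SFTP Gateway's own tooling. It assumes the same paths and LDAP layout the article uses (`/opt/sftpgw/application.properties` with an `ldap.password` key, `uid=<user>,ou=people,dc=sftpgateway,dc=com`, sshd restarted with `service sshd restart`) and differs from the article in three deliberate ways: the new password is read from the terminal rather than the command line, both passwords are handed to `ldappasswd` through root-only temporary files (`-y`, `-T`) rather than `-w`/`-s`, and `ChallengeResponseAuthentication yes` goes inside the per-user `Match` block instead of being set globally. Nothing touches LDAP or the live sshd unless the script is run as root with `--apply USERNAME`; the helper functions can be exercised against copies of the files first.

```shell
#!/bin/sh
# Added example (not from the SFTP Gateway article): enable SFTP password login for one
# user. Assumed paths and DN layout follow the article; override with SSHD_CONFIG / PROPS.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
PROPS="${PROPS:-/opt/sftpgw/application.properties}"
LDAP_BASE="ou=people,dc=sftpgateway,dc=com"

# Print the LDAP admin password stored as "ldap.password=..." in the properties file $1.
# Anchored to the line start, and "-f2-" keeps everything after the first "=", so a
# secret that itself contains "=" is returned whole.
ldap_admin_password() {
    grep '^ldap\.password=' "$1" | head -n 1 | cut -d'=' -f2-
}

# Refuse usernames that could alter the LDAP DN or the sshd Match pattern
# (spaces, commas, quotes, wildcards). Returns 0 if safe, 1 otherwise.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append a Match block for user $2 to the sshd_config at $1, exactly once. Both
# directives are scoped to that user; the global PasswordAuthentication and
# ChallengeResponseAuthentication stay "no", so no other account gains a password prompt.
add_match_block() {
    if grep -q "^Match User $2\$" "$1"; then
        return 0            # already present: leave the file unchanged
    fi
    printf '\nMatch User %s\n    PasswordAuthentication yes\n    ChallengeResponseAuthentication yes\n' \
        "$2" >> "$1"
}

# Reset the user's LDAP password and update sshd. Runs only with --apply, as root.
apply() {
    user="$1"
    valid_username "$user" || { echo "refusing unsafe username: '$user'" >&2; exit 1; }
    admin_pw=$(ldap_admin_password "$PROPS")
    [ -n "$admin_pw" ] || { echo "no ldap.password found in $PROPS" >&2; exit 1; }

    # Read the new password from the terminal: it never lands in shell history or ps.
    printf 'New SFTP password for %s: ' "$user"
    stty -echo; read -r new_pw; stty echo; echo

    # Hand both secrets to ldappasswd via root-only temp files (-y admin bind password,
    # -T new user password) so neither appears in the process list. -ZZ insists on StartTLS.
    umask 077
    tmpd=$(mktemp -d)
    trap 'rm -rf "$tmpd"' EXIT
    printf '%s' "$admin_pw" > "$tmpd/admin"
    printf '%s' "$new_pw" > "$tmpd/new"
    ldappasswd -x -ZZ -D "cn=admin" -y "$tmpd/admin" -T "$tmpd/new" "uid=${user},${LDAP_BASE}"

    cp "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
    add_match_block "$SSHD_CONFIG" "$user"
    # Validate before restarting: a broken sshd_config can lock you out of the instance.
    if ! sshd -t -f "$SSHD_CONFIG"; then
        echo "sshd_config failed validation, restoring backup" >&2
        cp "$SSHD_CONFIG.bak" "$SSHD_CONFIG"
        exit 1
    fi
    service sshd restart
}

if [ "${1:-}" = "--apply" ]; then
    apply "${2:?usage: $0 --apply USERNAME}"
fi
```

Run it as root with `sh enable_sftp_password.sh --apply bob` (the file name is a placeholder). Afterwards, `sshd -T -C user=bob,host=<client host>,addr=<client ip>` prints the configuration sshd will actually apply to bob, Match block included, and the same command with another username should still show `passwordauthentication no`.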