
sftpgateway-public / SFTP Gateway 2.0 Enable password login instead of using SSH Keys

By default, SFTP users are configured to log in using SSH keys. This is more secure than passwords, which are transmitted over the wire and are easier to brute force, especially if they are set without complexity requirements.

Although we don't recommend it, there are times when you need to enable password authentication. This article describes how to do so.

  1. Create a user via the web interface for user management.

  2. SSH into the EC2 instance, and elevate privileges to root:

     sudo su
    
  3. Set some bash variables, replacing the values below with your own. (Note: there are no spaces next to the equal sign. Quote the password so that spaces or shell metacharacters in it are preserved.)

     SFTP_USER=bob
     NEW_PASSWORD='<your password>'
    
  4. Reset the user's password by pasting in the following code. It reads the LDAP admin credentials from the SFTP Gateway configuration file, and then resets the user's LDAP password:

     # The admin bind password is stored as spring.ldap.password=<value>
     prefix="spring.ldap.password="
     str=$(grep "${prefix}" /opt/sftpgw/application.properties 2>/dev/null)
     # Strip the key prefix, leaving only the secret
     LOCAL_SECRET_ACCESS_KEY="${str#$prefix}"
     # Bind as cn=admin over StartTLS (-ZZ) and set the new password for the user entry
     ldappasswd -x -D "cn=admin" -w "${LOCAL_SECRET_ACCESS_KEY}" -S "uid=${SFTP_USER},ou=people,dc=sftpgateway,dc=com" -s "${NEW_PASSWORD}" -ZZ
    
  5. Edit the file /etc/ssh/sshd_config. This controls settings for SSH.

  6. On line 84, change the active (uncommented) ChallengeResponseAuthentication directive from no to yes, so that the block reads:

    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication yes
    #ChallengeResponseAuthentication no
    
  7. Add the following text at the very end of the file:

    Match User bob
    PasswordAuthentication yes
    
  8. Save the sshd_config file.

  9. Restart SSH: sudo service sshd restart. Note: if you're running a multi-instance setup, see this page for details on how to send commands to multiple EC2 instances.

  10. User "bob" should now be able to sftp using a password:

    $ sftp bob@52.202.XXX.XXX
    bob@52.202.XXX.XXX's password:
    Connected to 52.202.XXX.XXX.
    sftp> pwd
    Remote working directory: /home/bob
    sftp> bye
    
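The steps above, collected into a single shell script so the edits can be checked before sshd is restarted. This is an added example, not part of the SFTP Gateway project or this article; it assumes the OpenLDAP client tools and OpenSSH are installed and uses the paths, bind DN and base DN shown in the steps. The sshd_config edits are written as functions that take a file path, so they can be exercised against a scratch copy, and the live changes only run when SFTPGW_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not SFTP Gateway's own tooling): the password-enable
# procedure as checkable shell functions. Assumed paths/DNs follow the article.
PROPS=/opt/sftpgw/application.properties
SSHD_CONFIG=/etc/ssh/sshd_config

# Extract the LDAP admin secret from the spring.ldap.password= line.
read_ldap_secret() {   # arg: application.properties path
    sed -n 's/^spring\.ldap\.password=//p' "$1" | head -n 1
}

# Reset an LDAP user's password over StartTLS (-ZZ) so the secret is not sent in clear.
reset_ldap_password() {   # args: user, new_password, admin_secret
    ldappasswd -x -D "cn=admin" -w "$3" \
        -S "uid=$1,ou=people,dc=sftpgateway,dc=com" -s "$2" -ZZ
}

# Set ChallengeResponseAuthentication yes, replacing the active directive only;
# commented-out copies ("#ChallengeResponseAuthentication no") are left alone.
enable_challenge_response() {   # arg: sshd_config path
    tmp="$1.tmp"
    if grep -q '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]' "$1"; then
        sed 's/^[[:space:]]*ChallengeResponseAuthentication[[:space:]].*/ChallengeResponseAuthentication yes/' "$1" > "$tmp"
    else
        { cat "$1"; echo "ChallengeResponseAuthentication yes"; } > "$tmp"
    fi
    # Write back through the original file so its mode and ownership are kept.
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Append a per-user Match block (idempotent: a second call for the same user is a no-op).
add_match_block() {   # args: sshd_config path, user
    if grep -q "^Match User $2\$" "$1"; then
        return 0
    fi
    printf '\nMatch User %s\n    PasswordAuthentication yes\n' "$2" >> "$1"
}

# Audit helper: how many users have been granted password login via Match blocks.
count_password_users() {   # arg: sshd_config path
    grep -c '^Match User ' "$1" || true
}

# Apply end-to-end only when explicitly requested, so the functions can be
# sourced or tested without touching the live host.
if [ "${SFTPGW_APPLY:-0}" = "1" ]; then
    SFTP_USER="${SFTP_USER:?set SFTP_USER}"
    NEW_PASSWORD="${NEW_PASSWORD:?set NEW_PASSWORD}"
    secret=$(read_ldap_secret "$PROPS")
    reset_ldap_password "$SFTP_USER" "$NEW_PASSWORD" "$secret"
    cp "$SSHD_CONFIG" "$SSHD_CONFIG.bak"          # keep a rollback copy
    enable_challenge_response "$SSHD_CONFIG"
    add_match_block "$SSHD_CONFIG" "$SFTP_USER"
    sshd -t && service sshd restart               # validate the config before restarting
fi
```

Run it as root with SFTPGW_APPLY=1 SFTP_USER=bob NEW_PASSWORD='...' after creating the user in the web interface. Two points worth checking afterwards: sshd -t refuses to restart on a syntax error, which avoids locking yourself out of a broken daemon, and count_password_users gives a quick inventory of which accounts have been opened to password login, since each Match block is a standing exception to the key-only default.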
