
Can I implement key-based and password-based authentication at the same time on an SFTP server? I want the server to do the key-based auth first and, if it was correct, then ask for password-based auth. Is this possible to implement?

1 Answer

SFTP almost always (but not necessarily) uses SSH as transport. Authentication is performed on the SSH level. The option you're looking for thus belongs to the config of the SSH server.

I'm assuming OpenSSH. See man 5 sshd_config [emphasis mine]:

AuthenticationMethods

Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more lists of comma-separated authentication method names, or by the single string any to indicate the default behaviour of accepting any single authentication method. If the default is overridden, then successful authentication requires completion of every method in at least one of these lists.

For example, "publickey,password publickey,keyboard-interactive" would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. Only methods that are next in one or more lists are offered at each stage, so for this example it would not be possible to attempt password or keyboard-interactive authentication before public key.

[…]

(Side note: What's the difference between password and keyboard-interactive?)

It seems the example is exactly what you want.

Note the setting will affect not only SFTP, but every usage of SSH. AFAIK you cannot easily use the setting differently for SFTP than for everything else, because authentication occurs before the server knows you want SFTP. The server knows the user early enough though, so if you need this for "SFTP-only users", then it's possible to affect only them thanks to a conditional block (Match).

After changing the config file you need to restart the SSH server or otherwise tell it to reload the configuration. sshd from OpenSSH rereads its configuration upon receiving a hangup signal, SIGHUP.

  • Seems like what I have been searching for for a week. Gonna give it a try and let you know if I could implement it successfully.
    – Keeran
    Commented Feb 22, 2022 at 13:24
  • I got that. Thx for the help.
    – Keeran
    Commented Feb 22, 2022 at 14:24
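
The behaviour the answer describes (a Match block scoping AuthenticationMethods to SFTP-only users, and methods being offered only when they are next in a list) can be checked with a small model. This is an added example, not part of the original answer and not OpenSSH code: the config text, the group name sftponly and the function names are assumptions, and only "Match Group" is modelled.

```python
# Added example: simplified model of AuthenticationMethods as the man page
# describes it. Config text, group names and attempts below are constructed.
SAMPLE_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication yes

# Hypothetical group holding the SFTP-only accounts
Match Group sftponly
    AuthenticationMethods publickey,password publickey,keyboard-interactive
    ForceCommand internal-sftp
"""

def effective_methods(config, user_groups):
    """Method lists that apply to a user. Only 'Match Group' is modelled."""
    global_val = match_val = None
    in_match = applies = False
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        key = tokens[0].lower()  # sshd_config keywords are case-insensitive
        if key == "match":
            in_match = True
            applies = (len(tokens) == 3 and tokens[1].lower() == "group"
                       and bool(set(tokens[2].split(",")) & set(user_groups)))
        elif key == "authenticationmethods":
            if not in_match and global_val is None:
                global_val = tokens[1:]
            elif in_match and applies and match_val is None:
                match_val = tokens[1:]
    chosen = match_val or global_val or ["any"]  # unset means "any"
    return [entry.split(",") for entry in chosen]

def simulate(method_lists, attempts):
    """Replay methods the client completes, in order: (granted, log)."""
    remaining, log = [list(l) for l in method_lists], []
    for method in attempts:
        offered = sorted({l[0] for l in remaining if l})
        if method not in offered and offered != ["any"]:
            log.append((method, "not offered", offered))
            continue
        # A completed method is removed from the head of each list it starts.
        remaining = [l[1:] if l and l[0] in (method, "any") else l
                     for l in remaining]
        log.append((method, "accepted", sorted({l[0] for l in remaining if l})))
        if any(not l for l in remaining):
            return True, log
    return False, log
```

On a real server, `sshd -t` checks the edited file for syntax errors before the reload, and `sshd -T -C user=NAME` prints the settings that would apply to a given user.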
