Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-07 14:50:55 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add password_disabled bool to sftpd config, disables password auth callback (#165)

Browse Source
This commit is contained in:
Giorgio Pellero
2020-09-01 19:26:33 +02:00
committed by GitHub
parent 3925c7ff95
commit 8391b19abb
2 changed files with 14 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/full-configuration.md
View File

@@ -63,6 +63,7 @@ The configuration file contains the following sections:
- `bind_address`, string. Leave blank to listen on all available network interfaces. Default: "" - `bind_address`, string. Leave blank to listen on all available network interfaces. Default: ""
- `idle_timeout`, integer. Deprecated, please use the same key in `common` section. - `idle_timeout`, integer. Deprecated, please use the same key in `common` section.
- `max_auth_tries` integer. Maximum number of authentication attempts permitted per connection. If set to a negative number, the number of attempts is unlimited. If set to zero, the number of attempts are limited to 6. - `max_auth_tries` integer. Maximum number of authentication attempts permitted per connection. If set to a negative number, the number of attempts is unlimited. If set to zero, the number of attempts are limited to 6.
- `password_disabled`, boolean. Set to false to forbid password authentication (for example in a pubkey-only setup).
- `banner`, string. Identification string used by the server. Leave empty to use the default banner. Default `SFTPGo_<version>`, for example `SSH-2.0-SFTPGo_0.9.5` - `banner`, string. Identification string used by the server. Leave empty to use the default banner. Default `SFTPGo_<version>`, for example `SSH-2.0-SFTPGo_0.9.5`
- `upload_mode` integer. Deprecated, please use the same key in `common` section. - `upload_mode` integer. Deprecated, please use the same key in `common` section.
- `actions`, struct. Deprecated, please use the same key in `common` section. - `actions`, struct. Deprecated, please use the same key in `common` section.

21
sftpd/server.go
View File

@@ -97,6 +97,8 @@ type Configuration struct {
// The following SSH commands are enabled by default: "md5sum", "sha1sum", "cd", "pwd". // The following SSH commands are enabled by default: "md5sum", "sha1sum", "cd", "pwd".
// "*" enables all supported SSH commands. // "*" enables all supported SSH commands.
EnabledSSHCommands []string `json:"enabled_ssh_commands" mapstructure:"enabled_ssh_commands"` EnabledSSHCommands []string `json:"enabled_ssh_commands" mapstructure:"enabled_ssh_commands"`
// PasswordDisabled specifies whether to forbid password authentication, for example in a publickey-only setup.
PasswordDisabled bool `json:"password_disabled" mapstructure:"password_disabled"`
// Absolute path to an external program or an HTTP URL to invoke for keyboard interactive authentication. // Absolute path to an external program or an HTTP URL to invoke for keyboard interactive authentication.
// Leave empty to disable this authentication mode. // Leave empty to disable this authentication mode.
KeyboardInteractiveHook string `json:"keyboard_interactive_auth_hook" mapstructure:"keyboard_interactive_auth_hook"` KeyboardInteractiveHook string `json:"keyboard_interactive_auth_hook" mapstructure:"keyboard_interactive_auth_hook"`
@@ -128,14 +130,6 @@ func (c Configuration) Initialize(configDir string) error {
serverConfig := &ssh.ServerConfig{ serverConfig := &ssh.ServerConfig{
NoClientAuth: false, NoClientAuth: false,
MaxAuthTries: c.MaxAuthTries, MaxAuthTries: c.MaxAuthTries,
PasswordCallback: func(conn ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
sp, err := c.validatePasswordCredentials(conn, pass)
if err != nil {
return nil, &authenticationError{err: fmt.Sprintf("could not validate password credentials: %v", err)}
}
return sp, nil
},
PublicKeyCallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) { PublicKeyCallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
sp, err := c.validatePublicKeyCredentials(conn, pubKey) sp, err := c.validatePublicKeyCredentials(conn, pubKey)
if err == ssh.ErrPartialSuccess { if err == ssh.ErrPartialSuccess {
@@ -158,6 +152,17 @@ func (c Configuration) Initialize(configDir string) error {
ServerVersion: fmt.Sprintf("SSH-2.0-%v", c.Banner), ServerVersion: fmt.Sprintf("SSH-2.0-%v", c.Banner),
} }
if !c.PasswordDisabled {
serverConfig.PasswordCallback = func(conn ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
sp, err := c.validatePasswordCredentials(conn, pass)
if err != nil {
return nil, &authenticationError{err: fmt.Sprintf("could not validate password credentials: %v", err)}
}
return sp, nil
}
}
if err := c.checkAndLoadHostKeys(configDir, serverConfig); err != nil { if err := c.checkAndLoadHostKeys(configDir, serverConfig); err != nil {
return err return err
} }