diff --git a/docs/full-configuration.md b/docs/full-configuration.md index aefc0520..ffd68218 100644 --- a/docs/full-configuration.md +++ b/docs/full-configuration.md 
@@ -144,7 +144,7 @@ The configuration file contains the following sections: - `revoked_user_certs_file`, path to a file containing the revoked user certificates. The path can be absolute or relative to the configuration directory. It must contain a JSON list with the public key fingerprints of the revoked certificates. Example content: `["SHA256:bsBRHC/xgiqBJdSuvSTNpJNLTISP/G356jNMCRYC5Es","SHA256:119+8cL/HH+NLMawRsJx6CzPF1I3xC+jpM60bQHXGE8"]`. The revocation list can be reloaded on demand sending a `SIGHUP` signal on Unix based systems and a `paramchange` request to the running service on Windows. Default: "". - `login_banner_file`, path to the login banner file. The contents of the specified file, if any, are sent to the remote user before authentication is allowed. It can be a path relative to the config dir or an absolute one. Leave empty to disable login banner. - `enabled_ssh_commands`, list of enabled SSH commands. `*` enables all supported commands. More information can be found [here](./ssh-commands.md). - - `keyboard_interactive_authentication`, boolean. This setting specifies whether keyboard interactive authentication is allowed. If no keyboard interactive hook or auth plugin is defined the default is to prompt for the user password and then the one time authentication code, if defined. Default: `false`. + - `keyboard_interactive_authentication`, boolean. This setting specifies whether keyboard interactive authentication is allowed. If no keyboard interactive hook or auth plugin is defined the default is to prompt for the user password and then the one time authentication code, if defined. Default: `true`. - `keyboard_interactive_auth_hook`, string. Absolute path to an external program or an HTTP URL to invoke for keyboard interactive authentication. See [Keyboard Interactive Authentication](./keyboard-interactive.md) for more details. - `password_authentication`, boolean. Set to false to disable password authentication. 
This setting will disable multi-step authentication method using public key + password too. It is useful for public key only configurations if you need to manage old clients that will not attempt to authenticate with public keys if the password login method is advertised. Default: `true`. - `folder_prefix`, string. Virtual root folder prefix to include in all file operations (ex: `/files`). The virtual paths used for per-directory permissions, file patterns etc. must not include the folder prefix. The prefix is only applied to SFTP requests (in SFTP server mode), SCP and other SSH commands will be automatically disabled if you configure a prefix. The prefix is ignored while running as OpenSSH's SFTP subsystem. This setting can help some specific migrations from SFTP servers based on OpenSSH and it is not recommended for general usage. Default: blank. diff --git a/docs/howto/two-factor-authentication.md b/docs/howto/two-factor-authentication.md index 601d41e5..7f128868 100644 --- a/docs/howto/two-factor-authentication.md +++ b/docs/howto/two-factor-authentication.md 
@@ -33,16 +33,7 @@ The `issuer` and `algo` are visible/used in the authenticators apps. For example You can also define multiple configurations, for example one that uses `sha256` or `sha512` and another one that uses `sha1` and instruct your users to use the appropriate configuration for their devices/apps. The algorithm should not be changed if there are users or admins using the configuration. The `name` is visible to the users/admins when they select the 2FA configuration to use and it must be unique. A configuration name should not be changed if there are users or admins using it. -SFTPGo can use 2FA for `HTTP`, `SSH` (SFTP, SCP) and `FTP` protocols. If you plan to use 2FA with `SSH` you have to enable the keyboard interactive authentication which is disabled by default. - -```json - "sftpd": { - ... - "keyboard_interactive_authentication": true, - ... -``` - -Or setting the environment variable `SFTPGO_SFTPD__KEYBOARD_INTERACTIVE_AUTHENTICATION=1`. +SFTPGo can use 2FA for `HTTP`, `SSH` (SFTP, SCP) and `FTP` protocols. ## Enable 2FA for admins diff --git a/internal/config/config.go b/internal/config/config.go index 9bd69961..36ee71de 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -258,7 +258,7 @@ func Init() { RevokedUserCertsFile: "", LoginBannerFile: "", EnabledSSHCommands: []string{}, - KeyboardInteractiveAuthentication: false, + KeyboardInteractiveAuthentication: true, KeyboardInteractiveHook: "", PasswordAuthentication: true, FolderPrefix: "", diff --git a/sftpgo.json b/sftpgo.json index bd7fd34e..ca00eea9 100644 --- a/sftpgo.json +++ b/sftpgo.json @@ -96,7 +96,7 @@ "pwd", "scp" ], - "keyboard_interactive_authentication": false, + "keyboard_interactive_authentication": true, "keyboard_interactive_auth_hook": "", "password_authentication": true, "folder_prefix": ""
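Review bot: The docs/full-configuration.md hunk flips a security-relevant default (`keyboard_interactive_authentication` from `false` to `true`) but leaves the interaction with `password_authentication` undocumented. The same entry says that, with no hook or auth plugin defined, keyboard interactive auth "is to prompt for the user password and then the one time authentication code", while the `password_authentication` entry only promises to disable password and public key + password logins. An operator who set `password_authentication: false` for a key-only setup now also gets keyboard interactive advertised by default, so the text should state explicitly whether the built-in keyboard interactive flow is suppressed when password authentication is disabled, or whether `keyboard_interactive_authentication` must be set to `false` as well. A short "Changed default in this release" remark on the `Default: \`true\`` line would also help existing deployments that relied on the previous default.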
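Review bot: In the docs/howto/two-factor-authentication.md hunk the whole requirement is deleted rather than updated, which loses information users still need. The setting remains configurable, so a user who disabled keyboard interactive authentication (or inherits a config file that still has `"keyboard_interactive_authentication": false`) will find 2FA over SSH silently unavailable with no pointer in this how-to. Suggest replacing the removed block with one sentence instead of dropping it, e.g. "2FA over `SSH` requires keyboard interactive authentication, which is enabled by default; make sure `keyboard_interactive_authentication` is not set to `false` (or `SFTPGO_SFTPD__KEYBOARD_INTERACTIVE_AUTHENTICATION=0`)." The environment variable name from the removed paragraph is worth keeping for the same reason.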
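Review bot: The internal/config/config.go hunk changes the default in `Init()` (`KeyboardInteractiveAuthentication: true`) without any visible test update. A default flip of this kind is exactly what a config-loading test should pin down, so the patch should include or adjust the test that asserts the defaults produced by `Init()` (and the test that checks `sftpgo.json` matches the compiled-in defaults, if one exists) to expect `true`; otherwise a later regression back to `false`, or a mismatch between the Go default and the shipped JSON, goes unnoticed. A changelog entry for the new default belongs with this hunk as well, since it changes which authentication methods an upgraded server advertises to SSH clients.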