Add password_disabled bool to sftpd config, disables password auth callback (#165)
This commit is contained in:
Giorgio Pellero
GitHub
parent
3925c7ff95
commit
8391b19abb
2 changed files with 14 additions and 8 deletions
|
|
@ -63,6 +63,7 @@ The configuration file contains the following sections:
|
|||
- `bind_address`, string. Leave blank to listen on all available network interfaces. Default: ""
|
||||
- `idle_timeout`, integer. Deprecated, please use the same key in `common` section.
|
||||
- `max_auth_tries` integer. Maximum number of authentication attempts permitted per connection. If set to a negative number, the number of attempts is unlimited. If set to zero, the number of attempts are limited to 6.
|
||||
- `password_disabled`, boolean. Set to false to forbid password authentication (for example in a pubkey-only setup).
|
||||
- `banner`, string. Identification string used by the server. Leave empty to use the default banner. Default `SFTPGo_<version>`, for example `SSH-2.0-SFTPGo_0.9.5`
|
||||
- `upload_mode` integer. Deprecated, please use the same key in `common` section.
|
||||
- `actions`, struct. Deprecated, please use the same key in `common` section.
|
||||
|
|
|
|||
|
|
@ -97,6 +97,8 @@ type Configuration struct {
|
|||
// The following SSH commands are enabled by default: "md5sum", "sha1sum", "cd", "pwd".
|
||||
// "*" enables all supported SSH commands.
|
||||
EnabledSSHCommands []string `json:"enabled_ssh_commands" mapstructure:"enabled_ssh_commands"`
|
||||
// PasswordDisabled specifies whether to forbid password authentication, for example in a publickey-only setup.
|
||||
PasswordDisabled bool `json:"password_disabled" mapstructure:"password_disabled"`
|
||||
// Absolute path to an external program or an HTTP URL to invoke for keyboard interactive authentication.
|
||||
// Leave empty to disable this authentication mode.
|
||||
KeyboardInteractiveHook string `json:"keyboard_interactive_auth_hook" mapstructure:"keyboard_interactive_auth_hook"`
|
||||
|
|
@ -128,14 +130,6 @@ func (c Configuration) Initialize(configDir string) error {
|
|||
serverConfig := &ssh.ServerConfig{
|
||||
NoClientAuth: false,
|
||||
MaxAuthTries: c.MaxAuthTries,
|
||||
PasswordCallback: func(conn ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
|
||||
sp, err := c.validatePasswordCredentials(conn, pass)
|
||||
if err != nil {
|
||||
return nil, &authenticationError{err: fmt.Sprintf("could not validate password credentials: %v", err)}
|
||||
}
|
||||
|
||||
return sp, nil
|
||||
},
|
||||
PublicKeyCallback: func(conn ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
|
||||
sp, err := c.validatePublicKeyCredentials(conn, pubKey)
|
||||
if err == ssh.ErrPartialSuccess {
|
||||
|
|
@ -158,6 +152,17 @@ func (c Configuration) Initialize(configDir string) error {
|
|||
ServerVersion: fmt.Sprintf("SSH-2.0-%v", c.Banner),
|
||||
}
|
||||
|
||||
if !c.PasswordDisabled {
|
||||
serverConfig.PasswordCallback = func(conn ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
|
||||
sp, err := c.validatePasswordCredentials(conn, pass)
|
||||
if err != nil {
|
||||
return nil, &authenticationError{err: fmt.Sprintf("could not validate password credentials: %v", err)}
|
||||
}
|
||||
|
||||
return sp, nil
|
||||
}
|
||||
}
|
||||
|
||||
if err := c.checkAndLoadHostKeys(configDir, serverConfig); err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue