Merge pull request #184 from avanier/allow_password_for_sftp

Allow password authentification for sftp

Author: artem-sidorenko

README.md

@@ -75,6 +75,7 @@ override['ssh-hardening']['ssh']['server']['listen_to'] = node['ipaddress']
 * `['ssh-hardening']['ssh']['server']['sftp']['enable']` - `false`. Set to `true` to enable the SFTP feature of OpenSSH daemon
 * `['ssh-hardening']['ssh']['server']['sftp']['group']` - `sftponly`. Sets the `Match Group` option of SFTP to allow SFTP only for dedicated users
 * `['ssh-hardening']['ssh']['server']['sftp']['chroot']` - `/home/%u`. Sets the directory where the SFTP user should be chrooted
+* `['ssh-hardening']['ssh']['server']['sftp']['password_authentication']` - `false`. Set to `true` if password authentication should be enabled
 * `['ssh-hardening']['ssh']['server']['authorized_keys_path']` - `nil`. If not nil, full path to an authorized keys folder is expected
 * `['ssh-hardening']['ssh']['server']['extras']` - `{}`. Add extra configuration options, see [below](#extra-configuration-options) for details
 

attributes/default.rb

@@ -112,7 +112,8 @@
   server['extras']                   = {}
 
   # sshd sftp options
-  server['sftp']['enable']           = false
-  server['sftp']['group']            = 'sftponly'
-  server['sftp']['chroot']           = '/home/%u'
+  server['sftp']['enable']                  = false
+  server['sftp']['group']                   = 'sftponly'
+  server['sftp']['chroot']                  = '/home/%u'
+  server['sftp']['password_authentication'] = false
 end

templates/default/opensshd.conf.erb

@@ -222,7 +222,7 @@ ForceCommand internal-sftp -l VERBOSE
 ChrootDirectory <%= @node['ssh-hardening']['ssh']['server']['sftp']['chroot'] %>
 AllowTcpForwarding no
 AllowAgentForwarding no
-PasswordAuthentication no
+PasswordAuthentication <%= ((@node['ssh-hardening']['ssh']['server']['sftp']['password_authentication']) ? 'yes' : 'no' ) %>
 PermitRootLogin no
 X11Forwarding no
 <% else %>