How to Configure SFTP Password Authentication for a Specific User on Ubuntu EC2 While Maintaining SSH Key Access

When you spin up an Ubuntu EC2 instance, AWS configures it for key-based authentication by default. The /etc/ssh/sshd_config file typically contains the lines below (on Ubuntu 22.04 and later, cloud-init sets the same PasswordAuthentication no in /etc/ssh/sshd_config.d/50-cloud-init.conf, which an Include at the top of sshd_config reads before anything else):

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

First, create a restricted user account with no shell access (the ownership and mode set on /home/testuser here are changed again below, because the chroot directory has stricter requirements):

sudo adduser --shell /bin/false --home /home/testuser testuser
sudo passwd testuser  # Set your password
sudo mkdir -p /home/testuser/uploads
sudo chown testuser:testuser /home/testuser/uploads
sudo chmod 700 /home/testuser

Edit /etc/ssh/sshd_config to enable password authentication only for the SFTP user. Everything that follows a Match line belongs to that block until the next Match line, so the global settings must stay above it and the Match block must be the last section of the file:

# Global settings (already present in the default file; they keep every
# other user on key-only authentication)
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# Keep this block at the end of the file
Match User testuser
    PasswordAuthentication yes
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    PermitTunnel no
    AllowAgentForwarding no
    AllowTcpForwarding no
    X11Forwarding no

The chroot directory must be owned by root and must not be group- or world-writable; otherwise sshd rejects the login and auth.log reports "bad ownership or modes for chroot directory". Correct the ownership set during user creation, leaving the uploads subdirectory owned by testuser so the user can still write there:

sudo chown root:root /home/testuser
sudo chmod 755 /home/testuser
sudo chown testuser:testuser /home/testuser/uploads

After saving the changes, validate the file with sshd -t before restarting: a syntax error makes sshd fail to start, which on an EC2 instance means losing access. Keep your current SSH session open until the new login has been verified, then restart and test:

sudo systemctl restart sshd

# Test connection from local machine:
sftp -o PreferredAuthentications=password testuser@your-ec2-ip

For debugging connection issues, check the auth log:

sudo tail -f /var/log/auth.log

Consider these additional measures. fail2ban bans source addresses after repeated failed logins, and the iptables rules below rate-limit new connections to port 22 per source address; note that raw iptables rules are lost on reboot unless saved (for example with the netfilter-persistent package):

# Limit login attempts
sudo apt install fail2ban

# Set up rate limiting
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

When setting up an Ubuntu EC2 instance, AWS defaults to key-based authentication for SSH/SFTP access. Many developers need mixed authentication modes: key-based SSH for admin users and password-based SFTP for specific users. Here's how to implement this configuration properly.

First, make sure the OpenSSH server is installed and running. SFTP is the SSH file transfer subsystem, not the FTP protocol, so it is served by sshd itself; an FTP daemon such as vsftpd is not needed and would only expose a second service:

sudo apt-get update
sudo apt-get install openssh-server
sudo systemctl start ssh
sudo systemctl enable ssh

Edit the SSH daemon configuration to enable password authentication for specific users:

sudo nano /etc/ssh/sshd_config

Add these directives at the bottom of the file (the Match block must be last, because every line after a Match line belongs to it):

Match User testuser
    PasswordAuthentication yes
    AuthenticationMethods password
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
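As an added check (example code, not from the article): sshd scopes every line below a Match line to that block, and the first value of a keyword wins within a section, so a configuration that writes its "global" lines after the Match block, as the first walkthrough above did, does not mean what it looks like. The script below emulates those precedence rules on a constructed copy of that misordered config; the sample config, the user names and the restriction to Match User criteria are assumptions.

```shell
# Added example, not from the original article: emulate how sshd scopes
# sshd_config keywords and print what a given user actually ends up with.
# Emulated rules: in the global section the first value of a keyword wins;
# everything after a "Match" line belongs to that block until the next
# "Match"; the first matching block overrides the global value. Assumption:
# only "Match User <name>" criteria are recognised (enough for this setup).
set -eu

# effective_value <sshd_config> <user> <keyword>: prints the value, or
# "(default)" when the file never sets the keyword for that user.
effective_value() {
  awk -v user="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
    /^[ \t]*(#|$)/ { next }                               # comments, blanks
    tolower($1) == "match" {
      in_match = 1; applies = (tolower($2) == "user" && $3 == user); next
    }
    tolower($1) != key { next }
    !in_match && global == "" { global = $2; next }       # first global wins
    in_match && applies && matched == "" { matched = $2 }  # first block wins
    END { v = (matched != "" ? matched : global); print (v == "" ? "(default)" : v) }
  ' "$1"
}

# Constructed sample reproducing the misordered config: the "global" lines
# written after the Match block are in fact part of that block.
write_sample_config() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
PasswordAuthentication no
Match User testuser
    PasswordAuthentication yes
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
# intended as global, but scoped to testuser by the Match above
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
  printf '%s\n' "$f"
}

main() {
  cfg=$(write_sample_config)
  for u in ubuntu testuser; do
    printf '%-8s PasswordAuthentication=%s ForceCommand=%s\n' "$u" \
      "$(effective_value "$cfg" "$u" PasswordAuthentication)" \
      "$(effective_value "$cfg" "$u" ForceCommand)"
  done
  rm -f "$cfg"
}
main
```

On the instance itself, `sudo sshd -T -C user=testuser` prints the real effective configuration for that user and is the authoritative check.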

Create the SFTP-only user with proper permissions:

sudo adduser testuser --shell /bin/false
sudo passwd testuser
sudo mkdir -p /home/testuser/uploads
sudo chown root:root /home/testuser
sudo chmod 755 /home/testuser
sudo chown testuser:testuser /home/testuser/uploads

Ensure your security group allows inbound TCP port 22 from the clients that need SFTP. For AWS EC2 the command below opens it; with password authentication enabled, do not leave the source as 0.0.0.0/0 but replace it with your clients' address range:

aws ec2 authorize-security-group-ingress \
    --group-id your-group-id \
    --protocol tcp \
    --port 22 \
    --cidr 0.0.0.0/0

After making changes, always test thoroughly, from a second session while your existing SSH session stays open so a mistake cannot lock you out:

sudo systemctl restart sshd
sftp testuser@your-ec2-ip

For debugging connection issues, check these logs:

sudo tail -f /var/log/auth.log
sudo journalctl -u ssh -f   # the OpenSSH unit is named ssh on Ubuntu

To protect against brute force attacks when using password auth:

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then edit jail.local and set appropriate bantime and maxretry values in its [sshd] section.