From ef0bebc5e27b4a8edf0ddfd1256f1a989b7116a0 Mon Sep 17 00:00:00 2001
From: RMartinOscar <40749467+RMartinOscar@users.noreply.github.com>
Date: Thu, 3 Jul 2025 19:06:58 +0000
Subject: [PATCH] Implement `Sftp` keyOnly authentication
---
 config/config.go | 2 ++
 remote/errors.go | 6 ++++++
 sftp/server.go | 5 +++++
 3 files changed, 13 insertions(+)
diff --git a/config/config.go b/config/config.go
index c80fed35..89ad133f 100644
--- a/config/config.go
+++ b/config/config.go
@@ -70,6 +70,8 @@ type SftpConfiguration struct {
 Port int `default:"2022" json:"bind_port" yaml:"bind_port"`
 // If set to true, no write actions will be allowed on the SFTP server.
 ReadOnly bool `default:"false" yaml:"read_only"`
+ // If set to true users won't be able to login using their password.
+ KeyOnly bool `default:"false" yaml:"key_only"`
 }
 
 // ApiConfiguration defines the configuration for the internal API that is
diff --git a/remote/errors.go b/remote/errors.go
index a28e9483..7a54d195 100644
--- a/remote/errors.go
+++ b/remote/errors.go
@@ -62,3 +62,9 @@ type SftpInvalidCredentialsError struct{}
 func (ice SftpInvalidCredentialsError) Error() string {
 return "the credentials provided were invalid"
 }
+
+type SftpKeyOnlyError struct{}
+
+func (ice SftpKeyOnlyError) Error() string {
+ return "password authentication is disabled; only SSH keys are allowed"
+}
diff --git a/sftp/server.go b/sftp/server.go
index 101191d6..d19051ef 100644
--- a/sftp/server.go
+++ b/sftp/server.go
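Review bot: The new exported type `SftpKeyOnlyError` in remote/errors.go has no doc comment, and its receiver is named `ice`, which was carried over from SftpInvalidCredentialsError and no longer abbreviates the type. I would add `// SftpKeyOnlyError is returned when a password login is attempted while the SFTP server is configured for key-only authentication.` above the type and rename the receiver, e.g. `func (koe SftpKeyOnlyError) Error() string {`. The call site in sftp/server.go returns a pointer to it, so any caller that wants to tell this rejection apart from invalid credentials has to match `*remote.SftpKeyOnlyError`; saying so in the doc comment would save the next reader a lookup.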
@@ -223,6 +223,11 @@ func (c *SFTPServer) makeCredentialsRequest(conn ssh.ConnMetadata, t remote.Sftp
 return nil, &remote.SftpInvalidCredentialsError{}
 }
 
+ if t == remote.SftpAuthPassword && config.Get().System.Sftp.KeyOnly {
+ logger.Warn("failed to validate user credentials (password authentication is disabled; only SSH keys are allowed)")
+ return nil, &remote.SftpKeyOnlyError{}
+ }
+
 resp, err := c.manager.Client().ValidateSftpCredentials(context.Background(), request)
 if err != nil {
 if _, ok := err.(*remote.SftpInvalidCredentialsError); ok {
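Review bot: The KeyOnly check in makeCredentialsRequest rejects a password attempt only after the SSH password callback has already run, so unless the server setup elsewhere in sftp/server.go also changes, the server presumably keeps offering `password` as an auth method and every guess still reaches this function. I would leave `PasswordCallback` unset on the `ssh.ServerConfig` when `config.Get().System.Sftp.KeyOnly` is true and keep this branch as a second check, documented with `// Defense in depth: PasswordCallback should already be unset when KeyOnly is enabled.`. The warning should also be attributable: `logger` is defined outside the hunk, and if it does not already carry the username and source address, they should be added from `conn.User()` and `conn.RemoteAddr()` so rejected password attempts can be alerted on. The function begins and ends outside this hunk, so neither the setup code nor the logger fields are visible here.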