allow seperate password login for sftp

Signed-off-by: Michael <[email protected]>

Author: mib1185

roles/ssh_hardening/README.md

@@ -89,6 +89,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - Description: Specifies the umask for sftp.
   - Type: str
   - Required: no
+- `sftp_password_login`
+  - Default: inherite from `ssh_server_password_login`
+  - Description: Set to `true` to allow password-based authentication to the sftp server. You probably also need to change `sshd_authenticationmethods` to include `password` if you set `sftp_password_login`: `true`.
+  - Type: bool
+  - Required: no
 - `ssh_allow_agent_forwarding`
   - Default: `False`
   - Description: Set to `false` to disable Agent Forwarding. Set to `true` to allow Agent Forwarding.

roles/ssh_hardening/defaults/main.yml

@@ -180,6 +180,9 @@ sftp_umask: "0027"
 # change default sftp chroot location
 sftp_chroot_dir: /home/%u
 
+# If true, password login for sftp is allowed
+sftp_password_login: "{{ ssh_server_password_login }}"
+
 # enable experimental client roaming
 ssh_client_roaming: false
 

roles/ssh_hardening/templates/opensshd.conf.j2

@@ -283,7 +283,7 @@ Match Group sftponly
 {% endif %}
     AllowTcpForwarding no
     AllowAgentForwarding no
-    PasswordAuthentication {{ 'yes' if (ssh_server_password_login|bool) else 'no' }}
+    PasswordAuthentication {{ 'yes' if (sftp_password_login|bool) else 'no' }}
     PermitRootLogin no
     X11Forwarding no
 {% endif %}