From b486af0031e11edd2018540109c87881fa92a204 Mon Sep 17 00:00:00 2001
From: KirCute <951206789@qq.com>
Date: Mon, 29 Sep 2025 21:46:55 +0800
Subject: [PATCH] feat(sftp-server): support disable password login (#1357)

---
 internal/bootstrap/data/setting.go | 3 +--
 internal/conf/const.go | 14 +++++++-------
 server/ftp.go | 3 ++-
 server/sftp.go | 9 +++++++--
 4 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/internal/bootstrap/data/setting.go b/internal/bootstrap/data/setting.go
index 7bbc1b6e..f07bbaad 100644
--- a/internal/bootstrap/data/setting.go
+++ b/internal/bootstrap/data/setting.go
@@ -213,12 +213,11 @@ func InitialSettings() []model.SettingItem {
 // ftp settings
 {Key: conf.FTPPublicHost, Value: "127.0.0.1", Type: conf.TypeString, Group: model.FTP, Flag: model.PRIVATE},
 {Key: conf.FTPPasvPortMap, Value: "", Type: conf.TypeText, Group: model.FTP, Flag: model.PRIVATE},
- {Key: conf.FTPProxyUserAgent, Value: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) " +
- "Chrome/87.0.4280.88 Safari/537.36", Type: conf.TypeString, Group: model.FTP, Flag: model.PRIVATE},
 {Key: conf.FTPMandatoryTLS, Value: "false", Type: conf.TypeBool, Group: model.FTP, Flag: model.PRIVATE},
 {Key: conf.FTPImplicitTLS, Value: "false", Type: conf.TypeBool, Group: model.FTP, Flag: model.PRIVATE},
 {Key: conf.FTPTLSPrivateKeyPath, Value: "", Type: conf.TypeString, Group: model.FTP, Flag: model.PRIVATE},
 {Key: conf.FTPTLSPublicCertPath, Value: "", Type: conf.TypeString, Group: model.FTP, Flag: model.PRIVATE},
+ {Key: conf.SFTPDisablePasswordLogin, Value: "false", Type: conf.TypeBool, Group: model.FTP, Flag: model.PRIVATE},
 
 // traffic settings
 {Key: conf.TaskOfflineDownloadThreadsNum, Value: strconv.Itoa(conf.Conf.Tasks.Download.Workers), Type: conf.TypeNumber, Group: model.TRAFFIC, Flag: model.PRIVATE},
diff --git a/internal/conf/const.go b/internal/conf/const.go
index f46b0d80..94f55e63 100644
--- a/internal/conf/const.go
+++ b/internal/conf/const.go
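Review bot: The `conf.FTPProxyUserAgent` row is removed from `InitialSettings` although the subject only announces the SFTP password-login switch, so an operator who had customised `ftp_proxy_user_agent` loses that value silently; the same removal recurs in the `NewMainDriver` hunk of server/ftp.go and the `NewSftpDriver` hunk of server/sftp.go, which now send `base.UserAgent`. Whether a leftover `ftp_proxy_user_agent` row in an existing database is cleaned up is not visible from this hunk, whose function starts and ends outside it. The added row would read more easily with its own heading, e.g. `// sftp settings: password login stays enabled unless this is set to true`, since it sits under `// ftp settings` and in `model.FTP`.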
@@ -125,13 +125,13 @@ const (
 QbittorrentSeedtime = "qbittorrent_seedtime"
 
 // ftp
- FTPPublicHost = "ftp_public_host"
- FTPPasvPortMap = "ftp_pasv_port_map"
- FTPProxyUserAgent = "ftp_proxy_user_agent"
- FTPMandatoryTLS = "ftp_mandatory_tls"
- FTPImplicitTLS = "ftp_implicit_tls"
- FTPTLSPrivateKeyPath = "ftp_tls_private_key_path"
- FTPTLSPublicCertPath = "ftp_tls_public_cert_path"
+ FTPPublicHost = "ftp_public_host"
+ FTPPasvPortMap = "ftp_pasv_port_map"
+ FTPMandatoryTLS = "ftp_mandatory_tls"
+ FTPImplicitTLS = "ftp_implicit_tls"
+ FTPTLSPrivateKeyPath = "ftp_tls_private_key_path"
+ FTPTLSPublicCertPath = "ftp_tls_public_cert_path"
+ SFTPDisablePasswordLogin = "sftp_disable_password_login"
 
 // traffic
 TaskOfflineDownloadThreadsNum = "offline_download_task_threads_num"
diff --git a/server/ftp.go b/server/ftp.go
index 56b0b8e4..fb7d86c8 100644
--- a/server/ftp.go
+++ b/server/ftp.go
@@ -13,6 +13,7 @@ import (
 "strings"
 "sync"
 
+ "github.com/OpenListTeam/OpenList/v4/drivers/base"
 "github.com/OpenListTeam/OpenList/v4/internal/conf"
 "github.com/OpenListTeam/OpenList/v4/internal/model"
 "github.com/OpenListTeam/OpenList/v4/internal/op"
@@ -80,7 +81,7 @@ func NewMainDriver() (*FtpMainDriver, error) {
 PasvConnectionsCheck: pasvConnCheck,
 },
 proxyHeader: http.Header{
- "User-Agent": {setting.GetStr(conf.FTPProxyUserAgent)},
+ "User-Agent": {base.UserAgent},
 },
 clients: make(map[uint32]ftpserver.ClientContext),
 shutdownLock: sync.RWMutex{},
diff --git a/server/sftp.go b/server/sftp.go
index f1ec9400..055f7973 100644
--- a/server/sftp.go
+++ b/server/sftp.go
@@ -5,6 +5,7 @@ import (
 "net/http"
 "time"
 
+ "github.com/OpenListTeam/OpenList/v4/drivers/base"
 "github.com/OpenListTeam/OpenList/v4/internal/conf"
 "github.com/OpenListTeam/OpenList/v4/internal/model"
 "github.com/OpenListTeam/OpenList/v4/internal/op"
@@ -27,7 +28,7 @@ func NewSftpDriver() (*SftpDriver, error) {
 sftp.InitHostKey()
 return &SftpDriver{
 proxyHeader: http.Header{
- "User-Agent": {setting.GetStr(conf.FTPProxyUserAgent)},
+ "User-Agent": {base.UserAgent},
 },
 }, nil
 }
@@ -36,10 +37,14 @@ func (d *SftpDriver) GetConfig() *sftpd.Config {
 if d.config != nil {
 return d.config
 }
+ var pwdAuth func(conn ssh.ConnMetadata, password []byte) (*ssh.Permissions, error) = nil
+ if !setting.GetBool(conf.SFTPDisablePasswordLogin) {
+ pwdAuth = d.PasswordAuth
+ }
 serverConfig := ssh.ServerConfig{
 NoClientAuth: true,
 NoClientAuthCallback: d.NoClientAuth,
- PasswordCallback: d.PasswordAuth,
+ PasswordCallback: pwdAuth,
 PublicKeyCallback: d.PublicKeyAuth,
 AuthLogCallback: d.AuthLogCallback,
 BannerCallback: d.GetBanner,
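Review bot: The toggle is read only on the first call, because `GetConfig` returns the cached `d.config` before `setting.GetBool(conf.SFTPDisablePasswordLogin)` is reached, so flipping `sftp_disable_password_login` at runtime would not change an already built server config unless `d.config` is reset somewhere outside this hunk. A comment above the new block would record that, e.g. `// evaluated once per cached config; a nil PasswordCallback turns password auth off`. `NoClientAuth: true` stays set, so whether a client can still get in without a key after password login is disabled depends on `d.NoClientAuth`, which is not shown here and is worth confirming. The explicit `= nil` is redundant; `var pwdAuth func(ssh.ConnMetadata, []byte) (*ssh.Permissions, error)` has the same zero value. The body of `GetConfig` continues past the end of the hunk.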