diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md
index 394169c3..fa55ee2a 100644
--- a/roles/ssh_hardening/README.md
+++ b/roles/ssh_hardening/README.md
@@ -88,6 +88,11 @@ For more information, see [this issue](https://github.com/dev-sec/ansible-collec
   - Description: Specifies the umask for sftp.
   - Type: str
   - Required: no
+- `sftp_password_login`
+  - Default: inherite from `ssh_server_password_login`
+  - Description: Set to `true` to allow password-based authentication to the sftp server. You probably also need to change `sshd_authenticationmethods` to include `password` if you set `sftp_password_login`: `true`.
+  - Type: bool
+  - Required: no
 - `ssh_allow_agent_forwarding`
   - Default: `false`
   - Description: Set to `false` to disable Agent Forwarding. Set to `true` to allow Agent Forwarding.
diff --git a/roles/ssh_hardening/defaults/main.yml b/roles/ssh_hardening/defaults/main.yml
index d70b8da6..8831f050 100644
--- a/roles/ssh_hardening/defaults/main.yml
+++ b/roles/ssh_hardening/defaults/main.yml
@@ -183,6 +183,9 @@ sftp_umask: "0027"
 # change default sftp chroot location
 sftp_chroot_dir: /home/%u
 
+# If true, password login for sftp is allowed
+sftp_password_login: "{{ ssh_server_password_login }}"
+
 # enable experimental client roaming
 ssh_client_roaming: false
 
diff --git a/roles/ssh_hardening/templates/opensshd.conf.j2 b/roles/ssh_hardening/templates/opensshd.conf.j2
index 4ac0e713..5b8af71a 100644
--- a/roles/ssh_hardening/templates/opensshd.conf.j2
+++ b/roles/ssh_hardening/templates/opensshd.conf.j2
@@ -269,7 +269,7 @@ Match Group sftponly
 {% endif %}
     AllowTcpForwarding no
     AllowAgentForwarding no
-    PasswordAuthentication {{ 'yes' if (ssh_server_password_login|bool) else 'no' }}
+    PasswordAuthentication {{ 'yes' if (sftp_password_login|bool) else 'no' }}
     PermitRootLogin no
     X11Forwarding no
 {% endif %}
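Review bot: The new comment above `sftp_password_login` does not say that the value inherits from `ssh_server_password_login`, nor that turning it on is not sufficient by itself, which is exactly the caveat the README hunk in this same commit spells out; a reader of defaults/main.yml alone will set `sftp_password_login: true` and get no password prompt. I would replace the one-line comment with `# Allow password login for the sftp chroot group. Defaults to ssh_server_password_login;` / `# enabling it also requires 'password' in sshd_authenticationmethods, otherwise sshd still rejects passwords.` The default is a Jinja string (`"{{ ssh_server_password_login }}"`) rather than a YAML bool, which is presumably why the template applies `|bool`; worth a short note so nobody "fixes" the quoting.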
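Review bot: The `Match Group sftponly` block now flips `PasswordAuthentication` on `sftp_password_login`, but it does not override `AuthenticationMethods` in the same block, so when the global method list excludes `password` the new knob has no effect and the user is left to discover this from the README. The README hunk says as much, but a template that enables a login method should make it actually work or fail loudly. Assuming `sshd_authenticationmethods` is the variable that feeds the global `AuthenticationMethods` line (named in the README hunk; its type and the rest of the Match block are outside this hunk, so this needs confirming), I would add after the PasswordAuthentication line: `{% if sftp_password_login|bool and 'password' not in sshd_authenticationmethods %}` / `    AuthenticationMethods password` / `{% endif %}`, scoping the relaxation to the sftp group rather than asking users to widen it globally. Either way, a one-line Jinja comment such as `{# password auth only works here if AuthenticationMethods also lists 'password' #}` next to the changed line would save the next maintainer the same surprise.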