I am a great supporter of ISPConfig, and I convince a lot of people to actually use it. But sometimes I do run into some issues myself. I don't know if this might be something on my end, or a bug, but since ISPConfig 3.1.15, pure-ftpd-mysql user passwords are (if created new, or changed) now prefixed with: $6$rounds=5000$967270 (string is longer, but prefixed with this) So, all existing passwords seem to work, but the ones reset, or newly created, do fail. Server is Debian 9, with PHP 7.0, and ISPConfig 3.1.15. The same server did run the 3.1.14 series perfectly, without issues with FTP users, and resetting their passwords. This is a showstopper.
Passwords are now hashed with crypt-sha256 instead of the old crypt-md5 for security reasons. I think Debian 9 should support this, but I'll do some tests.
Till, thank you for your efforts! Is there any way that there is a workaround for this? By generating passwords by hand, and putting them in the DB manually?
I just tried to reproduce the issue on Debian 9 but it works here. Password hash generated by ISPConfig: $6$rounds=5000$e15ccc07e07d4dc4$SGmUxuwy4PItALBnZ3RRcjT5VLWFDKUWjJpcE9CcUVHHhc7MbH03sciANLXOmu0PFH3N302IRsavVE7hYGmQV1 So the new sha hashing is in use. The Debian version is: root@server1:~# cat /etc/debian_version 9.9 Which is not even latest Debian 9. I'll insttall latest updates and test again, but I guess this makes no difference. Maybe your server is older than Debian 9?
Till, version of the master is: jko@portal:~$ cat /etc/debian_version 9.11 And the affected servers are also: jko@ispc-web-01:~$ cat /etc/debian_version 9.11 Could this be an issue within pure-ftpd ??
Updated Debian now to: root@server1:~# uname -a Linux server1 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64 GNU/Linux root@server1:~# cat /etc/debian_version 9.11 and it still works, did even a restart. I guess pure-ftpd uses the password hashing and verification functions from Linux standard libs as most programs written in C/C++ do which should make it compatible with such hashes automatically. The pure-ftpd-mysql version on my system is the one that ships with Debian 9, the system is installed as described in the Debian 9 perfect server guides. One question: Did you test the ftp users and hashes yourself or did your users report it? Maybe the users used the wrong FTP username (without prefix)? And did you check that the password hash in the ftp_user table on the slave node is the same than the one on the master? pure-ftpd-mysql authentificates the user against the dbispconfig.ftp_user table on the local system slave).
We got a question of one of our users last night, who changed his FTP password, and called me. So what I did to reproduce: Try to login with the username and password, that he provided me. Not working. Try to login with the username and password I created. Not working Resync the FTP users to the machines, to make sure the users and passwords are in sync, login to both machines and check the ftp_user table, both master and other systems where the same, login failed. Not working. Removed the ftp user, and created a new one with a new password: Not working. Used your "commandline" option, put that in the master db, sync it, works. The pure-ftpd-mysql and pure-ftpd-common are version 1.0.43-3 No modifications are made, and installation has been performed as described in the Debian 9 best server, NGINX, Howtoforge docs.
