pure-ftpd-mysql passwords weird?

Discussion in 'ISPConfig 3 Priority Support' started by Haringstad, Oct 7, 2019.

  1. Haringstad

    Haringstad New Member HowtoForge Supporter

    I am a great supporter of ISPConfig, and I convince a lot of people to actually use it. But sometimes I do run into some issues myself. I don't know if this might be something on my end, or a bug, but since ISPConfig 3.1.15, pure-ftpd-mysql user passwords are (if created new, or changed) now prefixed with:
    $6$rounds=5000$967270 (string is longer, but prefixed with this)
    So, all existing passwords seem to work, but the ones reset, or newly created, do fail.
    Server is Debian 9, with PHP 7.0, and ISPConfig 3.1.15. The same server did run the 3.1.14 series perfectly, without issues with FTP users, and resetting their passwords.
    This is a showstopper.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Passwords are now hashed with crypt-sha256 instead of the old crypt-md5 for security reasons. I think Debian 9 should support this, but I'll do some tests.
     
    Haringstad likes this.
  3. Haringstad

    Haringstad New Member HowtoForge Supporter

    Till, thank you for your efforts! Is there any way that there is a workaround for this? By generating passwords by hand, and putting them in the DB manually?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You can create the password hashes with mkpasswd command:

    mkpasswd --method=md5 --stdin
     
    Haringstad likes this.
  5. Haringstad

    Haringstad New Member HowtoForge Supporter

    Great! THAT WORKS!!! Thank you! Fixing now the "broken" logins! You are great!
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I just tried to reproduce the issue on Debian 9 but it works here. Password hash generated by ISPConfig:

    $6$rounds=5000$e15ccc07e07d4dc4$SGmUxuwy4PItALBnZ3RRcjT5VLWFDKUWjJpcE9CcUVHHhc7MbH03sciANLXOmu0PFH3N302IRsavVE7hYGmQV1

    So the new sha hashing is in use. The Debian version is:

    root@server1:~# cat /etc/debian_version
    9.9

    Which is not even the latest Debian 9. I'll install the latest updates and test again, but I guess this makes no difference. Maybe your server is older than Debian 9?
     
  7. Haringstad

    Haringstad New Member HowtoForge Supporter

    Till, version of the master is:
    jko@portal:~$ cat /etc/debian_version
    9.11
    And the affected servers are also:
    jko@ispc-web-01:~$ cat /etc/debian_version
    9.11
    Could this be an issue within pure-ftpd ??
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Updated Debian now to:

    root@server1:~# uname -a
    Linux server1 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64 GNU/Linux
    root@server1:~# cat /etc/debian_version
    9.11

    and it still works, did even a restart. I guess pure-ftpd uses the password hashing and verification functions from Linux standard libs as most programs written in C/C++ do which should make it compatible with such hashes automatically.

    The pure-ftpd-mysql version on my system is the one that ships with Debian 9, the system is installed as described in the Debian 9 perfect server guides.

    One question: Did you test the ftp users and hashes yourself or did your users report it? Maybe the users used the wrong FTP username (without prefix)? And did you check that the password hash in the ftp_user table on the slave node is the same as the one on the master? pure-ftpd-mysql authenticates the user against the dbispconfig.ftp_user table on the local system (slave).
     
  9. Haringstad

    Haringstad New Member HowtoForge Supporter

    We got a question from one of our users last night, who changed his FTP password, and called me. So what I did to reproduce:
    1. Try to login with the username and password, that he provided me. Not working.
    2. Try to login with the username and password I created. Not working.
    3. Resync the FTP users to the machines, to make sure the users and passwords are in sync, login to both machines and check the ftp_user table, both master and other systems were the same, login failed. Not working.
    4. Removed the ftp user, and created a new one with a new password: Not working.
    5. Used your "commandline" option, put that in the master db, sync it, works.
    The pure-ftpd-mysql and pure-ftpd-common are version 1.0.43-3
    No modifications are made, and installation has been performed as described in the Debian 9 best server, NGINX, Howtoforge docs.
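
Added example, not part of the thread and not ISPConfig or pure-ftpd code: a small Python check that classifies stored FTP password hashes by their crypt(3) prefix (`$1$` md5-crypt, `$5$` sha256-crypt, `$6$` sha512-crypt), so rows written with the md5 workaround can be found and re-hashed later. The usernames and the md5 row are constructed, and feeding it `(username, password)` pairs read from `ftp_user` is an assumption about the table layout.

```python
import re

# crypt(3) scheme ids as used by glibc: id -> (name, encoded digest length)
SCHEMES = {"1": ("md5-crypt", 22), "5": ("sha256-crypt", 43), "6": ("sha512-crypt", 86)}
DIGEST = re.compile(r"[./0-9A-Za-z]+")  # crypt's base64 alphabet

def parse_crypt_hash(value):
    """Split $id$[rounds=N$]salt$digest and report whether it is complete."""
    parts = value.strip().split("$")
    if len(parts) < 3 or parts[0] or parts[1] not in SCHEMES:
        return {"scheme": "unknown", "rounds": None, "salt": None, "well_formed": False}
    name, digest_len = SCHEMES[parts[1]]
    fields, rounds = parts[2:], None
    # Only the SHA schemes accept an explicit rounds=N field before the salt.
    if parts[1] in ("5", "6") and re.fullmatch(r"rounds=\d+", fields[0]):
        rounds, fields = int(fields[0][len("rounds="):]), fields[1:]
    salt = fields[0] if fields else None
    digest = fields[1] if len(fields) == 2 else ""
    ok = bool(salt) and len(digest) == digest_len and bool(DIGEST.fullmatch(digest))
    return {"scheme": name, "rounds": rounds, "salt": salt, "well_formed": ok}

def audit(rows):
    """Group usernames by hash scheme; truncated or odd values go under 'malformed'."""
    report = {}
    for username, stored in rows:
        info = parse_crypt_hash(stored)
        key = info["scheme"] if info["well_formed"] else "malformed"
        report.setdefault(key, []).append(username)
    return report

# The hash quoted in the thread as generated by ISPConfig.
PAGE_HASH = "$6$rounds=5000$e15ccc07e07d4dc4$SGmUxuwy4PItALBnZ3RRcjT5VLWFDKUWjJpcE9CcUVHHhc7MbH03sciANLXOmu0PFH3N302IRsavVE7hYGmQV1"

# Constructed sample rows (usernames are made up; the md5 digest is filler, not a real hash).
ROWS = [
    ("web1_alice", PAGE_HASH),
    ("web1_bob", "$1$constrct$" + "A" * 22),    # shape of mkpasswd --method=md5 output
    ("web1_carol", "$6$rounds=5000$967270"),    # the truncated prefix from the first post
]

if __name__ == "__main__":
    for scheme, users in audit(ROWS).items():
        print(f"{scheme}: {', '.join(users)}")
```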
     