DaemonForums  

#1
13th January 2017
anigma (New User, Join Date: Jan 2017, Posts: 4)
Hashed scrypt passwords with pure-ftpd

Lately I've been trying to set up pure-ftpd with virtual user support in MariaDB and hashed scrypt passwords. Has anyone else achieved this?

I hash the passwords in Python 3.5 using the libsodium bindings (pysodium) as instructed in the README.MySQL file (https://download.pureftpd.org/pub/pu...c/README.MySQL <- read the SCRYPT part).

I then store the hashed password in my users table, i.e. "$7$C6..../....YzvCLmJDYJpH76BxlZB9fCpCEj2AbGQHoLiG9I/VRO1$/enQ.o1BNtmxjxNc/8hbZq8W0JAqR5YpufJXGAdzmf3".

However, I still get a 503 authentication failed response and syslogd does not really give any indication of where the fault lies. I've also enabled query logging to check whether pure-ftpd actually does it correctly, and so far it looks good.

Any takes on what I could be doing wrong?

#2
13th January 2017
LeFrettchen (Marveled user, Join Date: Aug 2012, Location: Bronvaux, France, Posts: 255)

Hi and welcome

Not sure if you have seen this:
Quote:
If a MySQL user entry has a root (0) uid and/or gid, Pure-FTPd will refuse
to log them in.

You should check how your passwords are stored, in /etc/pure-ftpd/db/mysql.conf: Valid values are "cleartext", "crypt", "sha1", "md5" and "password".
__________________
The secret of wisdom is not wisdom itself, it's the road that leads us there.

#3
17th January 2017
anigma (New User, Join Date: Jan 2017, Posts: 4)

Quote:
Originally Posted by LeFrettchen
Hi and welcome

Much obliged!

I have actually not seen that in the docs. Good pointer! However, I usually define a default MySQL UID and GID (based on the values of the system user _mysql) in my pureftpd-mysql.conf file.

Quote:
Originally Posted by LeFrettchen
You should check how your passwords are stored, in /etc/pure-ftpd/db/mysql.conf: Valid values are "cleartext", "crypt", "sha1", "md5" and "password".

You're missing scrypt in there as well. Take a look at https://download.pureftpd.org/pub/pu...c/README.MySQL - I'm currently working on a solution. I'll report back in a couple of days if it turns out to be helpful.

#4
17th January 2017
LeFrettchen (Marveled user, Join Date: Aug 2012, Location: Bronvaux, France, Posts: 255)

Quote:
Originally Posted by anigma
You're missing scrypt in there as well. Take a look at https://download.pureftpd.org/pub/pu...c/README.MySQL - I'm currently working on a solution. I'll report back in a couple of days if it turns out to be helpful.

Scrypt is a password-based encryption utility, not a valid value in a pure-ftpd config file.

It's possible to use scrypt to encrypt passwords, but in the configuration file, MYSQLCrypt must be defined as crypt.

#5
17th January 2017
anigma (New User, Join Date: Jan 2017, Posts: 4)

Quote:
Originally Posted by LeFrettchen
It's possible to use scrypt to encrypt passwords, but in the configuration file, MYSQLCrypt must be defined as crypt.

I'm not so sure about that. I just checked the sample configuration file from /usr/local/share/examples/pure-ftpd/pureftpd-mysql.conf and there is, as expected, a value for scrypt as well.

Quote:
# Mandatory : how passwords are stored
# Valid values are : "cleartext", "scrypt", "crypt", "sha1", "md5", "password" and "any"
# ("password" = MySQL password() function, which is sha1(sha1(password)))

MYSQLCrypt scrypt

Last edited by anigma; 18th January 2017 at 05:20 PM.

#6
18th January 2017
anigma (New User, Join Date: Jan 2017, Posts: 4)

I managed to get it working now after a lot of debugging. For those of you that are struggling with the same, I have a couple of pointers.

1) Use the pysodium module with Python 2.x (NOT 3.x) to generate the hashed scrypt passwords. Pure-FTPd does not seem to support the format of the 3.x version.

i.e.
Code:
[root@jigsaw ~]# python2.7 
Python 2.7.12 (default, Jul 25 2016, 16:14:54) 
[GCC 4.2.1 20070719 ] on openbsd6
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysodium
>>> pysodium.crypto_pwhash_scryptsalsa208sha256_str('test', 1, 1)
'$7$/6.....6...jrxPc5U3f.gs28B7PBIWiQMdhREp2DSIyzH4I57pEF8$FVo7.JGG0/4GK8dahDn7SVdoOBllHgGMCVOoIs/6tM.'

2) As LeFrettchen pointed out earlier in the thread, watch out for the use of the -u (--minuid) flag. If you define -u <UID> with rcctl or in a config file, then change MYSQLDefaultUID/GID accordingly.

Here is my current pureftpd-mysql.conf:
Code:
#MYSQLServer     localhost
#MYSQLPort       3306
MYSQLSocket      /var/www/var/run/mysql/mysql.sock
MYSQLUser        root
MYSQLPassword    <password>
MYSQLDatabase    pureftpd
MYSQLCrypt       scrypt
MYSQLGetPW       SELECT Password FROM users WHERE Username = '\L' AND Status = '1'
MYSQLGetDir      SELECT Directory FROM users WHERE Username = '\L' AND Status = '1'
MYSQLDefaultUID  642
MYSQLDefaultGID  642
#MYSQLGetUID     SELECT UID FROM users WHERE Username = '\L'
#MYSQLGetGID     SELECT GID FROM users WHERE Username = '\L'

And I have these flags enabled:
Code:
[root@jigsaw ~]# rcctl get pure_ftpd           
pure_ftpd_class=daemon
pure_ftpd_flags=-A -B -d -H -j -l mysql:/etc/pureftpd-mysql.conf -Y 2
pure_ftpd_rtable=0
pure_ftpd_timeout=30
pure_ftpd_user=root

I personally decided to not use the -u <UID> flag as I see no point to do so. I only have virtual users stored in a DB backend. So there are no user entries with a UID or GID equal to 0 (root).
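
Added example (not part of the thread, and not Pure-FTPd or libsodium code): a small Python checker for the `$7$` strings quoted in posts #1 and #6. It decodes the scrypt cost parameters from the string layout produced by `crypto_pwhash_scryptsalsa208sha256_str` and rejects values that were truncated or altered before reaching the `Password` column; the function and constant names are made up for this example.

```python
# Added example: decode the "$7$" scrypt strings quoted in posts #1 and #6.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Both values are copied verbatim from the thread.
POST1_HASH = ("$7$C6..../....YzvCLmJDYJpH76BxlZB9fCpCEj2AbGQHoLiG9I/VRO1"
              "$/enQ.o1BNtmxjxNc/8hbZq8W0JAqR5YpufJXGAdzmf3")
POST6_HASH = ("$7$/6.....6...jrxPc5U3f.gs28B7PBIWiQMdhREp2DSIyzH4I57pEF8"
              "$FVo7.JGG0/4GK8dahDn7SVdoOBllHgGMCVOoIs/6tM.")


def _decode_uint(chars):
    """Little-endian integer, 6 bits per character, lowest bits first."""
    value = 0
    for position, ch in enumerate(chars):
        value |= ITOA64.index(ch) << (6 * position)
    return value


def parse_scrypt_mcf(stored):
    """Return the cost parameters of a "$7$" string; raise ValueError if malformed."""
    if isinstance(stored, bytes):  # value read back from a binary column
        stored = stored.decode("ascii")
    if not stored.startswith("$7$"):
        raise ValueError("missing $7$ prefix")
    params, rest = stored[3:14], stored[14:]
    salt, sep, digest = rest.partition("$")
    if len(params) != 11 or not sep or len(digest) != 43:
        raise ValueError("truncated: expected 11 parameter chars and a 43-char digest")
    if any(ch not in ITOA64 for ch in params + salt + digest):
        raise ValueError("character outside the ./0-9A-Za-z alphabet")
    n = 1 << ITOA64.index(params[0])      # first char is log2(N)
    r = _decode_uint(params[1:6])         # next 5 chars: block size r
    p = _decode_uint(params[6:11])        # next 5 chars: parallelism p
    return {"N": n, "r": r, "p": p, "salt_chars": len(salt),
            "mem_bytes": 128 * n * r}     # size of scrypt's main working array


if __name__ == "__main__":
    for label, value in (("post #1", POST1_HASH), ("post #6", POST6_HASH)):
        print(label, parse_scrypt_mcf(value))
    try:
        parse_scrypt_mcf(POST1_HASH[:64])  # constructed: 64-char column cut
    except ValueError as exc:
        print("truncated value rejected:", exc)
```

Run on the two strings from the thread, it reports N=16384, r=8, p=1 for post #1 and N=2, r=8, p=512 for the string generated with `('test', 1, 1)` in post #6, so the latter's scrypt working array is 2 KiB rather than 16 MiB.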

#7
18th January 2017
LeFrettchen (Marveled user, Join Date: Aug 2012, Location: Bronvaux, France, Posts: 255)

OK, thanks for sharing