Hashed scrypt passwords with pure-ftpd

[anigma]

Lately I've been trying to set up pure-ftpd with virtual user support in MariaDB and hashed scrypt passwords. Has anyone else achieved this?

I hash the passwords in python 3.5 using the libsodium bindings (pysodium) as per instructed from the README.MySQL file (https://download.pureftpd.org/pub/pu...c/README.MySQL <- read the SCRYPT part).

I then store the hashed password in my users table, ie. "$7$C6..../....YzvCLmJDYJpH76BxlZB9fCpCEj2AbGQHoLiG9I/VRO1$/enQ.o1BNtmxjxNc/8hbZq8W0JAqR5YpufJXGAdzmf3".

However, I still get a 503 authentication failed response and syslogd does not really give any indication on where the fault lies. I've also enabled query logging to check wether pure-ftpd actually does it correct, and so far it looks good.

Any takes on what I could be doing wrong?

[LeFrettchen]

Hi and welcome

Not sure if you have seen this :

Quote:

If a MySQL user entry has a root (0) uid and/or gid, Pure-FTPd will refuse
to log them in.

You should check how yours passwords are stored, in /etc/pure-ftpd/db/mysql.conf : Valid values are "cleartext", "crypt", "sha1", "md5" and "password".

[anigma]

Quote:

Originally Posted by LeFrettchen

Hi and welcome

Much obliged!

I have actually not seen that in the docs. Good pointer! However, I usually define a default MySQL UID and GID (based on the values of the system user _mysql) in my pureftpd-mysql.conf file.

Quote:

Originally Posted by LeFrettchen

You should check how yours passwords are stored, in /etc/pure-ftpd/db/mysql.conf : Valid values are "cleartext", "crypt", "sha1", "md5" and "password".

You're missing scrypt in there as well. Take a look at https://download.pureftpd.org/pub/pu...c/README.MySQL - I'm currently working on a solution. I'll report back in a couple of days if it turns out to be helpful.

[LeFrettchen]

Quote:

Originally Posted by anigma

You're missing scrypt in there as well. Take a look at https://download.pureftpd.org/pub/pu...c/README.MySQL - I'm currently working on a solution. I'll report back in a couple of days if it turns out to be helpful.

Scrypt is a password-based encryption utility, not a valid value in a pure-ftpd config file.

It's possible to use scrypt to encrypt passwords, but in the configuration file, MYSQLCrypt must be defined as crypt.

[anigma]

Quote:

Originally Posted by LeFrettchen

It's possible to use scrypt to encrypt passwords, but in the configuration file, MYSQLCrypt must be defined as crypt.

I'm not so sure about that. I just checked the sample configuration file from /usr/local/share/examples/pure-ftpd/pureftpd-mysql.conf and there is as expected a value for scrypt as well.

Quote:

# Mandatory : how passwords are stored
# Valid values are : "cleartext", "scrypt", "crypt", "sha1", "md5", "password" and "any"
# ("password" = MySQL password() function, which is sha1(sha1(password)))

MYSQLCrypt scrypt

[anigma]

I managed to get it working now after a lot of debugging. For those of you that are struggling with the same, I have a couple of pointers.

1) Use the pysodium module with Python 2.x (NOT 3.x) to generate the hashed scrypt passwords. Pure-FTPd does not seem to support the format of the 3.x version.

ie.

Code:

[root@jigsaw ~]# python2.7 
Python 2.7.12 (default, Jul 25 2016, 16:14:54) 
[GCC 4.2.1 20070719 ] on openbsd6
Type "help", "copyright", "credits" or "license" for more information.
>>> import pysodium
>>> pysodium.crypto_pwhash_scryptsalsa208sha256_str('test', 1, 1)
'$7$/6.....6...jrxPc5U3f.gs28B7PBIWiQMdhREp2DSIyzH4I57pEF8$FVo7.JGG0/4GK8dahDn7SVdoOBllHgGMCVOoIs/6tM.'

2) As LeFrettchen pointed out earlier in the thread, watch out for the use of -u (--minuid) flag. If you define -u <UID> with rcctl or in a config file, then change MYSQLDefaultUID/GID accordingly.

Here is my current pureftpd-mysql.conf:

Code:

#MYSQLServer    localhost
#MYSQLPort			3306
MYSQLSocket			/var/www/var/run/mysql/mysql.sock
MYSQLUser				root
MYSQLPassword		<password>
MYSQLDatabase		pureftpd
MYSQLCrypt			scrypt
MYSQLGetPW			SELECT Password FROM users WHERE Username = '\L' AND Status = '1'
MYSQLGetDir			SELECT Directory FROM users WHERE Username = '\L' AND Status = '1'
MYSQLDefaultUID	642
MYSQLDefaultGID	642
#MYSQLGetUID		SELECT UID FROM users WHERE Username = '\L'
#MYSQLGetGID		SELECT GID FROM users WHERE Username = '\L'

And I have these flags enabled:

Code:

[root@jigsaw ~]# rcctl get pure_ftpd           
pure_ftpd_class=daemon
pure_ftpd_flags=-A -B -d -H -j -l mysql:/etc/pureftpd-mysql.conf -Y 2
pure_ftpd_rtable=0
pure_ftpd_timeout=30
pure_ftpd_user=root

I personally decided to not use the -u <UID> flag as I see no point to do so. I only have virtual users stored in a DB backend. So there are no user entries with a UID or GID equal to 0 (root).

[LeFrettchen]

OK, thanks for the sharing