Tvel / VsftpdWeb

VsftpdWeb is a simple web interface for vsftpd ftp server.
http://velkoff.net/vsftpdweb/

MD5 Encryption #6

Open SodaqMoja opened 10 years ago

SodaqMoja commented 10 years ago

In the install_readme folder we find an example pak file in which you use:

crypt=2

According to the PAM manual, the crypt settings are:

2 (or "mysql") = Use MySQL PASSWORD() function. It is possible that the encryption function used by pam-mysql is different from that of the MySQL server, as pam-mysql uses the function defined in MySQL's C-client API instead of using PASSWORD() SQL function in the query.
3 (or "md5") = Use MySQL MD5() function

In the file users_model.php I found that you use MD5 to encrypt.

As a result in my Ubuntu 12.0 LTS it doesn't work.

When I change my pam config to crypt=3, I get:

pam_mysql - non-crypt()ish MD5 hash is not supported in this build.

As a result I changed back to crypt=2, but I changed these two lines in users_model.php:

$q="INSERT INTO accounts (username, password, perm) VALUES ( '".$this->input->post('user')."', PASSWORD('".$this->input->post('upass')."'), 'r' ) ;";
$q="UPDATE accounts SET password = PASSWORD('$pass') WHERE id = '$id';";

Any thoughts from your end?

Tvel commented 10 years ago

I'm sorry for the trouble.

The fix seems correct; later today I will review it to make sure PASSWORD() is used in all places.

Tvel commented 10 years ago

Changes are updated.

In the future there will be a setting to configure plain text, password or md5 in the web interface for the database.

SodaqMoja commented 10 years ago

Nice!

On Wed, Feb 12, 2014 at 2:31 PM, Tosil Velkoff notifications@github.com wrote:

> Changes are updated.
>
> In the future there will be a setting to configure plain text, password or md5 in the web interface for the database.

Tvel commented 10 years ago

You didn't miss anything, so updating is not necessary.

zbuttram commented 6 years ago

Just a note for anyone coming along later, this does appear to still be an issue in master.

Can be fixed by:

Setting crypt value in /etc/pam.d/vsftpd to 2 instead of 3

AND

Changing MD5 on lines 70 and 159 in users_model.php (as of current master) to PASSWORD.

Note that I was also unable to use the pam_mysql version available in the default Ubuntu repos, and had to build the v0.8.x branch of https://github.com/NigelCunningham/pam-MySQL from source.

If I get some free time I'll fork and pull request.

Tvel commented 6 years ago

Hi, I remember some systems had problems with PASSWORD. If it works fine with the linked pam-mysql make a request and I will merge it.
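
The mismatch discussed in this thread (rows written with MD5() while PAM is configured with crypt=2, or the reverse) can be checked offline from the stored hashes alone. The following is an added example, not part of the thread or of VsftpdWeb's code: it classifies each stored value by format and lists the accounts the configured crypt= value would not verify. It assumes the MySQL 4.1+ PASSWORD() format; the function names and sample rows are constructed for illustration, and a format match says which crypt value the row was written for, not that a given pam_mysql build supports it.

```python
import hashlib
import re

def mysql_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def mysql_md5(password: str) -> str:
    """MySQL MD5(): 32 lowercase hex digits."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# (pattern, label, pam_mysql crypt value as listed in the thread)
FORMATS = [
    (re.compile(r"\*[0-9A-Fa-f]{40}"), "mysql-password", 2),
    (re.compile(r"[0-9A-Fa-f]{32}"), "md5", 3),
]

def classify(stored: str):
    """Return (label, crypt value) for a stored hash, or ("unknown", None)."""
    for pattern, label, crypt in FORMATS:
        if pattern.fullmatch(stored):
            return label, crypt
    return "unknown", None

def mismatches(rows, pam_crypt: int):
    """List (username, label) for rows the configured crypt= value will not verify."""
    out = []
    for username, stored in rows:
        label, crypt = classify(stored)
        if crypt != pam_crypt:
            out.append((username, label))
    return out

# Constructed sample rows (username, password column), both for the password "password".
SAMPLE_ROWS = [
    ("alice", mysql_md5("password")),       # written by the MD5() code path
    ("bob", mysql_password("password")),    # written by the PASSWORD() code path
]

if __name__ == "__main__":
    for crypt in (2, 3):
        print(f"crypt={crypt}: cannot verify {mismatches(SAMPLE_ROWS, crypt)}")
```

Rows reported as "unknown" (plain text, crypt(3) output, truncated values) need manual review before the crypt setting is changed.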