将密码哈希从 glftpd 2.01 (PKCS5_PBKDF2_HMAC_SHA1) 迁移到 proftpd + mod_sql_passwd

tag-icon tag-icon mysql ftp migration proftpd
将密码哈希从 glftpd 2.01 (PKCS5_PBKDF2_HMAC_SHA1) 迁移到 proftpd + mod_sql_passwd

为了从事实上的闭源 glftpd 2.01 迁移到 proftpd,我需要将用户帐户的密码哈希从 glftpd 迁移到 proftpd。阅读有关该主题的内容后,我认为 mod_sql_passwd 应该可以解决问题。

因此我像这样设置了我的 proftpd 服务器:

<global>
    SQLBackend              mysql
    SQLAuthTypes            Crypt
    SQLAuthenticate         users groups

    SQLConnectInfo  testdbuser@testdbhost testdb

    SQLUserInfo     ftpuser userid passwd uid gid homedir shell
    SQLGroupInfo    ftpgroup groupname gid members
    SQLMinID        500
    CreateHome on

[...]

    RootLogin off
    RequireValidShell off
    DefaultRoot ~
</global>

DefaultServer                   off
ServerType                      standalone

<VirtualHost 0.0.0.0>
    Port 21
    PassivePorts 10000 10250
    MasqueradeAddress 123.123.123.123

    SQLAuthTypes pbkdf2
    SQLPasswordPBKDF2 sha1 100 40

    SQLNamedQuery get-user-salt SELECT "salt FROM ftpuser WHERE userid = '%{0}'"
    SQLPasswordUserSalt sql:/get-user-salt Prepend
</VirtualHost>

glftpd 密码中的哈希值如下所示:

$7e8ab0c7$bf044082ab83875eeb3a2158cd6253f8e88f40cf

数据库如下所示(CSV 表示):

"id","userid","passwd","salt","uid","gid","homedir","shell","count","accessed","modified"
"1","test","bf044082ab83875eeb3a2158cd6253f8e88f40cf","7e8ab0c7","5500","5500","/data/test","/sbin/nologin","20","2020-03-31 20:02:45","2020-03-25 16:30:49"

到目前为止的所有配置结果为:

USER test (Login failed): No such user found

事实上,当用户存在时,通过将哈希值更改为 Crypt() Bcrypt 样式的哈希值,登录即可成功。

疑问/问题:

  • 目前尚不清楚 glftpd 的哈希值使用了多少次迭代,从 glftpd 提供的少量源代码中可以得出迭代值为 100
  • 目前还不清楚是否应该在盐值和哈希值前面加上美元符号
  • proftpd 的 DebugLevel 为 10,除了“用户测试(登录失败):未找到该用户”之外没有其他信息,但是,使用正常的 Crypt() Bcrypt 类型哈希,它可以完美运行(参见配置顶部)
  • 目前还不清楚 glftpd 2.01 哈希是如何构造的,我尝试了SQLPasswordOptions HashPassword HashSalt看起来最合乎逻辑的,但没有成功 [²]

如果有人做过类似的任务,并且有这种迁移的经验,那就太好了。也欢迎提供有助于解决此问题的其他线索。

[¹]https://glftpd.io/files/glftpd-LNX_2.01.tgz(bin/sources/PassChk/passhk.c)glftpd 2.01“passchk.c”:

    PKCS5_PBKDF2_HMAC_SHA1(pwd, strlen(pwd), real_salt, SHA_SALT_LEN, 100,
               mdlen, md);

[²]http://www.proftpd.org/docs/contrib/mod_sql_passwd.html#Transformations

答案1

解决:

<global>
    SQLBackend              mysql
    SQLAuthTypes            Crypt
    SQLAuthenticate         users groups

    SQLConnectInfo  testdbuser@testdbhost testdb

    SQLUserInfo     ftpuser userid passwd uid gid homedir shell
    SQLGroupInfo    ftpgroup groupname gid members
    SQLMinID        500
    CreateHome on

[...]

    RootLogin off
    RequireValidShell off
    DefaultRoot ~
</global>

DefaultServer                   off
ServerType                      standalone
Port 0

<VirtualHost 0.0.0.0>
    Port 21
    PassivePorts 10000 10250
    MasqueradeAddress 123.123.123.123

    SQLPasswordEngine on

    SQLAuthTypes pbkdf2
    SQLPasswordPBKDF2 sha1 100 20

    SQLNamedQuery get-user-salt SELECT "salt FROM ftpuser WHERE userid = '%{0}'"
    SQLPasswordUserSalt sql:/get-user-salt Prepend

    SQLPasswordEncoding hex
    SQLPasswordSaltEncoding hex

    SQLPasswordOptions HashEncodeSalt HashEncodePassword
</VirtualHost>

必须

  • 定义小写字符十六进制SQLPasswordEncoding编码SQLPasswordSaltEncoding
  • 将输出长度从 40 字节更正为 20 字节SQLPasswordPBKDF2
  • 添加SQLPasswordOptions指示模块首先解码十六进制值,然后使用哈希值
  • 启用SQLPasswordEngine

相关内容