To migrate from the de facto closed-source glftpd 2.01 to proftpd, I need to migrate the user accounts' password hashes from glftpd to proftpd. After reading up on the subject, I figured mod_sql_passwd should do the trick.
So I set up my proftpd server like this:
<global>
SQLBackend mysql
SQLAuthTypes Crypt
SQLAuthenticate users groups
SQLConnectInfo testdbuser@testdbhost testdb
SQLUserInfo ftpuser userid passwd uid gid homedir shell
SQLGroupInfo ftpgroup groupname gid members
SQLMinID 500
CreateHome on
[...]
RootLogin off
RequireValidShell off
DefaultRoot ~
</global>
DefaultServer off
ServerType standalone
<VirtualHost 0.0.0.0>
Port 21
PassivePorts 10000 10250
MasqueradeAddress 123.123.123.123
SQLAuthTypes pbkdf2
SQLPasswordPBKDF2 sha1 100 40
SQLNamedQuery get-user-salt SELECT "salt FROM ftpuser WHERE userid = '%{0}'"
SQLPasswordUserSalt sql:/get-user-salt Prepend
</VirtualHost>
A hash in the glftpd password file looks like this:
$7e8ab0c7$bf044082ab83875eeb3a2158cd6253f8e88f40cf
The database looks like this (CSV representation):
"id","userid","passwd","salt","uid","gid","homedir","shell","count","accessed","modified"
"1","test","bf044082ab83875eeb3a2158cd6253f8e88f40cf","7e8ab0c7","5500","5500","/data/test","/sbin/nologin","20","2020-03-31 20:02:45","2020-03-25 16:30:49"
The result of all the configuration so far is:
USER test (Login failed): No such user found
The user does in fact exist: when I change the hash to a Crypt() Bcrypt-style hash, the login succeeds.
Questions/problems:
- It is not clear how many iterations glftpd's hash uses; from the little source code glftpd ships, an iteration count of 100 can be derived
- It is not clear whether the salt and the hash should be prefixed with a dollar sign
- proftpd at DebugLevel 10 gives no information beyond "USER test (Login failed): No such user found"; however, with a normal Crypt() Bcrypt-type hash it works perfectly (see the top of the config)
- It is not clear how glftpd 2.01 hashes are constructed; I tried
SQLPasswordOptions HashPassword HashSalt
which seemed the most logical, but without success [²]
It would be great if someone has done a similar task and has experience with this kind of migration. Any other hints that help solve this are welcome too.
[¹] https://glftpd.io/files/glftpd-LNX_2.01.tgz (bin/sources/PassChk/passhk.c), glftpd 2.01 "passchk.c":
PKCS5_PBKDF2_HMAC_SHA1(pwd, strlen(pwd), real_salt, SHA_SALT_LEN, 100,
mdlen, md);
[²]http://www.proftpd.org/docs/contrib/mod_sql_passwd.html#Transformations
Answer 1
Solved:
<global>
SQLBackend mysql
SQLAuthTypes Crypt
SQLAuthenticate users groups
SQLConnectInfo testdbuser@testdbhost testdb
SQLUserInfo ftpuser userid passwd uid gid homedir shell
SQLGroupInfo ftpgroup groupname gid members
SQLMinID 500
CreateHome on
[...]
RootLogin off
RequireValidShell off
DefaultRoot ~
</global>
DefaultServer off
ServerType standalone
Port 0
<VirtualHost 0.0.0.0>
Port 21
PassivePorts 10000 10250
MasqueradeAddress 123.123.123.123
SQLPasswordEngine on
SQLAuthTypes pbkdf2
SQLPasswordPBKDF2 sha1 100 20
SQLNamedQuery get-user-salt SELECT "salt FROM ftpuser WHERE userid = '%{0}'"
SQLPasswordUserSalt sql:/get-user-salt Prepend
SQLPasswordEncoding hex
SQLPasswordSaltEncoding hex
SQLPasswordOptions HashEncodeSalt HashEncodePassword
</VirtualHost>
I had to:
- define lowercase hex encoding for SQLPasswordEncoding and SQLPasswordSaltEncoding
- correct the output length in SQLPasswordPBKDF2 from 40 bytes to 20 bytes
- add SQLPasswordOptions to instruct the module to decode the hex values first and only then use the hash
- enable SQLPasswordEngine
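The following is an added example, not code from the question, the answer or the proftpd project. It reproduces the glftpd 2.01 scheme as described on this page (the passchk.c call in [¹] and the working config in the answer): the 8-hex-character salt is decoded to 4 raw bytes, then PBKDF2-HMAC-SHA1 with 100 iterations yields 20 bytes stored as lowercase hex. The real password behind the page's sample hash is unknown, so the demo uses a constructed password with the page's salt; the `decode_salt=False` path shows why hashing the salt as ASCII hex (the HashSalt attempt) produces a different, non-matching digest.

```python
import hashlib
import hmac

# Parameters taken from this page: PKCS5_PBKDF2_HMAC_SHA1(..., 100, ...) in
# glftpd's passchk.c and "SQLPasswordPBKDF2 sha1 100 20" in the working config.
ITERATIONS = 100
DK_LEN = 20          # PBKDF2 output length in bytes (SHA-1 digest size)
SALT_HEX_LEN = 8     # 4 raw salt bytes, stored as 8 hex characters


def parse_glftpd_hash(stored):
    """Split '$<salt-hex>$<hash-hex>' into (salt_hex, hash_hex).

    These are the values that end up in the ftpuser.salt and ftpuser.passwd
    columns of the answer's database, without the dollar signs.
    """
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "":
        raise ValueError("expected '$salt$hash' format")
    salt_hex, hash_hex = parts[1].lower(), parts[2].lower()
    if len(salt_hex) != SALT_HEX_LEN or len(hash_hex) != DK_LEN * 2:
        raise ValueError("unexpected salt or hash length")
    return salt_hex, hash_hex


def glftpd_pbkdf2(password, salt_hex, decode_salt=True):
    """Recompute the stored hash as lowercase hex.

    decode_salt=True mirrors HashEncodeSalt: the hex string is decoded to
    raw bytes before being fed to the KDF. decode_salt=False feeds the ASCII
    hex characters themselves, which is what went wrong in the question.
    """
    salt = bytes.fromhex(salt_hex) if decode_salt else salt_hex.encode()
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, DK_LEN)
    return dk.hex()


def verify(password, salt_hex, hash_hex):
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(glftpd_pbkdf2(password, salt_hex), hash_hex.lower())


if __name__ == "__main__":
    # Constructed sample: the page's salt with a made-up password.
    salt_hex, _ = parse_glftpd_hash("$7e8ab0c7$bf044082ab83875eeb3a2158cd6253f8e88f40cf")
    sample = "$%s$%s" % (salt_hex, glftpd_pbkdf2("correct horse", salt_hex))
    print(sample, verify("correct horse", *parse_glftpd_hash(sample)))
```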