
Programmatically Create User Account

Posted: 2016-02-11 03:09
by vphothisan
I saw a few documentation pages / conversations about how to create a user account programmatically by editing the FileZilla Server.xml file.

I did this along with issuing the /reload-config. Everything works fine except the password is invalid. I used the MD5 hashing example and it looks correct. But I noticed that in the new version of FZS there is a "Salt" field in the user element.

What is this "Salt" and how do I populate it? Is it still possible to create a user account programmatically? Is there an API for C#?

Re: Programmatically Create User Account

Posted: 2016-02-11 08:17
by botg
There's no API.

Each time a password is hashed, a new random salt is chosen for that password. The hex encoded sha512 hash of the password concatenated with the random salt is then stored in the XML file.

You could simply adjust your script or program to generate a new salt (salts must not be re-used) and hash the password together with it using SHA512. As salt any non-empty random string would work, I suggest at least 128 bits of entropy.

Re: Programmatically Create User Account

Posted: 2016-02-11 15:06
by vphothisan
password = "12345";
salt = "somelongstring6172617261";

result = ComputeSHA512(password + salt);

is it something like that?

Re: Programmatically Create User Account

Posted: 2016-02-11 15:41
by botg
Yup.

Re: Programmatically Create User Account

Posted: 2016-02-11 15:58
by vphothisan
Just to confirm the changes. In the older version of FZS (v0.9.53), it uses an MD5 hash only, without a salt?

Now we need to provide a SALT and hash it up with SHA512? (v0.9.55 BETA)

Are there any rules like the password hash must be base64 or all uppercase?

Looking at the FileZilla Server.xml, it looks like the "Pass" value is all uppercase. Is that just a coincidence?

Re: Programmatically Create User Account

Posted: 2016-02-11 16:33
by botg
The XML contains the hex representation of the SHA512 hash. Should be written using uppercase letters.

For the salt, all printable ASCII characters are allowed.

Re: Programmatically Create User Account

Posted: 2016-02-22 14:17
by alexellul
I have the same problem with the creation of new FTP users. When creating a user with the FileZilla interface, it generates a salt and eventually a user password (SHA512).

Yet, when generating an SHA512 hash with an online generator using the same salt and password used to create the user, the online-encrypted password and the XML password (generated when creating the user from the GUI) won't match. I am trying to create a user from a PowerShell command by adding the requested values to the XML file, however I cannot log in due to this.

Any idea what could be the issue?

Thanks

Re: Programmatically Create User Account

Posted: 2016-02-22 15:19
by botg
Tried two random online sha512 converters. Getting the same correct results everywhere.

If your password contains non-ASCII characters, make sure it is UTF-8 encoded.

Re: Programmatically Create User Account

Posted: 2016-02-22 15:48
by alexellul
Created a user with the FileZilla interface for user alex with the password test123.

Password - test123
Generated salt - Ot0(]eaRu"L,IUDL({aiEzRFX8]e^lN>l{.'(J.9Ha`g4&d3u^WKN05hYJpWB>lN
Generated Pass - 17CB25A29701B282650381745AB9F09BB6EF90B48FB6EA700A7C3B8F22C59086E8893ECB389E59D4D7933E5E79589D7C83A6B4902D11292E7449654D562F8C1D

when generating the same password with an online tool, it returns - 3496fe72ab252d9bd983351e246b7d8f5c274d975d4de340edef15251c6665c790c15170653c457eaab013f0a9c069be2ab6bd3471f224c5772d9c133b0db467 (also attached a print screen of the generated values)

Re: Programmatically Create User Account

Posted: 2016-02-22 15:55
by botg
Generated salt - Ot0(]eaRu"L,IUDL({aiEzRFX8]e^lN>l{.'(J.9Ha`g4&d3u^WKN05hYJpWB>lN
That's not a generated salt. FileZilla Server generates salts that are exactly 64 characters long.

Re: Programmatically Create User Account

Posted: 2016-02-24 09:21
by botg
Ponder the difference between a textual representation of an XML file and the data it actually contains.

Re: Programmatically Create User Account

Posted: 2016-06-06 11:04
by jesperjuulholm
This thread helped me solve my problem with creating FileZilla Server users automatically in PHP, but I only made it work after looking into the source code of FileZilla Server.

So I thought I would share the code snippet that did the magic for me:


// Salt alphabet: printable ASCII 0x21..0x7E (no space)
$seed = str_split("!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~");
shuffle($seed);
$rand = '';

// Pick 64 characters from the shuffled alphabet for the salt
foreach (array_rand($seed, 64) as $k) {
    $rand .= $seed[$k];
}

$passwd = "your_password";

$salt_raw = utf8_encode($rand);
$salt_html = htmlentities($salt_raw);          // escaped form that is written into the XML file
$passwd = utf8_encode($passwd);
$salted_password = $passwd . $salt_raw;        // hash password + raw (unescaped) salt
$encoded_password = strtoupper(hash('SHA512', $salted_password)); // uppercase hex, as in the XML

// $salt_html goes into <Option Name="Salt">
// $encoded_password goes into <Option Name="Pass">

Re: Programmatically Create User Account

Posted: 2016-06-06 13:19
by botg
Do not use PHP's shuffle function, it does not use cryptographically secure random numbers.

Do not use PHP's array_rand function, it does not use cryptographically secure random numbers.
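Pulling the whole thread together (botg's description of the scheme, the uppercase-hex and printable-ASCII rules, the "textual representation vs. data" hint about XML escaping, and the CSPRNG point above), here is an added example in Python. It is not code from FileZilla Server or from anyone in the thread. It assumes a minimal `<User Name="..."><Option Name="Pass"/><Option Name="Salt"/></User>` layout based only on the element names mentioned in the thread, and it assumes the salt alphabet is printable ASCII without the space character (0x21..0x7E); check both against your own FileZilla Server.xml before relying on them.

```python
import hashlib
import secrets
import xml.etree.ElementTree as ET
from typing import Optional

# Assumption: printable ASCII without space (0x21..0x7E), matching the alphabet
# used in the PHP snippet above. Whether FileZilla Server itself allows a space
# in the salt is not settled in the thread.
SALT_ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F))
SALT_LENGTH = 64  # the length botg says the GUI generates


def filezilla_pass(password: str, salt: str) -> str:
    """SHA-512 over UTF-8(password) || UTF-8(salt), hex encoded in uppercase.

    This is the construction botg describes: plain concatenation, no HMAC, no
    iteration, so the salt is what stops precomputed tables, nothing more.
    """
    data = password.encode("utf-8") + salt.encode("utf-8")
    return hashlib.sha512(data).hexdigest().upper()


def generate_salt(length: int = SALT_LENGTH) -> str:
    """Fresh salt from the OS CSPRNG (not shuffle/array_rand/random.choice).

    64 symbols from a 94-symbol alphabet is roughly 418 bits of entropy, well
    above the 128 bits botg asks for. Never reuse a salt across users or
    across password changes.
    """
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def make_user_element(name: str, password: str, salt: Optional[str] = None) -> ET.Element:
    """Build the (assumed) <User> element with Pass and Salt options.

    ElementTree escapes <, > and & when serialising text, so the raw salt is
    stored as XML *data*; the file's text will differ from the salt you hashed.
    """
    if salt is None:
        salt = generate_salt()
    if not salt or any(ch not in SALT_ALPHABET for ch in salt):
        raise ValueError("salt must be non-empty printable ASCII")
    user = ET.Element("User", Name=name)
    ET.SubElement(user, "Option", Name="Pass").text = filezilla_pass(password, salt)
    ET.SubElement(user, "Option", Name="Salt").text = salt
    return user


def serialize_user(user: ET.Element) -> str:
    """The text that would actually land in the XML file (entities and all)."""
    return ET.tostring(user, encoding="unicode")


def verify_from_xml(xml_text: str, password: str) -> bool:
    """Parse the XML back, which un-escapes the entities, then recompute.

    This is the step alexellul's online-tool comparison skipped: the salt you
    must hash is the decoded value, not the escaped text visible in the file.
    """
    user = ET.fromstring(xml_text)
    opts = {o.get("Name"): (o.text or "") for o in user.findall("Option")}
    actual = filezilla_pass(password, opts["Salt"])
    return secrets.compare_digest(actual, opts["Pass"])


if __name__ == "__main__":
    # Constructed sample: a salt that needs escaping, so the difference between
    # the file text and the data is visible.
    demo_salt = 'a<b>&"c\'' + "x" * (SALT_LENGTH - 8)
    xml_text = serialize_user(make_user_element("alex", "test123", demo_salt))
    print(xml_text)
    print("verifies:", verify_from_xml(xml_text, "test123"))
```

Running the block prints the serialized element with `&lt;`, `&gt;` and `&amp;` in the Salt option, and `verifies: True`; feeding the escaped text rather than the decoded salt into `filezilla_pass` gives the mismatch described in the thread.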

Re: Programmatically Create User Account

Posted: 2016-08-08 08:55
by trueloeque
Hi Admin,

FileZilla Server version: 0.9.57 (the last available)

The salt length generated by the FileZilla Interface is variable, not fixed to 64 characters.

Using the following PowerShell script to compute the SHA512 pass (pass+salt), authentication doesn't work, and the SHA512 pass produced by this script matches online converters but not the FileZilla SHA512.

https://gallery.technet.microsoft.com/s ... h-aa843f71
Function Get-StringHash([String] $String, $HashName = "MD5")
{
    $StringBuilder = New-Object System.Text.StringBuilder
    # Hash the UTF-8 bytes of the string and append each byte as two lowercase hex digits
    [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String)) | % {
        [Void]$StringBuilder.Append($_.ToString("x2"))
    }
    $StringBuilder.ToString()
}

Re: Programmatically Create User Account

Posted: 2016-08-08 10:00
by trueloeque
In addition, if I create a user from the FileZilla interface and use the generated salt as my salt, then when I call the Get-StringHash PowerShell function with the string "Clear_password+Salt" the encrypted password is different from the encrypted password generated by the FileZilla Interface.
So I think the string parameter (Clear_password+Salt) has to be different in order to get the final encrypted password?