Programmatically Create User Account

vphothisan
500 Command not understood
Posts: 3
Joined: 2016-02-11 02:49
First name: Vilasack
Last name: Phothisan

Programmatically Create User Account

#1 Post by vphothisan » 2016-02-11 03:09

I saw some documentation and conversations about how to create a user account programmatically by editing the FileZilla Server.xml file.

I did this along with issuing the /reload-config. Everything works fine except the password is invalid. I use the MD5 hashing example and it looks correct. But I noticed that in the new version of FZS there is a "Salt" field in the user element.

What is this "Salt" and how do I populate it? Is it still possible to create a user account programmatically? Is there an API for C#?

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Programmatically Create User Account

#2 Post by botg » 2016-02-11 08:17

There's no API.

Each time a password is hashed, a new random salt is chosen for that password. The hex encoded sha512 hash of the password concatenated with the random salt is then stored in the XML file.

You could simply adjust your script or program to generate a new salt (salts must not be re-used) and hash the password together with it using SHA512. As salt any non-empty random string would work, I suggest at least 128 bits of entropy.

Re: Programmatically Create User Account

#3 Post by vphothisan » 2016-02-11 15:06

password = "12345";
salt = "somelongstring6172617261";

result = ComputeSHA512(password + salt);

Is it something like that?

Re: Programmatically Create User Account

#4 Post by botg » 2016-02-11 15:41

Yup.

Re: Programmatically Create User Account

#5 Post by vphothisan » 2016-02-11 15:58

Just to confirm the changes. In the older version of FZS, it uses MD5 hash only without the salt? v 0.9.53

Now we need to provide a SALT and hash it up with SHA512? (v0.9.55 BETA)

Are there any rules like the password hash must be base64 or all uppercase?

Looking at the FileZilla Server.xml, it looks like the "Pass" value is all uppercase. Is that just a coincidence?

Re: Programmatically Create User Account

#6 Post by botg » 2016-02-11 16:33

The XML contains the hex representation of the SHA512 hash. Should be written using uppercase letters.

For the salt, all printable ASCII characters are allowed.

alexellul
500 Command not understood
Posts: 2
Joined: 2016-02-22 14:09
First name: Alex
Last name: Ellul

Re: Programmatically Create User Account

#7 Post by alexellul » 2016-02-22 14:17

I have the same problem with the creation of new FTP users. When creating a user with the FileZilla interface, it is generating a salt and eventually a user password (SHA512).

Yet, when generating a SHA512 hash with an online generator using the same salt and password used to create the user, the online-encrypted password and the XML password (generated when the user was created from the GUI) won't match. I am trying to create a user from a PowerShell command by adding the requested values in the XML file, however I cannot log in due to this.

Any idea what could be the issue?

Thanks

Re: Programmatically Create User Account

#8 Post by botg » 2016-02-22 15:19

Tried two random online sha512 converters. Getting the same correct results everywhere.

If your password contains non-ASCII characters, make sure it is UTF-8 encoded.

Re: Programmatically Create User Account

#9 Post by alexellul » 2016-02-22 15:48

Created a user with the FileZilla interface for user alex with a password test123:

Password - test123
Generated salt - Ot0(]eaRu"L,IUDL({aiEzRFX8]e^lN>l{.'(J.9Ha`g4&d3u^WKN05hYJpWB>lN
Generated Pass - 17CB25A29701B282650381745AB9F09BB6EF90B48FB6EA700A7C3B8F22C59086E8893ECB389E59D4D7933E5E79589D7C83A6B4902D11292E7449654D562F8C1D

When generating the same password with an online tool, it returns - 3496fe72ab252d9bd983351e246b7d8f5c274d975d4de340edef15251c6665c790c15170653c457eaab013f0a9c069be2ab6bd3471f224c5772d9c133b0db467 (also attached a print screen of the generated values)
Attachment: generated SHA512.png (Generated passwords)

Re: Programmatically Create User Account

#10 Post by botg » 2016-02-22 15:55

Generated salt - Ot0(]eaRu"L,IUDL({aiEzRFX8]e^lN>l{.'(J.9Ha`g4&d3u^WKN05hYJpWB>lN
That's not a generated salt. FileZilla Server generates salts that are exactly 64 characters long.

Re: Programmatically Create User Account

#11 Post by botg » 2016-02-24 09:21

Ponder the difference between a textual representation of an XML file and the data it actually contains.

jesperjuulholm
500 Command not understood
Posts: 1
Joined: 2016-06-06 10:48
First name: Jesper
Last name: Holm

Re: Programmatically Create User Account

#12 Post by jesperjuulholm » 2016-06-06 11:04

This thread helped me solve my problem with creating FileZilla users automatically in PHP, but I only made it work after looking into the source code of FileZilla server.

So I thought I wanted to share the code snippet that did the magic for me:

Code:

<?php
// Printable ASCII characters allowed in the salt
$seed = str_split("!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~");
shuffle($seed);
$rand = '';

// Pick 64 characters for the salt
foreach (array_rand($seed, 64) as $k) {
    $rand .= $seed[$k];
}

$passwd = "your_password";

$salt_raw = utf8_encode($rand);        // salt as it is hashed
$salt_html = htmlentities($salt_raw);  // entity-escaped salt for the XML file
$passwd = utf8_encode($passwd);
$salted_password = $passwd . $salt_raw;
$encoded_password = strtoupper(hash('SHA512', $salted_password)); // uppercase hex

// $salt_html goes into <Option Name="Salt">
// $encoded_password goes into <Option Name="Pass">

Re: Programmatically Create User Account

#13 Post by botg » 2016-06-06 13:19

Do not use PHP's shuffle function, it does not use cryptographically secure random numbers.

Do not use PHP's array_rand function, it does not use cryptographically secure random numbers.
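
The scheme described in this thread (a fresh random salt per password, uppercase hex SHA-512 of the UTF-8 password concatenated with the salt), combined with the XML distinction from post #11 and the CSPRNG requirement from post #13, as an added PowerShell example that is not part of the original posts or FileZilla's own code. The function names, the XML fragment and the password are constructed for illustration.

```powershell
# Added example (not from the thread). The <User>/<Option> fragment is a constructed
# sample using the Option names quoted above; 'example-password' is a sample value.
function New-FzSalt([int]$Length = 64) {
    # Printable ASCII 0x21..0x7E (94 characters) drawn from the OS CSPRNG. Bytes
    # >= 188 (2 * 94) are rejected so the modulo does not bias the result.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt 188) { [void]$sb.Append([char](0x21 + ($buf[0] % 94))) }
    }
    $rng.Dispose()
    $sb.ToString()
}

function Get-FzPassHash([string]$Password, [string]$Salt) {
    # SHA-512 over UTF-8(password + salt), written as uppercase hex.
    $sha   = [System.Security.Cryptography.SHA512]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password + $Salt)
    $hex   = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
    $sha.Dispose()
    $hex
}

$doc = [xml]'<User Name="alex"><Option Name="Pass"></Option><Option Name="Salt"></Option></User>'
$saltNode = $doc.SelectSingleNode('/User/Option[@Name="Salt"]')
$passNode = $doc.SelectSingleNode('/User/Option[@Name="Pass"]')

$salt = New-FzSalt
$saltNode.InnerText = $salt   # the XML DOM escapes & < > when it serializes
$passNode.InnerText = Get-FzPassHash 'example-password' $salt

# Textual representation of the XML versus the data it contains:
$rawText = $saltNode.InnerXml    # entity-escaped text, as seen in an editor
$decoded = $saltNode.InnerText   # the salt itself, entities resolved
"salt length, decoded : $($decoded.Length)"
"salt length, raw text: $($rawText.Length)"
$ok  = (Get-FzPassHash 'example-password' $decoded) -eq $passNode.InnerText
$raw = (Get-FzPassHash 'example-password' $rawText) -eq $passNode.InnerText
"hash from decoded salt matches Pass: $ok"
"hash from raw text matches Pass    : $raw"   # False whenever the salt has & < or >
```

Reading and writing the salt through an XML parser keeps the hashed value and the stored value consistent; copying the escaped text out of the file by hand changes both its length and the resulting hash.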

trueloeque
504 Command not implemented
Posts: 6
Joined: 2016-08-08 08:46

Re: Programmatically Create User Account

#14 Post by trueloeque » 2016-08-08 08:55

Hi Admin,

FileZilla Server version: 0.9.57 (the latest available)

The length of the salt generated by the FileZilla interface is variable; it is not fixed to 64 characters.

Using the following PowerShell script to compute the SHA512 pass (pass+salt), the authentication doesn't work, and the resulting SHA512 pass from this script matches online converters but not the FileZilla SHA512.

https://gallery.technet.microsoft.com/s ... h-aa843f71
Function Get-StringHash([String] $String, $HashName = "MD5")
{
    $StringBuilder = New-Object System.Text.StringBuilder
    [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String)) | % {
        [Void]$StringBuilder.Append($_.ToString("x2"))
    }
    $StringBuilder.ToString()
}

Re: Programmatically Create User Account

#15 Post by trueloeque » 2016-08-08 10:00

In addition, if I create a user from the FileZilla interface and use the generated salt as my salt, then when I call the Get-StringHash PowerShell function with the string "Clear_password+Salt", the encrypted password is different from the encrypted password generated by the FileZilla interface.
So I think the string parameter (Clear_password+Salt) has to be different to get the final encrypted password?
Last edited by trueloeque on 2016-08-08 14:33, edited 1 time in total.
