FileZilla Server 1.4.1: Adding users programmatically

gianluca.pinoli
500 Command not understood
Posts: 3
Joined: 2022-06-08 16:09
First name: GIANLUCA
Last name: PINOLI

FileZilla Server 1.4.1: Adding users programmatically

#1 Post by gianluca.pinoli » 2022-06-08 16:39

Hi,
I'm trying to find a way to add users to users.xml. Although it is quite simple to create a User node, I have some problems creating the hash for the password.
I know there are many topics about this subject, but they seem to refer to the older version of FileZilla (0.9.x).

In FileZilla Server 1.4.1, after creating a new user with the GUI and reading Users.XML, I can find something like this:

...
<password index="1">
<hash>17zJM5wwWu99f/EiOGg5gdy9xA+1Os+2UolVPJ8lPIs</hash>
<salt>UNu88mu6vV0AiNptC/6SHbz/hD6GvUo4GtRg706E3gs</salt>
<iterations>100000</iterations>
</password>
...

I understand the salt is a random string, but how do I retrieve the hash value?

In some topics in this forum I found that the way is something like:
password = "12345";
salt = "somelongstring6172617261";
result = SHA512(password + salt);

but both hash and salt seem to have a length of 64 chars, while in my users.xml file they are 43.

I've also tried with filezilla-server-crypt.exe, but since version 1.3 stdin seems to be involved.

Does anyone have a suggestion?

Best regards
Gianluca Pinoli

oibaf
Contributor
Posts: 396
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: FileZilla Server 1.4.1: Adding users programmatically

#2 Post by oibaf » 2022-06-08 20:51

filezilla-server-crypt has been changed so as to get the password to hash from the standard input, for security reasons. Just follow what's written at the following link, but instead of passing the password as a parameter, feed it in through stdin: viewtopic.php?f=6&t=54267&p=178461&hili ... pt#p178461

gianluca.pinoli
500 Command not understood
Posts: 3
Joined: 2022-06-08 16:09
First name: GIANLUCA
Last name: PINOLI

Re: FileZilla Server 1.4.1: Adding users programmatically

#3 Post by gianluca.pinoli » 2022-06-09 16:23

Is this the only way?
I'm trying to achieve it as a service, but I think this will not be possible...

Regards
Gianluca

oibaf
Contributor
Posts: 396
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: FileZilla Server 1.4.1: Adding users programmatically

#4 Post by oibaf » 2022-06-09 21:02

The password is hashed using pbkdf2 with hmac_sha256, then base64-encoded without padding, together with the random salt. Any tool able to do that is good for the occasion.

gianluca.pinoli
500 Command not understood
Posts: 3
Joined: 2022-06-08 16:09
First name: GIANLUCA
Last name: PINOLI

Re: FileZilla Server 1.4.1: Adding users programmatically

#5 Post by gianluca.pinoli » 2022-06-10 13:58

Thank you very much.
It works for me.

Regards
Gianluca

yomps
500 Command not understood
Posts: 1
Joined: 2022-09-01 13:57
First name: T
Last name: P

Re: FileZilla Server 1.4.1: Adding users programmatically

#6 Post by yomps » 2022-09-01 13:59

Can you share how you got this working?

We're trying to automatically generate hashed passwords with a salt for version 1.5.1 of Filezilla Server.

Thanks

jwang
500 Command not understood
Posts: 1
Joined: 2022-10-02 01:09
First name: Jack
Last name: Wang

Re: FileZilla Server 1.4.1: Adding users programmatically

#7 Post by jwang » 2022-10-02 01:16

I also got the same problem.

Code:

import hashlib

key = hashlib.pbkdf2_hmac(
    'SHA256', # The hash digest algorithm for HMAC
    password.encode('utf-8'), # Convert the password to bytes
    salt.encode('utf-8'), # Provide the salt
    100000 # It is recommended to use at least 100,000 iterations of SHA-256
)

I tried to use Python to generate the hash; however, I'm getting hex, not a hash like the one I saw below:

Code:

C:\Program Files\FileZilla Server>filezilla-server-crypt test3
test
--test3@index=1 --test3.hash=cSEuk+yFGgWzSYV2hYyt2tE51SDq6p8YKqUdhBttCf0 --test3.salt=t6xJFWEVmhyX1ZTImoloLVoldPFvHIy5wCL4wm8mat4 --test3.iterations=100000

How can I get the 43-character string from the hash returned by pbkdf2_hmac?

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: FileZilla Server 1.4.1: Adding users programmatically

#8 Post by boco » 2022-10-02 08:22

Did you base64-encode your result? See three posts above yours.

adesh7
504 Command not implemented
Posts: 6
Joined: 2024-03-07 10:50
First name: Adesh
Last name: R

Re: FileZilla Server 1.4.1: Adding users programmatically

#9 Post by adesh7 » 2024-03-07 10:55

Hi,

I am facing an issue with version 1.8.1.

I want to create a user programmatically using PHP.

My code is:
$iterations = 100000;
$salt = "GjnbiA3xutwGIfvD8jL9/d12c7JAm6x0sN/57b97iz0";
$hashedPassword = hash_pbkdf2("sha256", $password, hex2bin($salt), $iterations, 0, true);
$hashed_password = rtrim(base64_encode($hashedPassword), '=');

Still, the password hash created with the above code is not accepted.

I tried with a random salt also.

Can anyone help with this, please?

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla Server 1.4.1: Adding users programmatically

#10 Post by botg » 2024-03-07 12:16

You must use a random salt; do not use a static salt.

adesh7
504 Command not implemented
Posts: 6
Joined: 2024-03-07 10:50
First name: Adesh
Last name: R

Re: FileZilla Server 1.4.1: Adding users programmatically

#11 Post by adesh7 » 2024-03-12 10:48

Hi,

Thanks for the reply.

I tried a random salt too. I am still not able to log in using that user.

I also tried with the salt generated by the FileZilla server and the same password, but my hashed password and the FileZilla server's are different for the same password string and salt.

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla Server 1.4.1: Adding users programmatically

#12 Post by botg » 2024-03-12 15:20

In your provided example, what is the salt being used?

adesh7
504 Command not implemented
Posts: 6
Joined: 2024-03-07 10:50
First name: Adesh
Last name: R

Re: FileZilla Server 1.4.1: Adding users programmatically

#13 Post by adesh7 » 2024-03-14 05:12

This salt is used for checking whether the hashed password matches or not.

This salt is generated by the FileZilla server while adding a user using the admin interface.

$salt = bin2hex(random_bytes(22));
$salt = substr($salt, 0, 43);

Before that, I am using the above code to generate the salt value.

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla Server 1.4.1: Adding users programmatically

#14 Post by botg » 2024-03-14 09:29

$salt = bin2hex(random_bytes(22));
$salt = substr($salt, 0, 43);
The salt should have 256 bits of entropy. You are only using 172 bits of entropy.

adesh7
504 Command not implemented
Posts: 6
Joined: 2024-03-07 10:50
First name: Adesh
Last name: R

Re: FileZilla Server 1.4.1: Adding users programmatically

#15 Post by adesh7 » 2024-03-14 09:44

How can I achieve that? Can you explain?
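
The recipe from posts #4 and #14, written out as an added Python example (not FileZilla's code and not posted by anyone in this thread): a 32-byte CSPRNG salt, PBKDF2-HMAC-SHA256, and both values base64-encoded without padding. It assumes the stored salt is the unpadded base64 of the raw bytes fed to PBKDF2, that the derived key is 32 bytes (which the 43-character values imply), and that the password is UTF-8 encoded; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 100000  # value stored in the users.xml sample on this page
SALT_BYTES = 32      # 256 bits of entropy, per post #14
HASH_BYTES = 32      # assumption: 43 unpadded base64 chars decode to 32 bytes


def b64_nopad(raw):
    """Base64-encode and strip '=' padding (32 bytes -> 43 characters)."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def b64_nopad_decode(text):
    """Restore the stripped padding, then decode back to raw bytes."""
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return the hash/salt/iterations triple for one <password> node."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh CSPRNG salt per user
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be 32 raw bytes, not hex or base64 text")
    # Assumption: password is UTF-8 encoded before key derivation.
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations, dklen=HASH_BYTES)
    return {"hash": b64_nopad(key), "salt": b64_nopad(salt),
            "iterations": iterations}


def verify_password(password, entry):
    """Recompute the hash from a stored entry; compare in constant time."""
    salt = b64_nopad_decode(entry["salt"])  # raw bytes, never .encode()
    expected = b64_nopad_decode(entry["hash"])
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              int(entry["iterations"]), dklen=len(expected))
    return hmac.compare_digest(key, expected)


def password_xml(entry):
    """Render the entry in the layout of the users.xml fragment in post #1."""
    return ('<password index="1">\n<hash>{hash}</hash>\n<salt>{salt}</salt>\n'
            '<iterations>{iterations}</iterations>\n</password>').format(**entry)


if __name__ == "__main__":
    print(password_xml(hash_password("constructed-sample-password")))
```

To confirm the assumptions on your own install, run `verify_password` against a hash/salt pair that filezilla-server-crypt or the admin GUI produced for a password you know.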
