FileZilla Server 1.4.1: Adding users programmatically
Moderator: Project members
Re: FileZilla Server 1.4.1: Adding users programmatically
Easy, you start by generating 256 bits of entropy and then you simply don't throw away any of it.
Re: FileZilla Server 1.4.1: Adding users programmatically
Currently generating salt using
$salt = bin2hex(random_bytes(32));
User.xml contains
<password index="1"><hash>RRiZffIC6W1c5dDPJd3BxeXdyZKRLlYsF1E5eWKVm5M</hash>
<salt>47969058ae42201e51e2cd5aaff86d4da3eef71726e389ea10d1e483669704e8</salt>
<iterations>100000</iterations>
</password>
<methods>1</methods>
But now I am getting the below error while trying to start the server:
C:\Users\Yash>E:\Ampps\ftp\filezilla-server.exe --config-dir=E:\Ampps\ftp\conf
2024-03-14T13:03:45.454Z !! Error in filezilla.user.password.salt: Invalid argument
Re: FileZilla Server 1.4.1: Adding users programmatically
Doesn't the salt have to be base64-encoded?
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
Re: FileZilla Server 1.4.1: Adding users programmatically
Both the hash and the salt must be encoded in base64, without padding.
The salt must be exactly 32 bytes long.
Re: FileZilla Server 1.4.1: Adding users programmatically
Why the without padding requirement? Isn't the padding just discarded if present?
In addition to being 32 bytes long, the salt also needs to be completely and absolutely random. So exactly 4 if you know the xkcd
Re: FileZilla Server 1.4.1: Adding users programmatically
@botg You're right, the padding is ignored when decoding. My bad.
So, to sum it up: base64 encoded hash, with a very random salt, that too encoded in base64 in the xml file (not when fed to the pbkdf2 function).
This sequence in Python3 produces the correct data:
$ python3
Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> import secrets
>>> import base64
>>> salt = secrets.token_bytes(32)
>>> hash = hashlib.pbkdf2_hmac('sha256', b'mypassword', salt, 100000)
>>> base64.b64encode(salt)
b'mWwXLTAyBX1O6e6oC2QIR14CWsu9bsR/L6kMHKojTeY='
>>> base64.b64encode(hash)
b'tWMctKqsuXStcILqxpI6il/toVpA0LinwCftQy+ZUYc='
And this is in php:
$ php -a
Interactive shell
php > $salt = openssl_random_pseudo_bytes(32);
php > $hash = hash_pbkdf2('sha256', 'mypassword', $salt, 100000, 0, true);
php > echo base64_encode($salt);
C/QV8ZNr/CAcobdpjLovlGBgIOQvdg64VByZkF0XVjw=
php > echo base64_encode($hash);
FRpKNCwqElqaLugdhu4Umvt3eDFElccumCRZ/2/ORjE=
php >
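Added example, not part of the original posts and not FileZilla's own code: a Python sketch that builds the password element described in this thread and checks an existing one, which flags the hex-encoded salt from the earlier post because it base64-decodes to 48 bytes instead of 32. The function names and the UTF-8 encoding of the password are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SALT_LEN = 32        # the thread: the salt must be exactly 32 bytes
ITERATIONS = 100000  # iteration count used in the thread's snippets


def b64_nopad(raw: bytes) -> str:
    """Base64 without '=' padding, the form the thread asks for."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def b64_decode(text: str) -> bytes:
    """Decode base64 given with or without padding; ValueError if malformed."""
    text = text.strip()
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)


def make_password_element(password: str, iterations: int = ITERATIONS) -> ET.Element:
    """Build a <password> element shaped like the one quoted in the thread."""
    salt = secrets.token_bytes(SALT_LEN)  # raw bytes feed PBKDF2; base64 only in the XML
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    elem = ET.Element("password", index="1")
    ET.SubElement(elem, "hash").text = b64_nopad(digest)
    ET.SubElement(elem, "salt").text = b64_nopad(salt)
    ET.SubElement(elem, "iterations").text = str(iterations)
    return elem


def check_password_element(elem: ET.Element, password: str) -> list:
    """Return a list of problems; an empty list means the entry matches the password."""
    try:
        salt = b64_decode(elem.findtext("salt", ""))
        stored = b64_decode(elem.findtext("hash", ""))
        iterations = int(elem.findtext("iterations", ""))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"undecodable field: {exc}"]
    if iterations < 1:
        return ["iterations must be a positive integer"]
    problems = []
    if len(salt) != SALT_LEN:
        problems.append(f"salt decodes to {len(salt)} bytes, expected {SALT_LEN}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    if not hmac.compare_digest(digest, stored):
        problems.append("hash does not match password")
    return problems
```

Serialize the result with ET.tostring(make_password_element("mypassword")) and run check_password_element over generated entries before restarting the server.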
Re: FileZilla Server 1.4.1: Adding users programmatically
@oibaf Thanks for this code snippet.
I am able to successfully create a user using PHP code and log in with that user.
Really appreciated.
Thanks a lot!