FileZilla Server 1.4.1: Adding users programmatically

[botg]

Easy, you start by generating 256 bits of entropy and then you simply don't throw away any of it.

[adesh7]

Currently generating salt using

$salt = bin2hex(random_bytes(32));

User.xml contains
<password index="1"><hash>RRiZffIC6W1c5dDPJd3BxeXdyZKRLlYsF1E5eWKVm5M</hash>
<salt>47969058ae42201e51e2cd5aaff86d4da3eef71726e389ea10d1e483669704e8</salt>
<iterations>100000</iterations>
</password>
<methods>1</methods>

But now getting below error while trying to start server
C:\Users\Yash>E:\Ampps\ftp\filezilla-server.exe --config-dir=E:\Ampps\ftp\conf
2024-03-14T13:03:45.454Z !! Error in filezilla.user.password.salt: Invalid argument

[boco]

Doesn't the salt have to be base64-encoded?

[oibaf]

Both the hash and the salt must be encoded in base64, without padding.
The salt must be exactly 32 bytes long.

[botg]

Why the without padding requirement? Isn't the padding just discarded if present?


In addition to being 32 bytes long, the salt also needs to be completely and absolutely random. So exactly 4 if you know the xkcd

[oibaf]

@botg You're right, the padding is ignored when decoding. My bad.

So, to sum it up: base64 encoded hash, with a very random salt, that too encoded in base64 in the xml file (not when fed to the pbkdf2 function).

This sequence in Python3 produces the correct data:

Code: Select all

$ python3
Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> import secrets
>>> import base64
>>> salt = secrets.token_bytes(32)
>>> hash = hashlib.pbkdf2_hmac('sha256', b'mypassword', salt, 100000)
>>> base64.b64encode(salt)
b'mWwXLTAyBX1O6e6oC2QIR14CWsu9bsR/L6kMHKojTeY='
>>> base64.b64encode(hash)
b'tWMctKqsuXStcILqxpI6il/toVpA0LinwCftQy+ZUYc='

And this is in php:

Code: Select all

$ php -a
Interactive shell

php > $salt = openssl_random_pseudo_bytes(32);
php > $hash = hash_pbkdf2('sha256', 'mypassword', $salt, 100000, 0, true);
php > echo base64_encode($salt);
C/QV8ZNr/CAcobdpjLovlGBgIOQvdg64VByZkF0XVjw=
php > echo base64_encode($hash);
FRpKNCwqElqaLugdhu4Umvt3eDFElccumCRZ/2/ORjE=
php >

[adesh7]

@oibaf Thanks for this code snippet

iam able to successfully create user using php code and login with that user.

Really appreciated.

thanks Alot!