
FileZilla Server 1.4.1: Adding users programmatically

Posted: 2022-06-08 16:39
by gianluca.pinoli
Hi,
I'm trying to find a way to add users to users.xml. Although it is quite simple to create a User node, I have some problems creating the hash for the password.
I know there are many topics about this argument, but they seem to refer to the older version of FileZilla (0.9.x).

In FileZilla Server 1.4.1, after creating a new user with the GUI and reading Users.XML, I can find something like this:

...
<password index="1">
<hash>17zJM5wwWu99f/EiOGg5gdy9xA+1Os+2UolVPJ8lPIs</hash>
<salt>UNu88mu6vV0AiNptC/6SHbz/hD6GvUo4GtRg706E3gs</salt>
<iterations>100000</iterations>
</password>
...

I understand the salt is a random string, but how do I retrieve the hash value?

In some topics in this forum I can find out that the way is like:
password = "12345";
salt = "somelongstring6172617261";
result = SHA512(password + salt);

but both hash and salt seem to have a length of 64 characters, while in my users.xml file they are 43.

I've also tried with filezilla-server-crypt.exe, but since version 1.3 stdin seems to be involved.

Does anyone have any suggestions?

Best regards
Gianluca Pinoli

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2022-06-08 20:51
by oibaf
filezilla-server-crypt has been changed so as to get the password to hash from the standard input, for security reasons. Just follow what's written at the following link, but instead of passing the password as a parameter, feed it in through stdin: viewtopic.php?f=6&t=54267&p=178461&hili ... pt#p178461

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2022-06-09 16:23
by gianluca.pinoli
Is this the only way?
I'm trying to achieve it as a service, but I think this will not be possible...

Regards
Gianluca

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2022-06-09 21:02
by oibaf
The password is hashed using pbkdf2 with hmac_sha256, then base64-encoded without padding, together with the random salt. Any tool able to do that is good for the occasion.

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2022-06-10 13:58
by gianluca.pinoli
Thank you very much.
It works for me.

Regards
Gianluca

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2022-09-01 13:59
by yomps
Can you share how you got this working?

We're trying to automatically generate hashed passwords with a salt for version 1.5.1 of Filezilla Server.

Thanks

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2022-10-02 01:16
by jwang
I also got the same problem.

Code: Select all

import hashlib

key = hashlib.pbkdf2_hmac(
    'SHA256',                  # The hash digest algorithm for HMAC
    password.encode('utf-8'),  # Convert the password to bytes
    salt.encode('utf-8'),      # Provide the salt
    100000,                    # It is recommended to use at least 100,000 iterations of SHA-256
)

I tried to use Python to generate the hash; however, I'm getting hex, not a hash like the one I saw below:

Code: Select all

C:\Program Files\FileZilla Server>filezilla-server-crypt test3
test
--test3@index=1 --test3.hash=cSEuk+yFGgWzSYV2hYyt2tE51SDq6p8YKqUdhBttCf0 --test3.salt=t6xJFWEVmhyX1ZTImoloLVoldPFvHIy5wCL4wm8mat4 --test3.iterations=100000

How can I get the 43-character string based on the hash returned from pbkdf2_hmac?

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2022-10-02 08:22
by boco
Did you base64-encode your result? See three posts above yours.

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2024-03-07 10:55
by adesh7
Hi,

I am facing an issue with version 1.8.1.

I want to create a user programmatically using PHP.

My code is:
$iterations = 100000;
$salt = "GjnbiA3xutwGIfvD8jL9/d12c7JAm6x0sN/57b97iz0";
$hashedPassword = hash_pbkdf2("sha256", $password, hex2bin($salt), $iterations, 0, true);
$hashed_password = rtrim(base64_encode($hashedPassword), '=');

Still, the password hash created with the above code is not accepted.

I tried with a random salt also.

Can anyone help with this, please?

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2024-03-07 12:16
by botg
You must use random salt, do not use static salt.

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2024-03-12 10:48
by adesh7
Hi,

Thanks for the reply.

I tried a random salt too. I am still not able to log in using that user.

I also tried with the salt generated by the FileZilla server with the same password, but the hashed passwords from my code and from the FileZilla server are different for the same password string and salt.

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2024-03-12 15:20
by botg
In your provided example, what is the salt being used?

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2024-03-14 05:12
by adesh7
This salt is used for checking whether the hashed password matches or not.

This salt is generated by the FileZilla server while adding a user using the admin interface.

$salt = bin2hex(random_bytes(22));
$salt = substr($salt, 0, 43);

Before that, I am using the above code to generate the salt value.

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2024-03-14 09:29
by botg
$salt = bin2hex(random_bytes(22));
$salt = substr($salt, 0, 43);
The salt should have 256 bits of entropy. You are only using 172 bits of entropy.
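
Added example, not code from any poster in this thread or from the FileZilla project: a Python version of the scheme oibaf describes (PBKDF2 with HMAC-SHA256, base64 without padding) using the 256-bit random salt botg asks for. It assumes the salt stored in users.xml is the unpadded base64 of the raw salt bytes and that those decoded bytes, not the text, are what PBKDF2 receives; the function names are illustrative.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 100000  # value in the users.xml excerpt on this page
SALT_BYTES = 32      # 256 bits of entropy
HASH_BYTES = 32      # 32 bytes encode to 43 unpadded base64 characters


def b64_nopad(raw):
    """Base64 without the trailing '=' padding."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def b64_nopad_decode(text):
    """Restore the stripped padding, then decode."""
    return base64.b64decode(text + "=" * (-len(text) % 4))


def derive(password, salt_b64, iterations=ITERATIONS):
    # Assumption: <salt> holds unpadded base64 of the raw salt bytes and the
    # decoded bytes are the PBKDF2 salt (not the UTF-8 or hex form of the text).
    salt = b64_nopad_decode(salt_b64)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=HASH_BYTES)
    return b64_nopad(key)  # raw digest bytes to base64, never to hex


def new_password_entry(password, iterations=ITERATIONS):
    """Fresh random salt for every user; never reuse a static one."""
    salt_b64 = b64_nopad(secrets.token_bytes(SALT_BYTES))
    return {"hash": derive(password, salt_b64, iterations),
            "salt": salt_b64, "iterations": iterations}


def verify(password, entry):
    candidate = derive(password, entry["salt"], entry["iterations"])
    return hmac.compare_digest(candidate, entry["hash"])  # constant-time compare


def to_xml(entry):
    return ('<password index="1">\n'
            f'<hash>{entry["hash"]}</hash>\n'
            f'<salt>{entry["salt"]}</salt>\n'
            f'<iterations>{entry["iterations"]}</iterations>\n'
            '</password>')

if __name__ == "__main__":
    print(to_xml(new_password_entry("example-password")))  # constructed sample password
```

Calling derive() with the password and salt of a user created through the admin interface and comparing the result with the stored hash shows whether these assumptions hold for a given server version.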

Re: FileZilla Server 1.4.1: Adding users programmatically

Posted: 2024-03-14 09:44
by adesh7
How can I achieve that? Can you explain?