Re: FileZilla Server 1.4.1: Adding users programmatically
Posted: 2024-03-14 10:15
by botg
Easy, you start by generating 256 bits of entropy and then you simply don't throw away any of it.
Re: FileZilla Server 1.4.1: Adding users programmatically
Posted: 2024-03-14 13:22
by adesh7
Currently generating salt using
$salt = bin2hex(random_bytes(32));
User.xml contains
<password index="1"><hash>RRiZffIC6W1c5dDPJd3BxeXdyZKRLlYsF1E5eWKVm5M</hash>
<salt>47969058ae42201e51e2cd5aaff86d4da3eef71726e389ea10d1e483669704e8</salt>
<iterations>100000</iterations>
</password>
<methods>1</methods>
But now getting below error while trying to start server
C:\Users\Yash>E:\Ampps\ftp\filezilla-server.exe --config-dir=E:\Ampps\ftp\conf
2024-03-14T13:03:45.454Z !! Error in filezilla.user.password.salt: Invalid argument
Re: FileZilla Server 1.4.1: Adding users programmatically
Posted: 2024-03-14 13:30
by boco
Doesn't the salt have to be base64-encoded?
Re: FileZilla Server 1.4.1: Adding users programmatically
Posted: 2024-03-14 17:26
by oibaf
Both the hash and the salt must be encoded in base64, without padding.
The salt must be exactly 32 bytes long.
Re: FileZilla Server 1.4.1: Adding users programmatically
Posted: 2024-03-14 21:50
by botg
Why the without padding requirement? Isn't the padding just discarded if present?
In addition to being 32 bytes long, the salt also needs to be completely and absolutely random. So exactly 4 if you know the xkcd.
Re: FileZilla Server 1.4.1: Adding users programmatically
Posted: 2024-03-15 08:11
by oibaf
@botg You're right, the padding is ignored when decoding. My bad.
So, to sum it up: base64 encoded hash, with a very random salt, that too encoded in base64 in the xml file (not when fed to the pbkdf2 function).
This sequence in Python3 produces the correct data:
Code:
$ python3
Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> import secrets
>>> import base64
>>> salt = secrets.token_bytes(32)
>>> hash = hashlib.pbkdf2_hmac('sha256', b'mypassword', salt, 100000)
>>> base64.b64encode(salt)
b'mWwXLTAyBX1O6e6oC2QIR14CWsu9bsR/L6kMHKojTeY='
>>> base64.b64encode(hash)
b'tWMctKqsuXStcILqxpI6il/toVpA0LinwCftQy+ZUYc='
And this is in PHP:
Code:
$ php -a
Interactive shell
php > $salt = openssl_random_pseudo_bytes(32);
php > $hash = hash_pbkdf2('sha256', 'mypassword', $salt, 100000, 0, true);
php > echo base64_encode($salt);
C/QV8ZNr/CAcobdpjLovlGBgIOQvdg64VByZkF0XVjw=
php > echo base64_encode($hash);
FRpKNCwqElqaLugdhu4Umvt3eDFElccumCRZ/2/ORjE=
php >
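Added example, not part of the original posts and not FileZilla's own code: a Python version of the steps summarised above that builds the `<password>` element and checks a `<salt>` value before the server rejects it, including the hex-encoded salt from the earlier post. The helper names are hypothetical, and encoding the password as UTF-8 is an assumption (the thread only shows an ASCII password).

```python
import base64
import binascii
import hashlib
import hmac
import secrets

ITERATIONS = 100000   # value shown in the thread's XML
SALT_LEN = 32         # the salt must be exactly 32 raw bytes


def b64(data: bytes) -> str:
    # Standard alphabet; padding stripped, as in the thread's XML sample.
    return base64.b64encode(data).decode("ascii").rstrip("=")


def unb64(text: str) -> bytes:
    # Re-add padding so padded and unpadded input both decode.
    text = text.rstrip("=")
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)


def make_entry(password: str) -> dict:
    salt = secrets.token_bytes(SALT_LEN)   # raw bytes, not base64, go into PBKDF2
    # Assumption: the password is encoded as UTF-8 before hashing.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"hash": b64(digest), "salt": b64(salt), "iterations": ITERATIONS}


def check_salt(field: str) -> str:
    """Return 'ok' or the reason a <salt> value is unusable."""
    try:
        raw = unb64(field)
    except (binascii.Error, ValueError):
        return "not base64"
    return "ok" if len(raw) == SALT_LEN else f"decodes to {len(raw)} bytes"


def verify(password: str, entry: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 unb64(entry["salt"]), entry["iterations"])
    return hmac.compare_digest(digest, unb64(entry["hash"]))


def to_xml(entry: dict) -> str:
    return ('<password index="1"><hash>{hash}</hash>\n<salt>{salt}</salt>\n'
            '<iterations>{iterations}</iterations>\n</password>').format(**entry)
```

A 64-character hex string consists only of base64 alphabet characters, so it decodes without error, but to 48 bytes rather than 32, which is why `check_salt` reports a length problem for it rather than an encoding problem.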
Re: FileZilla Server 1.4.1: Adding users programmatically
Posted: 2024-03-18 10:09
by adesh7
@oibaf Thanks for this code snippet.
I am able to successfully create a user using PHP code and log in with that user.
Really appreciated.
Thanks a lot!