FileZilla 1.6.7 : How to programmatically create user using php

sujay k
500 Command not understood
Posts: 2
Joined: 2023-04-27 20:46
First name: Sujay
Last name: k

#1 Post by sujay k » 2023-04-27 21:25

We have recently upgraded our FileZilla server to 1.6.7 and our existing PHP code to create new FileZilla user using our PHP scripts needs modifications as we can no longer create a user by using MD5 on a given password. We need advice on how to create a user as we are stuck at proper salt & hash generation which will allow the newly created user to log in.

From the inputs I have gathered from this forum, I learned that the FileZilla password is hashed using pbkdf2 with hmac_sha256, then base64-encoded without padding, together with the random salt.

PHP Code:
$password = 'user_password';
$salt = base64_encode(random_bytes(32));
$algorithm = 'sha256';
$utf8EncodedPassword = utf8_encode($password);
$hashedPassword = hash_pbkdf2(
    $algorithm,
    $utf8EncodedPassword,
    $salt,
    10000,
    32,
    false
);

$hashedPassword=base64_encode($hashedPassword);

The resulting $hashedPassword and $salt are both about 43-44 (if padded using =) characters long.

When the updated users.xml is reloaded using "sc control filezilla-server paramchange" it reloads successfully; however, one cannot log in to FTP.

Can someone please guide us to fix this problem, as we suspect the method we have used to generate the hash and salt may not be the right way.

oibaf
Contributor
Posts: 405
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: FileZilla 1.6.7 : How to programmatically create user using php

#2 Post by oibaf » 2023-04-28 06:47

The salt must be passed in binary form to the hash_pbkdf2 function, and the output of hash_pbkdf2 must be binary.

Both the hash and the salt must then be converted to base64 and saved to the XML file.

Re: FileZilla 1.6.7 : How to programmatically create user using php

#3 Post by sujay k » 2023-04-28 10:27

Here's the uploaded code and it doesn't seem to like the password. Please advise.

function strigToBinary($string)
{
    $characters = str_split($string);
 
    $binary = [];
    foreach ($characters as $character) {
        $data = unpack('H*', $character);
        $binary[] = base_convert($data[1], 16, 2);
    }
 
    return implode(' ', $binary);    
}

$password = 'user_password';
$salt = random_bytes(32);
$binarysalt=strigToBinary($salt);
$algorithm = 'sha256';
$utf8EncodedPassword = utf8_encode($password);
$hashedPassword = hash_pbkdf2(
    $algorithm,
    $utf8EncodedPassword,
    $binarysalt,
    10000,
    32,
    true
);


echo "\n hash:".base64_encode($hashedPassword)."\nsalt:".base64_encode( $salt);

Re: FileZilla 1.6.7 : How to programmatically create user using php

#4 Post by oibaf » 2023-04-28 11:40

You don't really need the function strigToBinary, random_bytes already produces what you need. Also, iterations must be at least 100000 (one hundred thousand), not 10000 (ten thousand).
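The corrections from replies #2 and #4 combined into one script, as an added example that is not code posted in the thread or taken from the FileZilla project: the raw `random_bytes` salt goes straight into `hash_pbkdf2`, the output is binary, and the iteration count is 100000. The function names are hypothetical, the password is assumed to already be a UTF-8 string, padding is stripped as post #1 describes, and writing the values into users.xml is left out because the thread does not show that layout.

```php
<?php
declare(strict_types=1);

// Parameters as stated in the thread: PBKDF2-HMAC-SHA256, 32-byte salt,
// 32-byte derived key, at least 100000 iterations.
const FZ_ITERATIONS = 100000;
const FZ_SALT_BYTES = 32;
const FZ_HASH_BYTES = 32;

// Base64 without '=' padding (32 raw bytes become 43 characters).
function b64_nopad(string $raw): string
{
    return rtrim(base64_encode($raw), '=');
}

// Restore the padding before decoding so strict mode always accepts the input.
function b64_nopad_decode(string $text): string
{
    $padded = $text . str_repeat('=', (4 - strlen($text) % 4) % 4);
    $raw = base64_decode($padded, true);
    if ($raw === false) {
        throw new InvalidArgumentException('invalid base64 input');
    }
    return $raw;
}

// Hypothetical helper: derive the values to store for one user.
function fz_make_credentials(string $password, ?string $salt = null): array
{
    if (preg_match('//u', $password) !== 1) {      // reject non-UTF-8 input
        throw new InvalidArgumentException('password must be valid UTF-8');
    }
    $salt = $salt ?? random_bytes(FZ_SALT_BYTES);  // raw bytes, never base64 text
    $hash = hash_pbkdf2('sha256', $password, $salt, FZ_ITERATIONS, FZ_HASH_BYTES, true);
    return ['hash' => b64_nopad($hash), 'salt' => b64_nopad($salt), 'iterations' => FZ_ITERATIONS];
}

// Hypothetical self-check: recompute from the stored strings, compare in constant time.
function fz_verify(string $password, array $stored): bool
{
    $salt = b64_nopad_decode($stored['salt']);
    $hash = hash_pbkdf2('sha256', $password, $salt, (int) $stored['iterations'], FZ_HASH_BYTES, true);
    return hash_equals(b64_nopad_decode($stored['hash']), $hash);
}

$cred = fz_make_credentials('user_password');      // constructed sample password
echo "hash: {$cred['hash']}\nsalt: {$cred['salt']}\niterations: {$cred['iterations']}\n";
var_dump(fz_verify('user_password', $cred), fz_verify('wrong_password', $cred));
```

Running `fz_verify` on freshly generated values before reloading the server catches the base64-text-as-salt and hex-output mistakes seen in posts #1 and #3, since a round trip through the stored strings only succeeds when the salt used for hashing is the same raw byte string that was encoded.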
