We have recently upgraded our FileZilla server to 1.6.7, and our existing PHP code that creates new FileZilla users needs modification, as we can no longer create a user by using MD5 on a given password. We need advice on how to create a user, as we are stuck at proper salt & hash generation which will allow the newly created user to log in.
From the inputs I have gathered from this forum, I have learned that the FileZilla password is hashed using pbkdf2 with hmac_sha256, then base64-encoded without padding, together with the random salt.
PHP Code:
$password = 'user_password';
$salt = base64_encode(random_bytes(32));
$algorithm = 'sha256';
$utf8EncodedPassword = utf8_encode($password);
$hashedPassword = hash_pbkdf2(
    $algorithm,
    $utf8EncodedPassword,
    $salt,
    10000,
    32,
    false
);
$hashedPassword = base64_encode($hashedPassword);
The resulting $hashedPassword and $salt are both about 43-44 (if padded using =) characters long.
When the updated users.xml is reloaded using "sc control filezilla-server paramchange", it reloads successfully; however, one cannot log in to FTP.
Can someone please guide us to fix this problem? We suspect the method we have used to generate the hash and salt may not be the right way.
FileZilla 1.6.7 : How to programatically create user using php
Re: FileZilla 1.6.7 : How to programatically create user using php
The salt must be passed in binary form to the hash_pbkdf2 function, and the output of hash_pbkdf2 must be binary.
Both the hash and the salt must then be converted to base64 and saved to the xml file.
Re: FileZilla 1.6.7 : How to programatically create user using php
Here's the updated code, and it doesn't seem to like the password. Please advise.
Code:
function strigToBinary($string)
{
    $characters = str_split($string);
    $binary = [];
    foreach ($characters as $character) {
        $data = unpack('H*', $character);
        $binary[] = base_convert($data[1], 16, 2);
    }
    return implode(' ', $binary);
}

$password = 'user_password';
$salt = random_bytes(32);
$binarysalt = strigToBinary($salt);
$algorithm = 'sha256';
$utf8EncodedPassword = utf8_encode($password);
$hashedPassword = hash_pbkdf2(
    $algorithm,
    $utf8EncodedPassword,
    $binarysalt,
    10000,
    32,
    true
);
echo "\n hash:" . base64_encode($hashedPassword) . "\nsalt:" . base64_encode($salt);
Re: FileZilla 1.6.7 : How to programatically create user using php
You don't really need the function strigToBinary, random_bytes already produces what you need. Also, iterations must be at least 100000 (one hundred thousand), not 10000 (ten thousand).
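
The corrections from the replies above (raw salt, raw PBKDF2 output, at least 100000 iterations) put together, as an added example that is not part of the original thread and not FileZilla project code. Function and constant names are hypothetical; stripping the base64 padding follows the question's description of the stored format, and the password is assumed to be UTF-8 already.

```php
<?php
// Added example. makeCredential/checkCredential/b64NoPad are hypothetical names.
const FZ_ITERATIONS = 100000; // the thread: at least 100000, not 10000
const FZ_KEY_BYTES  = 32;     // 32-byte derived key, as in the posted code

// Base64 without '=' padding, as the question describes the stored values.
function b64NoPad(string $raw): string
{
    return rtrim(base64_encode($raw), '=');
}

// Derive the salt/hash pair for a new user.
// Assumption: $password is already a UTF-8 string.
function makeCredential(string $password, ?string $salt = null): array
{
    $salt = $salt ?? random_bytes(32); // raw bytes go into PBKDF2 unchanged
    $hash = hash_pbkdf2('sha256', $password, $salt, FZ_ITERATIONS, FZ_KEY_BYTES, true);
    return [
        'salt'       => b64NoPad($salt),
        'hash'       => b64NoPad($hash),
        'iterations' => FZ_ITERATIONS,
    ];
}

// Re-derive from the stored values and compare in constant time.
function checkCredential(string $password, array $cred): bool
{
    $salt = base64_decode($cred['salt'], true); // decode back to raw bytes
    if ($salt === false) {
        return false;
    }
    $hash = hash_pbkdf2('sha256', $password, $salt, $cred['iterations'], FZ_KEY_BYTES, true);
    return hash_equals($cred['hash'], b64NoPad($hash));
}

$cred = makeCredential('user_password');
printf("salt: %s\nhash: %s\n", $cred['salt'], $cred['hash']);
var_dump(checkCredential('user_password', $cred));

// The first posted variant, for comparison: the salt is base64 text when it
// reaches PBKDF2, the output is hex (32 hex digits = 16 bytes), 10000 rounds.
$rawSalt = base64_decode($cred['salt'], true);
$firstTry = hash_pbkdf2('sha256', 'user_password', base64_encode($rawSalt), 10000, 32, false);
var_dump(hash_equals($cred['hash'], b64NoPad($firstTry)));
```

The first `var_dump` shows the stored pair verifying against the same password; the second shows that the variant from the first post yields a different value even with the same salt bytes.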