Salted passwords in proftpd

I just set up proftpd for chrooted virtual users authing off of MySQL for password/SSH keys.

The trick, if you want to use salted passwords, is to ignore the OpenSSL SQLAuthTypes value.

Nothing I tried would use salted passwords with that. Instead, I told it to do the following:

SQLPasswordEncoding base64
SQLPasswordEngine on
SQLAuthenticate users groups groupsetfast
SQLAuthTypes SHA1
SQLNamedQuery get-user-salt SELECT "userid FROM users WHERE userid = '%{0}'"
SQLPasswordUserSalt sql:/get-user-salt append

You can generate an example of this salted password by appending the username to the password, taking the SHA-1 digest, Base64-encoding it, and using the result in the DB.

/bin/echo -n "passwordusername" | openssl dgst -binary -sha1 | openssl enc -base64

Note that using the username as the salt is pretty lame. You might want to do something else in a production system.
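
The stored value that the configuration above compares against, computed in Python rather than with openssl, as an added example that is not part of the original post. The `salt` column, the row layout and the hex-text random salt are assumptions; with a random salt, the get-user-salt query would select that column instead of userid.

```python
import base64
import hashlib
import hmac
import secrets


def stored_value(password: str, salt: str) -> str:
    """base64(SHA1(password + salt)): salt appended, digest Base64-encoded."""
    digest = hashlib.sha1((password + salt).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(password: str, salt: str, stored: str) -> bool:
    """Recompute the value for a login attempt and compare in constant time."""
    return hmac.compare_digest(stored_value(password, salt), stored)


def new_salt(nbytes: int = 16) -> str:
    """Random per-user salt as hex text, for a hypothetical 'salt' column."""
    return secrets.token_hex(nbytes)


def provision(userid: str, password: str, random_salt: bool) -> dict:
    """Build the row for one user (constructed layout, not the post's schema)."""
    salt = new_salt() if random_salt else userid
    return {"userid": userid, "salt": salt, "passwd": stored_value(password, salt)}


if __name__ == "__main__":
    # Constructed sample: the same account created on two separate servers.
    for random_salt in (False, True):
        a = provision("username", "password", random_salt)
        b = provision("username", "password", random_salt)
        print("random salt" if random_salt else "username salt",
              a["passwd"], b["passwd"], "identical:", a["passwd"] == b["passwd"])
```

With the username as salt, the two rows carry the same hash, so one precomputed guess covers that account everywhere it exists; with a random salt the hashes differ.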
