headers
Christian Hammers | 29 Jun 2012 16:16
Picon
Favicon

[Proftpd-user] Migration encrypted passwords from to SHA-512 based crypt() with mod_sql?

Hello

I'd like to migrate a password database that's currently accessed with mod_sql
from a weak hash algorithm to SHA-512 based crypt().

As proftpd receives the current password on every login in plaintext, a silent
migration should be possible for at least the 90% of active users in relatively
short time.

Problem is that I don't quite know where I can find a hook for the UPDATE 
query as the session structure does not save it for obvious reasons and it
is thus not available for SQLLog.

My best idea so far (due to little C knowledge) was to patch sql_auth_crypt()
to the write username and the re-encrypted password to a named pipe file 
where a little perl script listens to request and updates the database.

Any better ideas?

bye,

-christian-

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
(Continue reading)

Permalink | Reply |
headers
TJ Saunders | 29 Jun 2012 18:05

Re: [Proftpd-user] Migration encrypted passwords from to SHA-512 based crypt() with mod_sql?


> I'd like to migrate a password database that's currently accessed with 
> mod_sql from a weak hash algorithm to SHA-512 based crypt().
> 
> As proftpd receives the current password on every login in plaintext, a silent
> migration should be possible for at least the 90% of active users in relatively
> short time.
> 
> Problem is that I don't quite know where I can find a hook for the UPDATE 
> query as the session structure does not save it for obvious reasons and it
> is thus not available for SQLLog.
> 
> My best idea so far (due to little C knowledge) was to patch 
> sql_auth_crypt() to the write username and the re-encrypted password to 
> a named pipe file where a little perl script listens to request and 
> updates the database.
> 
> Any better ideas?

The mod_sql_passwd module can be used to help with this:

  http://www.proftpd.org/docs/contrib/mod_sql_passwd.html

With this module enabled in your proftpd, you can then configure mod_sql 
to try an SHA512 auth type first, then fall back to its current auth type, 
e.g.:

  <IfModule mod_sql.c>
    ...
(Continue reading)

Permalink | Reply |
headers
Christian Hammers | 29 Jun 2012 18:33
Picon
Favicon

Re: [Proftpd-user] Migration encrypted passwords from to SHA-512 based crypt() with mod_sql?

Hello

On Fri, 29 Jun 2012 09:05:44 -0700 (PDT)
TJ Saunders <tj <at> castaglia.org> wrote:

> 
> > I'd like to migrate a password database that's currently accessed with 
> > mod_sql from a weak hash algorithm to SHA-512 based crypt().
> > 
> > As proftpd receives the current password on every login in plaintext, a silent
> > migration should be possible for at least the 90% of active users in relatively
> > short time.
> > 
> > Problem is that I don't quite know where I can find a hook for the UPDATE 
> > query as the session structure does not save it for obvious reasons and it
> > is thus not available for SQLLog.
> > 
> > My best idea so far (due to little C knowledge) was to patch 
> > sql_auth_crypt() to the write username and the re-encrypted password to 
> > a named pipe file where a little perl script listens to request and 
> > updates the database.
> > 
> > Any better ideas?
> 
> The mod_sql_passwd module can be used to help with this:
> 
>   http://www.proftpd.org/docs/contrib/mod_sql_passwd.html
> 
> With this module enabled in your proftpd, you can then configure mod_sql 
> to try an SHA512 auth type first, then fall back to its current auth type,
(Continue reading)

Permalink | Reply |
headers
TJ Saunders | 29 Jun 2012 18:39

Re: [Proftpd-user] Migration encrypted passwords from to SHA-512 based crypt() with mod_sql?


> That's not the problem: the SQLAuthType Crypt already understands SHA-512
> based passwords (starting with "$6$") as well as DES, MD5 and SHA-256 based
> ones.

Ah.  That sounds like your platform's crypt(3) support -- not everyone's 
SQLAuthType Crypt will support that.  (Just pointing this out for the 
benefits of others on the list.)

> My problem is that I want to *overwrite* them in my database with e.g.:
>  UPDATE ftpusers SET password = $sha512hash WHERE username = $user;

Why would you want to do the above within proftpd itself?  It sounds like 
you can simply write a SQL script, and run it against your database, 
without needing to change anything with your proftpd configuration.

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   We shall not cease from exploration
   And the end of all our exploring
   Will be to arrive where we started
   And know the place for the first time.

     -T.S. Eliot

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------------------------------------------------------
(Continue reading)

Permalink | Reply |
headers
Christian Hammers | 30 Jun 2012 13:41
Picon
Favicon

Re: [Proftpd-user] Migration encrypted passwords from to SHA-512 based crypt() with mod_sql?

Am Fri, 29 Jun 2012 09:39:10 -0700 (PDT)
schrieb TJ Saunders <tj <at> castaglia.org>:

> 
> > That's not the problem: the SQLAuthType Crypt already understands
> > SHA-512 based passwords (starting with "$6$") as well as DES, MD5
> > and SHA-256 based ones.
> 
> Ah.  That sounds like your platform's crypt(3) support -- not
> everyone's SQLAuthType Crypt will support that.  (Just pointing this
> out for the benefits of others on the list.)
> 
> > My problem is that I want to *overwrite* them in my database with
> > e.g.: UPDATE ftpusers SET password = $sha512hash WHERE username =
> > $user;
> 
> Why would you want to do the above within proftpd itself?  It sounds
> like you can simply write a SQL script, and run it against your
> database, without needing to change anything with your proftpd
> configuration.

I only have password hashes in the database, to re-encrypt them
with a different algorithm I need the cleartext password.
Thus, either all users would have to re-enter it on a website or
I tap them when they log in.

bye,

-christian-
(Continue reading)

Permalink | Reply |
headers
TJ Saunders | 13 Jul 2012 02:06

Re: [Proftpd-user] Migration encrypted passwords from to SHA-512 based crypt() with mod_sql?


> I only have password hashes in the database, to re-encrypt them with a 
> different algorithm I need the cleartext password. Thus, either all 
> users would have to re-enter it on a website or I tap them when they log 
> in.

Hmm.  I see the problem.

The proftpd modules I've written go out of their way to ensure that they 
never log the password, they avoid handling the password whenever 
possible, and if they do handle the password, it's for as little time as 
possible.

This means that for your particular use case, there is no existing proftpd 
module which would help.  Such a module would need to be developed.

Are there others out there who would also benefit from such a module, i.e. 
one that could possibly interact with mod_sql_passwd in order to help 
migrate password hashing schemes in SQL tables?  If so, I'd be willing to 
work on such a thing...

TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Everywhere one seeks to produce meaning, to make the world
   signify, to render it visible.  We are not, however, in danger
   of lacking meaning; quite the contrary, we are gorged with
   meaning and it is killing us.
(Continue reading)

Permalink | Reply |
headers
Christian Hammers | 13 Jul 2012 10:47
Picon
Favicon

Re: [Proftpd-user] Migration encrypted passwords from to SHA-512 based crypt() with mod_sql?

On Thu, 12 Jul 2012 17:06:49 -0700 (PDT)
TJ Saunders <tj <at> castaglia.org> wrote:

> 
> > I only have password hashes in the database, to re-encrypt them with a 
> > different algorithm I need the cleartext password. Thus, either all 
> > users would have to re-enter it on a website or I tap them when they log 
> > in.
> 
> Hmm.  I see the problem.
> 
> The proftpd modules I've written go out of their way to ensure that they 
> never log the password, they avoid handling the password whenever 
> possible, and if they do handle the password, it's for as little time as 
> possible.
> 
> This means that for your particular use case, there is no existing proftpd 
> module which would help.  Such a module would need to be developed.
> 
> Are there others out there who would also benefit from such a module, i.e. 
> one that could possibly interact with mod_sql_passwd in order to help 
> migrate password hashing schemes in SQL tables?  If so, I'd be willing to 
> work on such a thing...

With "others" you mean other modules? I've seen crypt(3) passwords in flat
text files, .bdb files and LDAP databases so not only in SQL although the
update process would be more easy here.

As the proftpd backend has maybe only a readonly user configured, a general
approach could be to call an external shell script from mod_auth.c and pass
(Continue reading)

Permalink | Reply |
headers
TJ Saunders | 13 Jul 2012 18:27

Re: [Proftpd-user] Migration encrypted passwords from to SHA-512 based crypt() with mod_sql?


> With "others" you mean other modules?

Sorry -- by "others" I was asking whether there are other proftpd admins, 
lurking on this list, who might also have the same need (i.e. to change 
from one SQL password storage format to another format).

> As the proftpd backend has maybe only a readonly user configured, a general
> approach could be to call an external shell script from mod_auth.c and pass
> username and password on stdin. That would be flexible at least.

Harder to do properly, though.  Part of the authentication process 
involves the chroot step; once a process has been chrooted, that external 
shell script will probably not be accessible.  (This issue crops up for 
people using the mod_exec module.)

> One SQL centric idea I had was to add another AuthType in mod_sql.c.
> With "backend" in mod_sql_mysql.c's cmd_checkauth() there already is a 
> function that has the plaintext password as well a working database connection
> so it could be a base for an AuthType "migrate". As all AuthTypes are tried
> until one succeedes, it could be added in front of "Crypt" in the config.
> (My C is just slightly too bad to do it myself)

Any module which wanted to migrate the password stored in a SQL table 
would need to know the new format, and how to convert the given plaintext 
password into the new format.  And it's possible that some sites would 
want different formats for different subsets of users/accounts.  That's 
why I'm envisioning a mod_sql-related module which would be devoted solely 
to handle the password migration issue -- but only if such a module would 
be useful/needed by enough proftpd users out there to warrant the
(Continue reading)

Permalink | Reply |
headers
Christian Hammers | 29 Aug 2012 17:52
Picon
Favicon

Re: [Proftpd-user] Migration encrypted passwords from to SHA-512 based crypt() with mod_sql?

On Fri, 13 Jul 2012 09:27:27 -0700 (PDT)
TJ Saunders <tj <at> castaglia.org> wrote:

...
> > One SQL centric idea I had was to add another AuthType in mod_sql.c.
> > With "backend" in mod_sql_mysql.c's cmd_checkauth() there already is a 
> > function that has the plaintext password as well a working database connection
> > so it could be a base for an AuthType "migrate". As all AuthTypes are tried
> > until one succeedes, it could be added in front of "Crypt" in the config.
> > (My C is just slightly too bad to do it myself)
> 
> Any module which wanted to migrate the password stored in a SQL table 
> would need to know the new format, and how to convert the given plaintext 
> password into the new format.  And it's possible that some sites would 
> want different formats for different subsets of users/accounts.  That's 
> why I'm envisioning a mod_sql-related module which would be devoted solely 
> to handle the password migration issue -- but only if such a module would 
> be useful/needed by enough proftpd users out there to warrant the 
> development time.

Just in case anybody else is having the same desire, the way I solved it
was to use a local RADIUS server that gets queries for every authentication
but whose answer is then ignored (note the "*" after mod_sql.c!):

	AuthOrder                       mod_radius.c mod_sql.c*
	RadiusEngine On
	RadiusAuthServer localhost:1812 xxx 1

Using Radiator or Perl's RADIUS::Packet you one can then easily write
something that extracts username and plaintext passwords to update
(Continue reading)

Permalink | Reply |

Gmane