Froxlor Forum
Meth0d

Password hashing problems

Question

When I use SHA 512 passwords in froxlor they (sometimes) don't seem to be written correctly into the froxlor DB; they appear to be "cut off".

Example: I set an FTP account for my user "test" to "Password0815!" with SHA 512 selected and it results in "$6$79lV@Ef", which is obviously way too short.

Further testing shows that this is unrelated to SHA512; any encryption setting will do this, it just appears to happen more often with SHA 512.

"Sometimes" the full hash appears in my froxlor DB, and then (just updating an FTP user password with the SAME password again) the hash is cut off and hence the user can't log in. I can do that 6 times and at least 2 times the hash is cut off.

I am not quite sure how I can investigate this further; any hints are appreciated.

System is deb 7 with nginx + php-fpm

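A structural check that flags cut-off or failed password values like the ones reported in this thread, as an added example that is not part of the original posts or of Froxlor's code. The names `classify`, `audit` and `SAMPLE_ROWS` are hypothetical, the row labels are constructed, and the last sample is a placeholder string with the right shape, not a real hash.

```python
import re

B64 = r"[./0-9A-Za-z]"  # alphabet crypt(3) uses for salts and digests

# Scheme digit -> (label, pattern the complete stored string must match).
FORMATS = {
    "1": ("MD5-crypt", re.compile(rf"\$1\${B64}{{1,8}}\${B64}{{22}}")),
    "5": ("SHA-256-crypt",
          re.compile(rf"\$5\$(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{43}}")),
    "6": ("SHA-512-crypt",
          re.compile(rf"\$6\$(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{86}}")),
    "2": ("bcrypt", re.compile(rf"\$2[abxy]?\$\d{{2}}\${B64}{{53}}")),
}

def classify(stored):
    """Return 'ok', or the reason a stored value can never verify a login."""
    if stored in ("*0", "*1"):          # what PHP's crypt() returns on failure
        return "crypt-failure-token"
    m = re.match(r"\$([0-9])[a-z]?\$", stored)
    if not m:
        return "not-modular-crypt"      # e.g. a bare hex digest
    if m.group(1) not in FORMATS:
        return "unknown-scheme"
    label, pattern = FORMATS[m.group(1)]
    # fullmatch: a truncated digest or a salt with characters outside
    # the crypt alphabet both fail here.
    return "ok" if pattern.fullmatch(stored) else f"malformed-{label}"

def audit(rows):
    """rows: iterable of (username, stored_value). Returns only the bad ones."""
    return {user: verdict
            for user, stored in rows
            if (verdict := classify(stored)) != "ok"}

# Values quoted in the thread, plus one constructed well-formed placeholder.
SAMPLE_ROWS = [
    ("ftp-test", "$6$79lV@Ef"),                         # cut-off value from the question
    ("crypt-result", "*0"),                             # crypt() result quoted below
    ("salt-only", "$2y$07$"),                           # prefix without salt or digest
    ("hex-digest", "0040f2abc2cff0c8f59883b99ae9fab6"), # 32 hex chars, no scheme prefix
    ("placeholder", "$6$" + "s" * 16 + "$" + "A" * 86), # constructed, shape only
]

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_ROWS).items():
        print(f"{user}: {verdict}")
```

Running `audit` over a dump of the password column after each change shows whether a bad value was written at all, which separates a storage problem from a login-side one.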

2 answers to this question


  • Similar Content

    • By martinr
      Hello,
       
      I recently installed Froxlor on a Debian 8 with PHP7. So far so good; apart from Let's Encrypt everything is working (I have seen that there are many threads about it here, but have not yet had time to look into it).
       
      Now it has happened that I suddenly can no longer log in (with my admin).
       
      I reset the password twice (link via mail), nothing. I look into the code and the following happens: (in validatePasswordLogin)
      $pwd_check = crypt($password, $pwd_salt); always returns "*0" (without quotation marks). I read out $pwd_salt and ran crypt with it locally; I get this result for every password.
       
      $pwd_salt has the value "$2y$07$".
       
      BLOWFISH is selected as the encryption method, and password_verify with the value stored in the database also returns the desired result
    • By senya
      I've installed Froxlor on Debian 8 and followed all of the instructions in the configuration section of the management panel
      I've created a new customer and created a domain under them
      I've logged in as the customer and created a new email address and made it an account
      I've installed afterlogic webmail in the domain's document root
      Afterlogic (webmail) gives the error "incorrect username or password" when I try to log in
       
      I've tried adding the account in an email client (mail on windows 10), same error
      My DNS and MX settings are correct
       
      It seems like the mail account is just not there, even though it's set up in froxlor
       
      The username and password have been created in MySQL database "froxlor" in table "mail_users"
       
      I don't know what to do next, or even what question to ask
      Any suggestions on how I should proceed with troubleshooting
    • By Thomas_B
      Hi,
       
      I want to give my customers the possibility to change their EMail passwords on their own (EMail Users do not have a froxlor account). 
      The credentials are stored in "mail_users " but I have problems identifying the encryption method.
       
      The format as I understand it is.
      $1$SALT$MD5HASH
       
      I tried
      "Salt"+"Password" and "Password"+"Salt" but I get different hashes than those in the database.
    • By oedwards0088
      Hi,
       
      I was unable to find much help with this and with a little and nervous trial and error the below will change a lost Admin password to 'Password!'
       
      - mysql -u root -p
       - Enter in the root SQL password
       
      - USE froxlor
      - show tables;
       
      Make sure you can see panel_admins
       
      - describe panel_admins;  (This is not necessary but will show you the table layout)
      - select loginname from panel_admins; (This is not necessary but will list the admin usernames, Admin is default)
      - select * from panel_admins; (This is not necessary but will show you all data from the panel_admins table)
       
      To change the Admin username enter the below on one line;
       
      UPDATE `panel_admins` SET `password` = '0040f2abc2cff0c8f59883b99ae9fab6' WHERE `panel_admins`.`loginname` = 'Admin';
       
      This will set the password to 'Password!' for the admin username.
       
      Hope this helps someone....
    • By RudolfFiedler
      Hello everyone,
      I hope I am in the right place here.
      I am currently using froxlor 0.9.31 on my server.
      I now constantly need new FTP accounts for a customer, and I need to be able to create, change and delete them through a PHP script, as automated as possible.
      Of course I would prefer to have these users run through froxlor, not directly in Linux, e.g. via adduser and so on...
       
      The ftp_users table itself has a relatively simple structure; my (currently) only problem is generating the password.
      I have not (yet) understood how Froxlor, or rather ftp, does the check, since for one and the same password a different encrypted password comes out every time.
       
      I would need a PHP tool (class, collection of functions) with which I can handle the tasks mentioned above.
      It may of course cost something too...
      Information by PM please, thank you very much.
       
      Rudi