From: TJ S. <tj...@ca...> - 2012-06-29 16:05:55
> I'd like to migrate a password database that's currently accessed with
> mod_sql from a weak hash algorithm to SHA-512 based crypt().
>
> As proftpd receives the current password on every login in plaintext, a silent
> migration should be possible for at least the 90% of active users in relatively
> short time.
>
> Problem is that I don't quite know where I can find a hook for the UPDATE
> query as the session structure does not save it for obvious reasons and it
> is thus not available for SQLLog.
>
> My best idea so far (due to little C knowledge) was to patch
> sql_auth_crypt() to write the username and the re-encrypted password to
> a named pipe file where a little perl script listens to requests and
> updates the database.
>
> Any better ideas?

The mod_sql_passwd module can be used to help with this:

  http://www.proftpd.org/docs/contrib/mod_sql_passwd.html

With this module enabled in your proftpd, you can then configure mod_sql
to try an SHA512 auth type first, then fall back to its current auth type,
e.g.:

  <IfModule mod_sql.c>
    ...
    SQLAuthTypes SHA512 Backend Crypt
  </IfModule>

When authenticating users, the mod_sql module will try each of the
configured "auth types" in order. That way, you can migrate some of your
users as you go, and it should "just work" for both migrated and unmigrated
users.

Hope this helps,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Axioms in philosophy are not axioms until they are proved upon our
pulses: we read fine things but never feel them to the full until we
have gone the same steps as the author.

    John Keats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
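The following is an added example, not part of the original message and not ProFTPD code: a sketch of the rehash-on-login flow the question describes, combined with the ordered "strongest first, then fall back" check from the reply. Assumptions: the legacy format is unsalted hex MD5 (the post only says "weak hash"), PBKDF2-HMAC-SHA512 stands in for SHA-512 crypt(), and the `users`/`userid`/`passwd` names and the `pbkdf2$` storage prefix are hypothetical.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 100_000  # assumed work factor for the stand-in KDF

def legacy_hash(password):
    # Assumption: legacy rows hold an unsalted hex MD5 digest
    return hashlib.md5(password.encode()).hexdigest()

def strong_hash(password, salt=None):
    # Stand-in for SHA-512 crypt(): salted PBKDF2, stored as pbkdf2$<salt>$<digest>
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"

def verify_strong(password, stored):
    try:
        tag, salt_hex, _ = stored.split("$")
        if tag != "pbkdf2":
            return False
        expected = strong_hash(password, bytes.fromhex(salt_hex))
    except ValueError:  # row is not in the new format
        return False
    return hmac.compare_digest(expected.encode(), stored.encode())

def verify_legacy(password, stored):
    return hmac.compare_digest(legacy_hash(password).encode(), stored.encode())

# Tried in order, strongest first, so migrated and unmigrated rows both verify
AUTH_TYPES = [("strong", verify_strong), ("legacy", verify_legacy)]

def login(db, user, password):
    """Return the auth type that matched, or None; upgrade legacy rows on success."""
    row = db.execute("SELECT passwd FROM users WHERE userid = ?", (user,)).fetchone()
    if row is None:
        return None
    for name, verify in AUTH_TYPES:
        if verify(password, row[0]):
            if name == "legacy":
                # The plaintext is only available at login, so re-hash it now
                db.execute("UPDATE users SET passwd=? WHERE userid=?", (strong_hash(password), user))
                db.commit()
            return name
    return None

def demo_db():
    # Constructed sample data: one user still stored in the legacy format
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, passwd TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", legacy_hash("s3cret")))
    return db
```

Once no rows in the legacy format remain (or the remaining accounts have been forced through a reset), the legacy entry can be dropped from the ordered list so the weak format is no longer accepted.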