10

I am setting up a server with vsftpd to let virtual users access their space. Now it is fully working but only with CRYPT passwords. So

sudo htpasswd -c /etc/vsftpd/ftpd.passwd phpmyadmin

will not allow me to log in, but

sudo htpasswd -c -d /etc/vsftpd/ftpd.passwd phpmyadmin

will.

/etc/vsftpd.conf

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
nopriv_user=vsftpd
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER
local_root=/var/www/vhosts/$USER.universe.local
chroot_local_user=YES
hide_ids=YES
guest_username=vsftpd

/etc/pam.d/vsftpd

auth required pam_pwdfile.so pwdfile /etc/vsftpd/ftpd.passwd crypt=2
account required pam_permit.so crypt=2

I installed apache2.4.3 from source as well as PHP.

Things I've tried:

  • Google a lot
  • Set crypt=2
  • ask friends
  • use SHA (doesn't work either)
  • update htpasswd and vsftpd

I have been struggling with this for a week now, I hope u guys can help me further.

Castaglia
Marco

3 Answers

14

htpasswd generates MD5 hashes in the Apache format, which you can verify by seeing that they start with $apr1$, but PAM only supports formats that your platform's implementation of crypt(3) implements. For Glibc, the equivalent (MD5-based) would be $1$. You just need to generate the passwords with a different tool. Here's an example:

sh$ openssl passwd -1
Password: 
Verifying - Password: 
$1$vhzHvIYn$2Ro.R0WdLnxrWjHcs5RbA/

You can copy this hash into your ftpd.passwd file in the username:hash format, and it should work.

bonsaiviking
  • Thank you so much for helping me with this! It worked! Can I make PAM support Apache's MD5 version? – Marco Nov 20 '12 at 00:20
  • Looking at the pam_pwdfile code, it looks like you'd have to write the support in and recompile. It even contains an entire implementation of the `$1$` MD5 password hash, all the way down to the MD5 primitive, so it's not fully `crypt`-aware. – bonsaiviking Nov 20 '12 at 03:35
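
An added example, not part of the answer above or of pam_pwdfile itself: a POSIX shell audit that classifies each entry of an ftpd.passwd-style file by hash prefix and marks it with what this thread reports for pam_pwdfile (`$1$` and traditional crypt accepted, `$apr1$` and `{SHA}` rejected). The function names and sample users are assumptions, and any scheme the thread does not cover is reported as unverified.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pam_pwdfile password file.
# Verdicts encode only what the answers and comments in this thread report.

# classify_hash HASH -> prints "<scheme> <verdict>"
classify_hash() {
    h=$1
    case $h in
        '$1$'*)    echo 'md5-crypt ok' ;;             # openssl passwd -1
        '$apr1$'*) echo 'apache-md5 rejected' ;;      # htpasswd default or -m
        '{SHA}'*)  echo 'apache-sha1 rejected' ;;     # htpasswd -s
        '$'*)      echo 'other-modular unverified' ;; # not tested in the thread
        *[!./0-9A-Za-z]*) echo 'unknown unverified' ;;
        *)  # traditional DES crypt(3) is exactly 13 chars of [./0-9A-Za-z]
            if [ "${#h}" -eq 13 ]; then
                echo 'des-crypt ok'                   # htpasswd -d
            else
                echo 'unknown unverified'
            fi ;;
    esac
}

# audit_pwdfile FILE -> "<user> <scheme> <verdict>" per entry;
# returns 1 if any entry is not "ok", so it can gate a deploy script.
audit_pwdfile() {
    rc=0
    while IFS=: read -r user hash _rest || [ -n "$user" ]; do
        case $user in ''|'#'*) continue ;; esac
        result=$(classify_hash "$hash")
        echo "$user $result"
        case $result in *' ok') ;; *) rc=1 ;; esac
    done < "$1"
    return "$rc"
}

# write_sample FILE -> constructed sample; the $1$ and $apr1$ hashes are the
# ones quoted in the answers, the other two values are made-up placeholders.
write_sample() {
    cat > "$1" <<'EOF'
alice:$1$vhzHvIYn$2Ro.R0WdLnxrWjHcs5RbA/
test:$apr1$GTYtpKS1$Jyfgu42kDspxdJTPPzSOY.
bob:abJnggxhB/yWI
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
EOF
}
```

Running `audit_pwdfile /etc/vsftpd/ftpd.passwd` after regenerating entries shows at a glance which users still carry an Apache-format hash and would fail to log in.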
6

Expanding on @bonsaiviking's answer you can generate the openssl md5 password and add it to the ftpd.passwd file in one line using htpasswd's batch mode -b, and plaintext -p options as follows:

htpasswd -c -p -b ftpd.passwd *username* $(openssl passwd -1 -noverify *password*)

The example above (Ubuntu) also creates a new ftpd.passwd file if it doesn't exist using -c

jnolan517
  • htpasswd outputs: "Warning: storing passwords as plain text might just not work on this platform." I guess that's because it *thinks* that it's indeed a plain text one but in fact it's the hash generated by the openssl. Using this approach to generate passwords worked with vsftp. – Svetoslav Marinov Apr 05 '15 at 19:45
  • Right, htpasswd may generate that warning b/c you're passing the MD5 hash as a plain text string. – jnolan517 Apr 06 '15 at 20:34
  • Made script to do this based on this - grab here https://gist.github.com/bmatthewshea/53ed5148f09dfed50cebd10650ca551b – B. Shea Jul 05 '16 at 14:04
1

The two commands that you show are equivalent because the -d option tells htpasswd to use crypt which is the default for most operating systems.

If you want passwords hashed with md5 then you should use -m

sudo htpasswd -m /etc/vsftpd/vsftpd.passwd test
New password:
Re-type new password:
Adding password for user test
grep test /etc/vsftpd/vsftpd.passwd
test:$apr1$GTYtpKS1$Jyfgu42kDspxdJTPPzSOY.

Which shows that test's password has been encrypted using md5.

user9517
  • He must be using a different version of htpasswd, since he gets different results with and without `-d`. – bonsaiviking Nov 19 '12 at 20:59
  • As mentioned this DOES NOT work with vsftp - it generates apache style md5's. per above ^ http://serverfault.com/a/450220/92023 – B. Shea Jul 05 '16 at 13:59