pure-ftpd compatible password hashes for ftp users

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>

install/froxlor.sql.php

@@ -42,7 +42,8 @@ CREATE TABLE `ftp_users` (
   `username` varchar(255) NOT NULL,
   `uid` int(5) NOT NULL default '0',
   `gid` int(5) NOT NULL default '0',
-  `password` varchar(128) NOT NULL,
+  `password` varchar(255) NOT NULL,
+  `password_compat` varchar(255) NOT NULL,
   `homedir` varchar(255) NOT NULL default '',
   `shell` varchar(255) NOT NULL default '/bin/false',
   `login_enabled` enum('N','Y') NOT NULL default 'N',
@@ -65,8 +66,8 @@ CREATE TABLE `mail_users` (
   `id` int(11) NOT NULL auto_increment,
   `email` varchar(255) NOT NULL default '',
   `username` varchar(255) NOT NULL default '',
-  `password` varchar(128) NOT NULL default '',
+  `password` varchar(255) NOT NULL default '',
-  `password_enc` varchar(128) NOT NULL default '',
+  `password_enc` varchar(255) NOT NULL default '',
   `uid` int(11) NOT NULL default '0',
   `gid` int(11) NOT NULL default '0',
   `homedir` varchar(255) NOT NULL default '',

install/updates/froxlor/update_2.x.inc.php

@@ -68,6 +68,14 @@ if (Froxlor::isFroxlorVersion('0.10.38')) {
 	Database::query($sql);
 	// new customer allowed_mysqlserver field
 	Database::query("ALTER TABLE `" . TABLE_PANEL_CUSTOMERS . "` ADD `allowed_mysqlserver` varchar(500) NOT NULL default '[0]';");
+	// ftp_users adjustments
+	Database::query("ALTER TABLE `" . TABLE_FTP_USERS . "` CHANGE `password` varchar(255) NOT NULL default '';");
+	Database::query("ALTER TABLE `" . TABLE_FTP_USERS . "` ADD `password_compat` varchar(255) NOT NULL default '' AFTER `password`;");
+	// update existing entries
+	Database::query("UPDATE `" . TABLE_FTP_USERS . "` SET `password_compat` = `password`;");
+	// mail_users adjustments
+	Database::query("ALTER TABLE `" . TABLE_MAIL_USERS . "` CHANGE `password` varchar(255) NOT NULL default '';");
+	Database::query("ALTER TABLE `" . TABLE_MAIL_USERS . "` CHANGE `password_enc` varchar(255) NOT NULL default '';");
 	Update::lastStepStatus(0);
 
 	Update::showUpdateStep("Checking for multiple mysql-servers to allow acccess to customers for existing databases");

lib/Froxlor/Api/Commands/Ftps.php

@@ -173,15 +173,17 @@ class Ftps extends ApiCommand implements ResourceEntity
 			} else {
 				$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path);
 				$cryptPassword = Crypt::makeCryptPassword($password, false, true);
+				$cryptPasswordCompat = Crypt::makeCryptPassword($password, true, true);
 
 				$stmt = Database::prepare("INSERT INTO `" . TABLE_FTP_USERS . "`
-						(`customerid`, `username`, `description`, `password`, `homedir`, `login_enabled`, `uid`, `gid`, `shell`)
+						(`customerid`, `username`, `description`, `password`, `password_compat`, `homedir`, `login_enabled`, `uid`, `gid`, `shell`)
-						VALUES (:customerid, :username, :description, :password, :homedir, 'y', :guid, :guid, :shell)");
+						VALUES (:customerid, :username, :description, :password, :passwordc, :homedir, 'y', :guid, :guid, :shell)");
 				$params = [
 					"customerid" => $customer['customerid'],
 					"username" => $username,
 					"description" => $description,
 					"password" => $cryptPassword,
+					"passwordc" => $cryptPasswordCompat,
 					"homedir" => $path,
 					"guid" => $customer['guid'],
 					"shell" => $shell
@@ -442,16 +444,18 @@ class Ftps extends ApiCommand implements ResourceEntity
 				Response::standardError('passwordshouldnotbeusername', '', true);
 			}
 			$cryptPassword = Crypt::makeCryptPassword($password, false, true);
+			$cryptPasswordCompat = Crypt::makeCryptPassword($password, true, true);
 
 			$stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "`
-				SET `password` = :password
+				SET `password` = :password, `password_compat` = :passwordc
 				WHERE `customerid` = :customerid
 				AND `id` = :id
 			");
 			Database::pexecute($stmt, [
 				"customerid" => $customer['customerid'],
 				"id" => $id,
-				"password" => $cryptPassword
+				"password" => $cryptPassword,
+				"passwordc" => $cryptPasswordCompat
 			], true, true);
 			$this->logger()->logAction($this->isAdmin() ? FroxlorLogger::ADM_ACTION : FroxlorLogger::USR_ACTION, LOG_INFO, "[API] updated ftp-account password for '" . $result['username'] . "'");
 		}

lib/Froxlor/System/Crypt.php

@@ -207,24 +207,23 @@ class Crypt
 	 * @param string $password
 	 *            Password to be encrypted
 	 * @param bool $htpasswd
-	 *            optional whether to generate a SHA1 password for directory protection
+	 *            optional whether to generate a SHA1 password for directory protection, if this and $openssl is set, outputs sha1-hash
 	 * @param bool $openssl
-	 *            optional generates $htpasswd like strings but for proftpd
+	 *            optional generates $htpasswd like strings but for proftpd {algo}base64encoded_hash, if this and $htpasswd is set, outputs sha1-hash
-	 *
-	 * @return string encrypted password)
-	 *
-	 *         0 - default crypt (depends on system configuration)
-	 *         1 - MD5 $1$
-	 *         2 - BLOWFISH $2y$07$
-	 *         3 - SHA-256 $5$ (default)
-	 *         4 - SHA-512 $6$
 	 *
+	 * @return string encrypted password
 	 */
 	public static function makeCryptPassword($password, $htpasswd = false, $openssl = false)
 	{
 		if ($htpasswd || $openssl) {
+			if ($htpasswd && $openssl) {
+				// sha1 compatible for pure-ftpd (not encoded)
+				return sha1($password);
+			}
+			// sha1 hash for either dir-protection or (if openssl=1) for proftpd
 			return '{SHA' . ($openssl ? '1' : '') . '}' . base64_encode(sha1($password, true));
 		}
+		// crypt using the specified crypt-algorithm or system default
 		$algo = Settings::Get('system.passwordcryptfunc') !== null ? Settings::Get('system.passwordcryptfunc') : PASSWORD_DEFAULT;
 		return password_hash($password, $algo);
 	}

lib/configfiles/bionic.xml

@@ -4333,6 +4333,26 @@ TLSVerifyClient                         off
 				<!-- Pureftpd -->
 				<daemon name="pureftpd" title="PureFTPd">
 					<install><![CDATA[apt-get install pure-ftpd-common pure-ftpd-mysql]]></install>
+					<file name="/etc/pure-ftpd/create-cert.sh" chown="root:0"
+						chmod="0700">
+						<content><![CDATA[#!/bin/bash
+[ -f /etc/ssl/private/pure-ftpd.pem ] || openssl req -x509 -nodes -days 7300 -newkey rsa:4096 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
+openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 3072
+chmod 0600 /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem
+]]>
+						</content>
+					</file>
+					<commands index="1">
+						<command><![CDATA[/etc/pure-ftpd/create-cert.sh]]></command>
+						<command><![CDATA[rm -f /etc/pure-ftpd/create-cert.sh]]></command>
+					</commands>
+					<file name="/etc/pure-ftpd/conf/TLS"
+						chown="root:0" chmod="0644">
+						<content><![CDATA[
+1
+]]>
+						</content>
+					</file>
 					<file name="/etc/pure-ftpd/conf/MinUID" chown="root:0"
 						chmod="0644">
 						<content><![CDATA[
@@ -4439,7 +4459,7 @@ MYSQLCrypt      any
 
 # Query to execute in order to fetch the password
 
-MYSQLGetPW      SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
+MYSQLGetPW      SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y"
 
 
 # Query to execute in order to fetch the system user name or uid

lib/configfiles/bookworm.xml

@@ -2972,6 +2972,26 @@ TLSVerifyClient                         off
 				<!-- Pureftpd -->
 				<daemon name="pureftpd" title="PureFTPd">
 					<install><![CDATA[apt-get install pure-ftpd-common pure-ftpd-mysql]]></install>
+					<file name="/etc/pure-ftpd/create-cert.sh" chown="root:0"
+						chmod="0700">
+						<content><![CDATA[#!/bin/bash
+[ -f /etc/ssl/private/pure-ftpd.pem ] || openssl req -x509 -nodes -days 7300 -newkey rsa:4096 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
+openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 3072
+chmod 0600 /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem
+]]>
+						</content>
+					</file>
+					<commands index="1">
+						<command><![CDATA[/etc/pure-ftpd/create-cert.sh]]></command>
+						<command><![CDATA[rm -f /etc/pure-ftpd/create-cert.sh]]></command>
+					</commands>
+					<file name="/etc/pure-ftpd/conf/TLS"
+						chown="root:0" chmod="0644">
+						<content><![CDATA[
+1
+]]>
+						</content>
+					</file>
 					<file name="/etc/pure-ftpd/conf/MinUID" chown="root:0"
 						chmod="0644">
 						<content><![CDATA[
@@ -3078,7 +3098,7 @@ MYSQLCrypt      any
 
 # Query to execute in order to fetch the password
 
-MYSQLGetPW      SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
+MYSQLGetPW      SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y"
 
 
 # Query to execute in order to fetch the system user name or uid

lib/configfiles/bullseye.xml

@@ -4544,6 +4544,26 @@ TLSVerifyClient                         off
 				<!-- Pureftpd -->
 				<daemon name="pureftpd" title="PureFTPd">
 					<install><![CDATA[apt-get install pure-ftpd-common pure-ftpd-mysql]]></install>
+					<file name="/etc/pure-ftpd/create-cert.sh" chown="root:0"
+						chmod="0700">
+						<content><![CDATA[#!/bin/bash
+[ -f /etc/ssl/private/pure-ftpd.pem ] || openssl req -x509 -nodes -days 7300 -newkey rsa:4096 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
+openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 3072
+chmod 0600 /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem
+]]>
+						</content>
+					</file>
+					<commands index="1">
+						<command><![CDATA[/etc/pure-ftpd/create-cert.sh]]></command>
+						<command><![CDATA[rm -f /etc/pure-ftpd/create-cert.sh]]></command>
+					</commands>
+					<file name="/etc/pure-ftpd/conf/TLS"
+						chown="root:0" chmod="0644">
+						<content><![CDATA[
+1
+]]>
+						</content>
+					</file>
 					<file name="/etc/pure-ftpd/conf/MinUID" chown="root:0"
 						chmod="0644">
 						<content><![CDATA[
@@ -4650,7 +4670,7 @@ MYSQLCrypt      any
 
 # Query to execute in order to fetch the password
 
-MYSQLGetPW      SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
+MYSQLGetPW      SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y"
 
 
 # Query to execute in order to fetch the system user name or uid

lib/configfiles/buster.xml

@@ -4535,6 +4535,26 @@ TLSVerifyClient                         off
 				<!-- Pureftpd -->
 				<daemon name="pureftpd" title="PureFTPd">
 					<install><![CDATA[apt-get install pure-ftpd-common pure-ftpd-mysql]]></install>
+					<file name="/etc/pure-ftpd/create-cert.sh" chown="root:0"
+						chmod="0700">
+						<content><![CDATA[#!/bin/bash
+[ -f /etc/ssl/private/pure-ftpd.pem ] || openssl req -x509 -nodes -days 7300 -newkey rsa:4096 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
+openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 3072
+chmod 0600 /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem
+]]>
+						</content>
+					</file>
+					<commands index="1">
+						<command><![CDATA[/etc/pure-ftpd/create-cert.sh]]></command>
+						<command><![CDATA[rm -f /etc/pure-ftpd/create-cert.sh]]></command>
+					</commands>
+					<file name="/etc/pure-ftpd/conf/TLS"
+						chown="root:0" chmod="0644">
+						<content><![CDATA[
+1
+]]>
+						</content>
+					</file>
 					<file name="/etc/pure-ftpd/conf/MinUID" chown="root:0"
 						chmod="0644">
 						<content><![CDATA[
@@ -4641,7 +4661,7 @@ MYSQLCrypt      any
 
 # Query to execute in order to fetch the password
 
-MYSQLGetPW      SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
+MYSQLGetPW      SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y"
 
 
 # Query to execute in order to fetch the system user name or uid

lib/configfiles/focal.xml

@@ -3750,6 +3750,26 @@ TLSVerifyClient                         off
 				<!-- Pureftpd -->
 				<daemon name="pureftpd" title="PureFTPd">
 					<install><![CDATA[apt-get install pure-ftpd-common pure-ftpd-mysql]]></install>
+					<file name="/etc/pure-ftpd/create-cert.sh" chown="root:0"
+						chmod="0700">
+						<content><![CDATA[#!/bin/bash
+[ -f /etc/ssl/private/pure-ftpd.pem ] || openssl req -x509 -nodes -days 7300 -newkey rsa:4096 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
+openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 3072
+chmod 0600 /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem
+]]>
+						</content>
+					</file>
+					<commands index="1">
+						<command><![CDATA[/etc/pure-ftpd/create-cert.sh]]></command>
+						<command><![CDATA[rm -f /etc/pure-ftpd/create-cert.sh]]></command>
+					</commands>
+					<file name="/etc/pure-ftpd/conf/TLS"
+						chown="root:0" chmod="0644">
+						<content><![CDATA[
+1
+]]>
+						</content>
+					</file>
 					<file name="/etc/pure-ftpd/conf/MinUID" chown="root:0"
 						chmod="0644">
 						<content><![CDATA[
@@ -3856,7 +3876,7 @@ MYSQLCrypt      any
 
 # Query to execute in order to fetch the password
 
-MYSQLGetPW      SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
+MYSQLGetPW      SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y"
 
 
 # Query to execute in order to fetch the system user name or uid

lib/configfiles/gentoo.xml

@@ -3525,6 +3525,19 @@ UseReverseDNS off
 				<daemon name="pureftpd" title="PureFTPd">
 					<command><![CDATA[echo "net-ftp/pure-ftpd mysql" >> /etc/portage/package.use/froxlor]]></command>
 					<install><![CDATA[emerge net-ftp/pure-ftpd]]></install>
+					<file name="/etc/pure-ftpd/create-cert.sh" chown="root:0"
+						chmod="0700">
+						<content><![CDATA[#!/bin/bash
+[ -f /etc/ssl/private/pure-ftpd.pem ] || openssl req -x509 -nodes -days 7300 -newkey rsa:4096 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
+openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 3072
+chmod 0600 /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem
+]]>
+						</content>
+					</file>
+					<commands index="1">
+						<command><![CDATA[/etc/pure-ftpd/create-cert.sh]]></command>
+						<command><![CDATA[rm -f /etc/pure-ftpd/create-cert.sh]]></command>
+					</commands>
 					<file name="/etc/conf.d/pure-ftpd" chown="root:0" chmod="0644"
 						backup="true">
 						<content><![CDATA[
@@ -3550,7 +3563,7 @@ DISK_FULL="-k 90%"
 AUTH="-l mysql:/etc/pureftpd-mysql.conf"
 
 ## Misc. Others ##
-MISC_OTHER="-A -x -j -Z"
+MISC_OTHER="-A -x -j -Z -Y 1"
 ]]>
 						</content>
 					</file>
@@ -3563,8 +3576,8 @@ MYSQLSocket     /var/run/mysqld/mysqld.sock
 MYSQLUser       <SQL_UNPRIVILEGED_USER>
 MYSQLPassword   <SQL_UNPRIVILEGED_PASSWORD>
 MYSQLDatabase   <SQL_DB>
-MYSQLCrypt      Crypt
+MYSQLCrypt      any
-MYSQLGetPW      SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
+MYSQLGetPW      SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y"
 MYSQLGetUID     SELECT uid FROM ftp_users WHERE username="\L" AND login_enabled="y"
 MYSQLGetGID     SELECT gid FROM ftp_users WHERE username="\L" AND login_enabled="y"
 MYSQLGetDir     SELECT homedir FROM ftp_users WHERE username="\L" AND login_enabled="y"

lib/configfiles/jammy.xml

@@ -3750,6 +3750,26 @@ TLSVerifyClient                         off
 				<!-- Pureftpd -->
 				<daemon name="pureftpd" title="PureFTPd">
 					<install><![CDATA[apt-get install pure-ftpd-common pure-ftpd-mysql]]></install>
+					<file name="/etc/pure-ftpd/create-cert.sh" chown="root:0"
+						chmod="0700">
+						<content><![CDATA[#!/bin/bash
+[ -f /etc/ssl/private/pure-ftpd.pem ] || openssl req -x509 -nodes -days 7300 -newkey rsa:4096 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem -subj "/C=US/ST=Some-State/O=Internet Widgits Pty Ltd/CN=<SERVERNAME>"
+openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 3072
+chmod 0600 /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem
+]]>
+						</content>
+					</file>
+					<commands index="1">
+						<command><![CDATA[/etc/pure-ftpd/create-cert.sh]]></command>
+						<command><![CDATA[rm -f /etc/pure-ftpd/create-cert.sh]]></command>
+					</commands>
+					<file name="/etc/pure-ftpd/conf/TLS"
+						chown="root:0" chmod="0644">
+						<content><![CDATA[
+1
+]]>
+						</content>
+					</file>
 					<file name="/etc/pure-ftpd/conf/MinUID" chown="root:0"
 						chmod="0644">
 						<content><![CDATA[
@@ -3856,7 +3876,7 @@ MYSQLCrypt      any
 
 # Query to execute in order to fetch the password
 
-MYSQLGetPW      SELECT password FROM ftp_users WHERE username="\L" AND login_enabled="y"
+MYSQLGetPW      SELECT password_compat FROM ftp_users WHERE username="\L" AND login_enabled="y"
 
 
 # Query to execute in order to fetch the system user name or uid