Protecting the user ftp password

durangod

Hi,

I am adding an FTP sign-on to my software and plan to store that value using the PHP password_hash() function. My concern is that it may not mesh with how cPanel processes that data on the cPanel side of things for the user's FTP account.

I don't need to know how cPanel does it, I just want to know if the FTP pw is submitted as a password_hash(), will cPanel accept the data as a pw hash. Users don't want to have to keep typing in their FTP information, which is why I am adding this feature.

UPDATE: Well, I just ran a test with the hash and it did not work. Are we really supposed to send that pw over the request unhashed?
 

cPanelMichael

Administrator
Staff member
Hello,

You are authenticating with the FTP service installed on the server (e.g. PureFTPd, ProFTPd) as opposed to cPanel. Have you verified FTP authentication works successfully with that username/password in an FTP client such as FileZilla before testing it with a PHP script?

Thank you.
 

durangod

No sir, I have not used the hash on FileZilla or any of the third-party FTP scripts. If the hash is created using PHP password_hash(), then if the FTP account (same as cPanel to me because it's under the cPanel software) accepts hashes then it should work; that sounds logical to me. This is why I say that cPanel or any of its derivatives (FTP or otherwise) must not accept hashed content.

However, for the sake of conversation I will recreate the hash and submit it via the manual connection for FileZilla and see if it connects, but I'm really thinking it won't.
 

sparek-3

If you are wanting to store the password, you would need to look into some sort of 2-way encryption/decryption on your system. One that encrypts the plain-text password, stores that encrypted form in your system, and then your system would need to be able to decrypt the encrypted password back to the plain-text password, to pass on to FTP.

Of course, if the system is automatically encrypting and decrypting the password, then it's still a single point of failure. Because if someone gets access to that code, they can decrypt the stored encrypted passwords.
 

durangod

Yes sparek, exactly. I might as well just use nothing because anything I use that is one way is useless. In this day and age it's hard for me to imagine the fact that any software still sends password data unhashed over a request, regardless of how secure the request is. All pw should be hashed. At least give us the option, like some attribute we can add to the FTP request to tell it that we are using hashed data and filter it accordingly.

Oh, but wait, I forgot!! The priority was forum eye candy, not security... oh, now I got it.
 

sparek-3

Well, even if the FTP accepted the hashed password, what would be gained?

If someone hacks or otherwise attains the password hash, if FTP accepts the hashed password, they would be able to log in via FTP.

So regardless if the password is stored as:

stupidpass

or as

51bd5b8ad8a3d9510794a403

If either allows FTP logins, then there's nothing to be gained.

Alternatively, you can look into using SFTP or FTP over Explicit TLS to encrypt the passing of the password in the connection. Doesn't solve the storing problem, but would prevent listeners from listening to the connection and getting the password.
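
An added example (not written by any poster in this thread, and not cPanel code) of the reversible storage sparek-3 describes, combined with FTP over explicit TLS: PHP's sodium extension encrypts the password at rest, and `ftp_ssl_connect()` carries the decrypted value to the FTP service. The function names, the constructed sample password, and the assumption that the key is kept outside the database are illustrative.

```php
<?php
declare(strict_types=1);

// Encrypt the FTP password for storage. $key is 32 random bytes that must live
// outside the database and web root (assumption: loaded from server-side config).
function sealFtpPassword(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

// Recover the plain-text password; throws if the stored value was altered or the key is wrong.
function openFtpPassword(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Stored FTP credential is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Stored FTP credential failed authentication');
    }
    return $plain;
}

// Log in over explicit TLS. The FTP service needs the real password, so it is
// decrypted only here, used once, and wiped from memory afterwards.
function ftpsLogin(string $host, string $user, string $stored, string $key)
{
    $conn = ftp_ssl_connect($host, 21, 15);
    if ($conn === false) {
        throw new RuntimeException('FTPS connect failed');
    }
    $password = openFtpPassword($stored, $key);
    $ok = ftp_login($conn, $user, $password);
    sodium_memzero($password);
    if (!$ok) {
        ftp_close($conn);
        throw new RuntimeException('FTPS login failed (TLS negotiation or credentials)');
    }
    return $conn;
}

// Constructed sample values, not real credentials: round trip without a server.
$key = sodium_crypto_secretbox_keygen();
$stored = sealFtpPassword('constructed-example-pass', $key);
var_dump(openFtpPassword($stored, $key) === 'constructed-example-pass');
```

As sparek-3 notes, anyone who obtains both the key and the stored value can decrypt it, so the protection depends on keeping the key separate from the stored ciphertext.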
 

durangod

So why can't it work like a normal PW? Aside from the transmission part, the system takes what is entered and hashes it; if the hashes match then it's a go, if not then it's denied. There is no unhashing of it. We have that kind of security with other PWs, so why not the FTP PW? Besides, I can't be asking people that use my plugin to set up a different kind of FTP just because cPanel seems behind the times and sitting down on this one. Security in every way should be a priority, regardless.

Also, don't forget I'm not asking to reinvent the wheel here; they don't have to take away the current process. Just add an alternative process for hashes, so we can call on that process when we need to.
 

cPanelMichael
