The Community Forums


Protecting the user ftp password

Discussion in 'cPanel Developers' started by durangod, Jun 4, 2016.

  1. durangod (Well-Known Member, cPanel Access Level: Website Owner)

    Hi,

    I am adding an FTP sign-on to my software and plan to store that value using the PHP password_hash() function. My concern is that it may not mesh with how cPanel processes that data on the cPanel side of things for the user's FTP account.

    I don't need to know how cPanel does it, I just want to know: if the FTP password is submitted as a password_hash(), will cPanel accept the data as a password hash? Users don't want to have to keep typing in their FTP information, which is why I am adding this feature.

    UPDATE: well, I just ran a test with the hash and it did not work. Are we really supposed to send that password over the request unhashed?
     
    #1 durangod, Jun 4, 2016
    Last edited: Jun 4, 2016
  2. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)

    Hello,

    You are authenticating with the FTP service installed on the server (e.g. PureFTPd, ProFTPd) as opposed to cPanel. Have you verified that FTP authentication works successfully with that username/password in an FTP client such as FileZilla before testing it with a PHP script?

    Thank you.
     
  3. durangod (Well-Known Member, cPanel Access Level: Website Owner)

    No sir, I have not used the hash on FileZilla or any of the third-party FTP scripts. If the hash is created using PHP password_hash(), then if the FTP account (same as cPanel to me because it's under the cPanel software) accepts hashes, it should work; that sounds logical to me. This is why I say that cPanel or any of its derivatives (FTP or otherwise) must not accept hashed content.

    However, for the sake of conversation I will recreate the hash and submit it via the manual connection in FileZilla and see if it connects, but I'm really thinking it won't.
     
  4. sparek-3 (Well-Known Member, cPanel Access Level: Root Administrator)

    If you are wanting to store the password, you would need to look into some sort of 2-way encryption/decryption on your system. One that encrypts the plain-text password, stores that encrypted form in your system, and then your system would need to be able to decrypt the encrypted password back to the plain-text password, to pass on to FTP.

    Of course, if the system is automatically encrypting and decrypting the password, then it's still a single point of failure. Because if someone gets access to that code, they can decrypt the stored encrypted passwords.
     
  5. durangod (Well-Known Member, cPanel Access Level: Website Owner)

    Yes sparek, exactly; I might as well just use nothing, because anything I use that is one-way is useless. In this day and age it's hard for me to imagine the fact that any software still sends password data unhashed over a request, regardless of how secure the request is. All passwords should be hashed. At least give us the option, like some attribute we can add to the FTP request to tell it that we are using hashed data and filter it accordingly.

    OH but wait, I forgot!! The priority was forum eye candy, not security... oh, now I got it.
     
  6. sparek-3 (Well-Known Member, cPanel Access Level: Root Administrator)

    Well, even if the FTP accepted the hashed password, what would be gained?

    If someone hacks or otherwise attains the password hash, if FTP accepts the hashed password, they would be able to log in via FTP.

    So regardless if the password is stored as:

    stupidpass

    or as

    51bd5b8ad8a3d9510794a403

    If either allow FTP logins, then there's nothing to be gained.

    Alternatively, you can look into using SFTP or FTP over Explicit TLS to encrypt the passing of the password in the connection. Doesn't solve the storing problem, but would prevent listeners from listening to the connection and getting the password.
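    The two points above, sparek-3's reversible-storage remark in post #4 and the "a hash the server accepts is just another password" argument here, as an added example in PHP (this is not code from the thread, from cPanel, or from any FTP daemon). It shows that a password_hash() value can only be verified against typed input, so a plugin that must log in on the user's behalf has to keep the FTP password under authenticated, reversible encryption (ext/sodium secretbox) with the key held outside the database, and then send the recovered plaintext over FTP with explicit TLS (ext/ftp). The key file path, the record layout and the host name are hypothetical.

```php
<?php
// Added example, not from the thread or from cPanel.
// Assumptions (hypothetical): the plugin stores one record per user holding
// `ftp_user`, `nonce` and `ciphertext`; the secretbox key is read from a file
// outside the web root and the database, so a database dump alone does not
// reveal any FTP password. Requires PHP >= 7.2 with ext/sodium and ext/ftp.
declare(strict_types=1);

// 1. One-way hashing is for checking a password the user types into *your*
//    login form. The FTP daemon checks against its own credential store, so
//    a password_hash() string sent to it is simply a wrong password.
function storeLoginHash(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_DEFAULT);
}

function checkLogin(string $typed, string $storedHash): bool
{
    return password_verify($typed, $storedHash);
}

// 2. To reuse a credential later, the app must get the plaintext back, which
//    a hash cannot do. Authenticated encryption with a key kept off the
//    database is the reversible alternative sparek-3 describes.
function loadSecretboxKey(string $path): string
{
    $key = @file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('missing or malformed secretbox key');
    }
    return $key;
}

function sealFtpPassword(string $plaintext, string $key): array
{
    // A fresh random nonce per record; it is not secret and is stored alongside.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return [
        'nonce'      => $nonce,
        'ciphertext' => sodium_crypto_secretbox($plaintext, $nonce, $key),
    ];
}

function openFtpPassword(string $nonce, string $ciphertext, string $key): string
{
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    if ($plaintext === false) {
        // Wrong key or a tampered record: refuse instead of attempting a login.
        throw new RuntimeException('stored FTP credential failed authentication');
    }
    return $plaintext;
}

// 3. Explicit TLS (AUTH TLS) keeps the plaintext password off the wire. It
//    does not change how the password is stored, as the post notes.
function connectFtps(string $host, string $user, string $password)
{
    $conn = ftp_ssl_connect($host, 21, 15);
    if ($conn === false) {
        throw new RuntimeException("could not open TLS FTP connection to $host");
    }
    if (!ftp_login($conn, $user, $password)) {
        ftp_close($conn);
        throw new RuntimeException('FTP login rejected');
    }
    return $conn;
}

// Usage sketch (constructed values):
//   $key = loadSecretboxKey('/etc/myplugin/ftp.key');        // hypothetical path
//   $rec = sealFtpPassword($passwordTypedOnce, $key);        // persist with ftp_user
//   ...later...
//   $pw   = openFtpPassword($rec['nonce'], $rec['ciphertext'], $key);
//   $conn = connectFtps('ftp.example.com', $rec['ftp_user'], $pw);
```

    Whoever can read both the database and the key file can recover every stored FTP password, which is the single point of failure sparek-3 mentions; separating the key from the data and using explicit TLS narrow the exposure but do not remove it.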
     
  7. durangod (Well-Known Member, cPanel Access Level: Website Owner)

    So why can't it work like a normal password? Aside from the transmission part, the system takes what is entered and hashes it; if the hashes match then it's a go, if not then it's denied; there is no unhashing of it. We have that kind of security with other passwords, so why not the FTP password? Besides, I can't be asking people that use my plugin to set up a different kind of FTP just because cPanel seems behind the times and sitting down on this one. Security in every way should be a priority, regardless.

    Also, don't forget I'm not asking to reinvent the wheel here; they don't have to take away the current process. Just add an alternative process for hashes, so we can call on that process when we need to.
     
  8. cPanelMichael (Forums Analyst, Staff Member, cPanel Access Level: Root Administrator)
