diff --git a/README.md b/README.md index 6f77cee4..d6996ef3 100644 --- a/README.md +++ b/README.md @@ -234,7 +234,7 @@ sftpgo serve For each account the following properties can be configured: - `username` -- `password` used for password authentication. For users created using SFTPGo REST API if the password has no known hashing algo prefix it will be stored using argon2id. SFTPGo supports checking passwords stored with bcrypt and pbkdf2 too. For pbkdf2 the supported format is `$$$$`, where algo is `pbkdf2-sha1` or `pbkdf2-sha256` or `pbkdf2-sha512`. For example the `pbkdf2-sha256` of the word `password` using 150000 iterations and `E86a9YMX3zC7` as salt must be stored as `$pbkdf2-sha256$150000$E86a9YMX3zC7$R5J62hsSq+pYw00hLLPKBbcGXmq7fj5+/M0IFoYtZbo=`. For bcrypt the format must be the one supported by golang's [crypto/bcrypt](https://godoc.org/golang.org/x/crypto/bcrypt) package, for example the password `secret` with cost `14` must be stored as `$2a$14$ajq8Q7fbtFRQvXpdCq7Jcuy.Rx1h/L4J60Otx.gyNLbAYctGMJ9tK`. Using the REST API you can send a password hashed as bcrypt or pbkdf2 and it will be stored as is. +- `password` used for password authentication. For users created using SFTPGo REST API if the password has no known hashing algo prefix it will be stored using argon2id. SFTPGo supports checking passwords stored with bcrypt, pbkdf2 and sha512crypt too. For pbkdf2 the supported format is `$$$$`, where algo is `pbkdf2-sha1` or `pbkdf2-sha256` or `pbkdf2-sha512`. For example the `pbkdf2-sha256` of the word `password` using 150000 iterations and `E86a9YMX3zC7` as salt must be stored as `$pbkdf2-sha256$150000$E86a9YMX3zC7$R5J62hsSq+pYw00hLLPKBbcGXmq7fj5+/M0IFoYtZbo=`. For bcrypt the format must be the one supported by golang's [crypto/bcrypt](https://godoc.org/golang.org/x/crypto/bcrypt) package, for example the password `secret` with cost `14` must be stored as `$2a$14$ajq8Q7fbtFRQvXpdCq7Jcuy.Rx1h/L4J60Otx.gyNLbAYctGMJ9tK`. For sha512crypt we support the format used in `/etc/shadow` with the `$6$` prefix, this is useful if you are migrating from system user's accounts. Using the REST API you can send a password hashed as bcrypt, pbkdf2 or sha512crypt and it will be stored as is. - `public_keys` array of public keys. At least one public key or the password is mandatory. - `home_dir` The user cannot upload or download files outside this directory. Must be an absolute path - `uid`, `gid`. If sftpgo runs as root system user then the created files and directories will be assigned to this system uid/gid. Ignored on windows and if sftpgo runs as non root user: in this case files and directories for all SFTP users will be owned by the system user that runs sftpgo. diff --git a/dataprovider/dataprovider.go b/dataprovider/dataprovider.go index 24c667d3..3bfb077d 100644 --- a/dataprovider/dataprovider.go +++ b/dataprovider/dataprovider.go @@ -44,8 +44,8 @@ const ( pbkdf2SHA256Prefix = "$pbkdf2-sha256$" pbkdf2SHA512Prefix = "$pbkdf2-sha512$" sha512cryptPwdPrefix = "$6$" - manageUsersDisabledError = "please set manage_users to 1 in sftpgo.conf to enable this method" - trackQuotaDisabledError = "please enable track_quota in sftpgo.conf to use this method" + manageUsersDisabledError = "please set manage_users to 1 in your configuration to enable this method" + trackQuotaDisabledError = "please enable track_quota in your configuration to use this method" ) var ( diff --git a/go.mod b/go.mod index 4029f6b6..fed27f9c 100644 --- a/go.mod +++ b/go.mod @@ -10,6 +10,7 @@ require ( github.com/lib/pq v1.2.0 github.com/magiconair/properties v1.8.1 // indirect github.com/mattn/go-sqlite3 v1.11.0 + github.com/nathanaelle/password v1.0.0 github.com/pelletier/go-toml v1.4.0 // indirect github.com/pkg/sftp v1.10.2-0.20190913011139-8fc59612f2b0 github.com/prometheus/client_golang v1.1.0 diff --git a/go.sum b/go.sum index 8ed33dd1..646e9c41 100644 --- a/go.sum +++ b/go.sum @@ -95,6 +95,8 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/nathanaelle/password v1.0.0 h1:1Etka3uuBvATlCb72f7P5vsgedus+C91Fgff1oMloq0= +github.com/nathanaelle/password v1.0.0/go.mod h1:wt9xV3xwQmc3Qi0ofowmzR7N+kF1L4cguCuWjAfdj1Q= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.4.0 h1:u3Z1r+oOXJIkxqw34zVhyPgjBsm6X2wn21NWs/HfSeg= diff --git a/sftpd/sftpd_test.go b/sftpd/sftpd_test.go index e8ec7db1..7fb15190 100644 --- a/sftpd/sftpd_test.go +++ b/sftpd/sftpd_test.go @@ -1196,6 +1196,39 @@ func TestPasswordsHashBcrypt(t *testing.T) { os.RemoveAll(user.GetHomeDir()) } +func TestPasswordsHashSHA512Crypt(t *testing.T) { + sha512CryptPwd := "$6$459ead56b72e44bc$uog86fUxscjt28BZxqFBE2pp2QD8P/1e98MNF75Z9xJfQvOckZnQ/1YJqiq1XeytPuDieHZvDAMoP7352ELkO1" + clearPwd := "secret" + usePubKey := false + u := getTestUser(usePubKey) + u.Password = sha512CryptPwd + user, _, err := api.AddUser(u, http.StatusOK) + if err != nil { + t.Errorf("unable to add user: %v", err) + } + user.Password = clearPwd + client, err := getSftpClient(user, usePubKey) + if err != nil { + t.Errorf("unable to login with sha512 crypt password: %v", err) + } else { + defer client.Close() + _, err = client.Getwd() + if err != nil { + t.Errorf("unable to get working dir with sha512 crypt password: %v", err) + } + } + user.Password = sha512CryptPwd + _, err = getSftpClient(user, usePubKey) + if err == nil { + t.Errorf("login with wrong password must fail") + } + _, err = api.RemoveUser(user, http.StatusOK) + if err != nil { + t.Errorf("unable to remove user: %v", err) + } + os.RemoveAll(user.GetHomeDir()) +} + func TestPermList(t *testing.T) { usePubKey := true u := getTestUser(usePubKey)