
I am trying to install a vsftpd with some virtual users using the Berkeley DB. I have mainly followed this guide: http://www.neant.ro/2012/04/secure-ftp-with-vsftpd/ . Everything works fine, but I want to have the passwords hashed inside the database. I am using CentOS 6.3 with glibc 2.12.

From the manpage of pam_userdb.so I assume that I can use what crypt provides. If we take a look at the crypt(3) manpage, we can use SHA-256 and SHA-512. I would like to use one of those.

My doubt is how to implement it. From what I know I need to go to my pam.d file, edit it and add the argument crypt but... which value should I give it? 5 for SHA-256? 6 for SHA-512?

auth    sufficient pam_userdb.so db=/path/to/db/virtual-users crypt=?
account sufficient pam_userdb.so db=/path/to/db/virtual-users crypt=?
session sufficient pam_loginuid.so

Now I need the password in SHA-256/SHA-512 inside the database. Which is the correct way to get the hash? I suppose I have to use the crypt function. However, I need to get it using Ruby, is there any way?

Thanks in advance for the help,

Alfred Huang
hveiga

2 Answers


There is no way. You should say crypt=crypt (other options are rejected) but mod_userdb won't accept non-DES hashes, at least, not until you get a version of PAM that has this fix in it (Ubuntu Saucy doesn't, for one).

I, for one, compiled my own PAM to have that fix.

Mrten
  • Thanks for answering, could you please share with me your compiled version or telling me how to do myself? Thanks again! – hveiga Oct 01 '13 at 22:25

This is fixed. Debian Jessie's version 1.1.8-3 of libpam-modules seems fixed too.

To insert a line use db5.3-util or similar:

{ echo user; echo hash; } | db5.3_load -T -t hash /tmp/passwd.db

To generate a crypt-valid strong hash:

echo pass|mkpasswd -s -m sha-512

The "debug" option of this pam module is useful (check /var/log/auth.log) as is pamtester

drzraf
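The question also asked how to produce the same SHA-512 crypt(3) hash from Ruby. The following is an added example, not code from either answer: Ruby's String#crypt calls the system crypt(3), so on glibc 2.7 or later a "$6$" salt yields a SHA-512 hash that pam_userdb with crypt=crypt can verify, and the output lines match the key/value-per-line format that db_load -T expects. The function names, the 16-character salt length and the optional rounds= parameter are this example's own choices.

```ruby
require 'securerandom'

# Salt alphabet accepted by crypt(3): [a-zA-Z0-9./]
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# Build a "$6$" (SHA-512) salt string with 16 random characters.
# rounds: optional glibc "rounds=N" cost parameter (default 5000 if omitted).
def sha512_salt(rounds: nil)
  salt = Array.new(16) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  rounds ? "$6$rounds=#{rounds}$#{salt}$" : "$6$#{salt}$"
end

# Hash a clear-text password with the system crypt(3) via String#crypt.
# A libc without SHA-512 support silently returns a DES hash or "*0",
# which pam_userdb would then treat as a DES entry; refuse that case.
def crypt_sha512(password, salt = sha512_salt)
  hash = password.crypt(salt)
  raise "crypt(3) on this system does not support $6$ (SHA-512) hashes" unless hash.start_with?("$6$")
  hash
end

# Verify a password against a stored hash: crypt() with the full stored hash
# as the salt argument reproduces it only for the correct password.
# The comparison is length-then-XOR so it does not exit early on the first mismatch.
def crypt_verify(password, stored_hash)
  candidate = password.crypt(stored_hash)
  return false unless candidate.bytesize == stored_hash.bytesize
  diff = 0
  candidate.bytes.zip(stored_hash.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

# Emit one record in the text format db_load -T -t hash reads:
# the key (username) on one line, the value (hash) on the next.
def db_load_lines(user, password)
  "#{user}\n#{crypt_sha512(password)}\n"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample user; pipe this output into db_load as in the answer above.
  print db_load_lines('ftpuser', 'correct horse battery staple')
end
```

The resulting hash can be checked independently with `mkpasswd -m sha-512 -S <salt> <password>` from the whois package, which calls the same crypt(3).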