Question

I am trying to install a vsftpd with some virtual users using the Berkeley DB. I have mainly followed this guide: http://www.neant.ro/2012/04/secure-ftp-with-vsftpd/ . Everything works fine, but I want to have the passwords hashed inside the database. I am using CentOS 6.3 with glibc 2.12.

From the manpage of pam_userdb.so I assume that I can use what crypt provides. If we take a look at the crypt(3) manpage we can use SHA-256 and SHA-512. I would like to use one of those.

My doubt is how to implement it. From what I know I need to go to my pam.d file and edit and add the argument crypt but... which value should I give it? 5 for SHA-256? 6 for SHA-512?

auth    sufficient pam_userdb.so db=/path/to/db/virtual-users crypt=?
account sufficient pam_userdb.so db=/path/to/db/virtual-users crypt=?
session sufficient pam_loginuid.so

Now I need the password in SHA-256/SHA-512 inside the database. Which is the correct way to get the hash? I suppose I have to use the crypt function. However, I need to get it using Ruby, is there any way?

Thanks in advance for the help,


Solution

There is no way. You should say crypt=crypt (other options are rejected) but mod_userdb won't accept non-DES hashes, at least, not until you get a version of PAM that has this fix in it (Ubuntu Saucy doesn't, for one).

I, for one, compiled my own PAM to have that fix.

OTHER TIPS

This is fixed. Debian Jessie's version 1.1.8-3 of libpam-modules seems fixed too.

To insert a line use db5.3-util or similar:

{ echo user; echo hash; } | db5.3_load -T -t hash /tmp/passwd.db

To generate a crypt-valid strong hash:

echo pass|mkpasswd -s -m sha-512

The "debug" option of this pam module is useful (check /var/log/auth.log), as is pamtester.
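
For the Ruby part of the question, an added example (not from the original posts): Ruby's String#crypt calls the system crypt(3), so a "$6$" salt prefix yields a SHA-512 hash and the result can be written as the alternating key/value lines that db5.3_load -T reads. It assumes a libc with SHA-512 crypt support (glibc 2.7 or later) and a pam_userdb build that accepts non-DES hashes; the helper names and sample accounts are made up for illustration.

```ruby
require 'securerandom'

# Salt alphabet accepted by crypt(3): [a-zA-Z0-9./]
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# Build a "$6$<salt>$" setting string; the "6" selects SHA-512 in glibc.
def sha512_setting(salt_len = 16)
  salt = Array.new(salt_len) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  "$6$#{salt}$"
end

# Hash a password through the system crypt(3), which String#crypt wraps.
def sha512_crypt(password, setting = sha512_setting)
  hash = password.crypt(setting)
  # A libc without SHA-512 support would not echo the "$6$" prefix back.
  raise 'crypt(3) here does not support $6$ (SHA-512)' unless hash.to_s.start_with?('$6$')
  hash
end

# Check a candidate password the way crypt-based verifiers do: re-hash with
# the stored hash as the setting, then compare without an early exit.
def password_matches?(password, stored)
  candidate = password.crypt(stored)
  return false unless candidate.bytesize == stored.bytesize
  candidate.bytes.zip(stored.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Render users as alternating key/value lines, the text format db_load -T reads.
def db_load_input(users)
  users.map do |name, password|
    # Newlines would split the record; db_load -T treats backslash as an escape.
    raise ArgumentError, "unsafe user name: #{name.inspect}" if name.empty? || name =~ /[\\\r\n]/
    "#{name}\n#{sha512_crypt(password)}\n"
  end.join
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample accounts, for illustration only.
  print db_load_input('alice' => 'correct horse', 'bob' => 'battery staple')
end
```

Because the passwords pass through the script's output, pipe it straight into the db load command rather than writing it to a file.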

Licensed under: CC-BY-SA with attribution