fclairamb/ftpserver

Request: ftpserver.json support for pre-hashed passwords

wanieru opened this issue · 1 comment

Hi, thanks for making this, it works like a charm.

Is there any chance of ftpserver.json supporting pre-hashed passwords, so I don't have to have the plain-text passwords in the file?

Looking into it, I think a good system would be to allow for the password to be a bcrypt hash, since it's a well established password hashing algorithm, and it's easy for the user to produce such a hash to put into the config file.

I'm not well-versed in Go, but in config.go's GetAccess function, it could perhaps find the Accesses element where a.User == user, and then try to parse a.Pass as a bcrypt hash. If it succeeds, you use a bcrypt compare function against the provided pass. If that succeeds, you return a, nil. If the bcrypt comparison fails, you can continue/break the loop. If the parsing fails, i.e. a.Pass is not a bcrypt hash, you do the same normal comparison on the password as right now: a.Pass == pass || (a.User == "anonymous" && a.Pass == "*"), and return a, nil if that passes.

As pseudo-code:

function GetAccess taking user and pass:
	for each Access a:
		if a.User == user:
			if parsing a.Pass as bcrypt succeeds: #a.Pass is a bcrypt hash
				if bcrypt_compare(a.Pass, pass):
					return access granted
			else: #a.Pass is not a bcrypt hash
				if a.Pass == pass || (a.User == "anonymous" && a.Pass == "*"):
					return access granted
	return access denied

I'd do a fork or a PR, but as I said, I'm not that well-versed in Go. But I might give it a shot later.

Edit: as a side note, is there ever a world in which you want plain-text passwords lying around in your config files? Perhaps ftpserver could bcrypt-hash any plain-text passwords it finds and overwrite the config file. That would allow the admin to configure users with their plain-text passwords, and if you have the config file in a volume, it will automatically be hashed when the server runs.