[Bug 1630955] Re: proftpd 1.3.5a-1build1 with SQLAuthTypes other than plaintext doesn't recognize passwords

Amr Ibrahim 1630955 at bugs.launchpad.net
Thu Jun 29 14:10:52 UTC 2017 

** Package changed: proftpd (Ubuntu) => proftpd-dfsg (Ubuntu)

-- 
You received this bug notification because you are a member of ProFTPD
Maintainance Team, which is subscribed to proftpd-dfsg in Ubuntu.
https://bugs.launchpad.net/bugs/1630955

Title:
  proftpd 1.3.5a-1build1 with SQLAuthTypes other than plaintext  doesn't
  recognize passwords

Status in proftpd-dfsg package in Ubuntu:
  Confirmed

Bug description:
  On Ubuntu server 16.04.1 AMD64, i can't login on proftpd since no plaintext passwords aren't recognized anymore.
  I'm usually running Backend SQLAuthTypes.

  Version information :
  ~# proftpd -V
  Compile-time Settings:
    Version: 1.3.5a (maint)
    Platform: LINUX [Linux 4.4.0-38-generic x86_64]
    Built: Tue Apr 5 2016 13:36:50 UTC
    Built With:
      configure  'CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' 'FCFLAGS=-g -O2 -fstack-protector-strong' 'FFLAGS=-g -O2 -fstack-protector-strong' 'GCJFLAGS=-g -O2 -fstack-protector-strong' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'OBJCFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' 'OBJCXXFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' '--prefix=/usr' '--with-includes=/usr/include/postgresql:/usr/include/mysql' '--mandir=/usr/share/man' '--sysconfdir=/etc/proftpd' '--localstatedir=/run' '--libexecdir=/usr/lib/proftpd' '--enable-sendfile' '--enable-facl' '--enable-dso' '--enable-autoshadow' '--enable-ctrls' '--with-modules=mod_readme' '--enable-ipv6' '--enable-nls' '--enable-memcache' '--with-lastlog=/var/log/lastlog' '--enable-pcre' '--build' 'x86_64-linux-gnu' '--with-shared=mod_unique_id:mod_site_misc:mod_load:mod_ban:mod_quotatab:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_sql_sqlite:mod_sql_odbc:mod_dynmasq:mod_quotatab_sql:mod_ldap:mod_quotatab_ldap:mod_ratio:mod_tls:mod_rewrite:mod_radius:mod_wrap:mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_quotatab_file:mod_quotatab_radius:mod_facl:mod_ctrls_admin:mod_copy:mod_deflate:mod_ifversion:mod_tls_memcache:mod_geoip:mod_exec:mod_sftp:mod_sftp_pam:mod_sftp_sql:mod_shaper:mod_sql_passwd:mod_ifsession' 'build_alias=x86_64-linux-gnu'

    CFLAGS: -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wall
    LDFLAGS: -L$(top_srcdir)/lib -Wl,-Bsymbolic-functions -Wl,-z,relro  -L/usr/lib/x86_64-linux-gnu -L/usr/lib/x86_64-linux-gnu
    LIBS:  -lpcreposix -lpcre -lssl -lcrypto -lcap  -lmemcached -lmemcachedutil  -lpam -lsupp -lcrypt -ldl

    Files:
      Configuration File:
        /etc/proftpd/proftpd.conf
      Pid File:
        /run/proftpd.pid
      Scoreboard File:
        /run/proftpd.scoreboard
      Header Directory:
        /usr/include/proftpd
      Shared Module Directory:
        /usr/lib/proftpd

    Features:
      + Autoshadow support
      + Controls support
      + curses support
      - Developer support
      + DSO support
      + IPv6 support
      + Largefile support
      + Lastlog support
      + Memcache support
      + ncurses support
      + NLS support
      + OpenSSL support
      + PCRE support
      + POSIX ACL support
      + Shadow file support
      + Sendfile support
      + Trace support

    Tunable Options:
      PR_TUNABLE_BUFFER_SIZE = 1024
      PR_TUNABLE_DEFAULT_RCVBUFSZ = 8192
      PR_TUNABLE_DEFAULT_SNDBUFSZ = 8192
      PR_TUNABLE_GLOBBING_MAX_MATCHES = 100000
      PR_TUNABLE_GLOBBING_MAX_RECURSION = 8
      PR_TUNABLE_HASH_TABLE_SIZE = 40
      PR_TUNABLE_NEW_POOL_SIZE = 512
      PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80
      PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30
      PR_TUNABLE_SELECT_TIMEOUT = 30
      PR_TUNABLE_TIMEOUTIDENT = 10
      PR_TUNABLE_TIMEOUTIDLE = 600
      PR_TUNABLE_TIMEOUTLINGER = 30
      PR_TUNABLE_TIMEOUTLOGIN = 300
      PR_TUNABLE_TIMEOUTNOXFER = 300
      PR_TUNABLE_TIMEOUTSTALLED = 3600
      PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10

  
  Logs from running proftpd -nd10 :
  2016-10-02 15:49:21,579 ftp proftpd[11000] : retrieved UID 33 for user 'test'
  2016-10-02 15:49:21,579 ftp proftpd[11000] : no supplemental groups found for user 'test'
  2016-10-02 15:49:21,580 ftp proftpd[11000] : USER test (Login failed): No such user found
  2016-10-02 15:49:21,580 ftp proftpd[11000] : dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_sql
  2016-10-02 15:49:21,580 ftp proftpd[11000] : dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_vroot
  2016-10-02 15:49:21,580 ftp proftpd[11000] : dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_wrap2
  2016-10-02 15:49:21,580 ftp proftpd[11000] : dispatching POST_CMD_ERR command 'PASS (hidden)' to mod_delay
  2016-10-02 15:49:21,583 ftp proftpd[11000] : dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_sql
  2016-10-02 15:49:21,583 ftp proftpd[11000] : dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_log
  2016-10-02 15:49:21,584 ftp proftpd[11000] : dispatching LOG_CMD_ERR command 'PASS (hidden)' to mod_auth
  2016-10-02 15:49:21,597 ftp proftpd[11000] : mod_tls/2.6: scrubbing 1 passphrase from memory

  
  Log from sql module :
  2016-10-02 15:35:24,628 mod_sql/4.3[10669]: query "SELECT userid, passwd, uid, gid, homedir, shell FROM users WHERE (userid='test') AND (((LoginAllowed = 'true'))) LIMIT 1"
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: entering    mysql cmd_close
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: connection 'default' count is now 1
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: exiting     mysql cmd_close
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: exiting     mysql cmd_select
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: cache miss for user 'test'
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: user 'test' cached
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: + pwd.pw_name  : test
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: + pwd.pw_uid   : 33
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: + pwd.pw_gid   : 33
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: + pwd.pw_dir   : /var/www
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: + pwd.pw_shell : /bin/false
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: <<< cmd_getpwnam
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: >>> cmd_getgrgid
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: cache miss for GID '33'
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: entering    mysql cmd_select
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: entering    mysql cmd_open
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: connection 'default' count is now 2
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: exiting     mysql cmd_open
  2016-10-02 15:35:24,629 mod_sql/4.3[10669]: query "SELECT groupname FROM groups WHERE (gid = 33) LIMIT 1"
  2016-10-02 15:35:24,630 mod_sql/4.3[10669]: entering    mysql cmd_close
  2016-10-02 15:35:24,630 mod_sql/4.3[10669]: connection 'default' count is now 1
  2016-10-02 15:35:24,630 mod_sql/4.3[10669]: exiting     mysql cmd_close
  2016-10-02 15:35:24,630 mod_sql/4.3[10669]: exiting     mysql cmd_select
  2016-10-02 15:35:24,630 mod_sql/4.3[10669]: <<< cmd_getgrgid
  2016-10-02 15:35:24,630 mod_sql/4.3[10669]: >>> cmd_getgroups

  ...

  2016-10-02 15:38:20,605 mod_sql/4.3[10728]: query "SELECT groupname, gid, members FROM groups WHERE (members = 'test' OR members LIKE 'test,%' OR members LIKE '%,test' OR members LIKE '%,test,%')"
  2016-10-02 15:38:20,605 mod_sql/4.3[10728]: entering    mysql cmd_close
  2016-10-02 15:38:20,605 mod_sql/4.3[10728]: connection 'default' count is now 1
  2016-10-02 15:38:20,605 mod_sql/4.3[10728]: exiting     mysql cmd_close
  2016-10-02 15:38:20,605 mod_sql/4.3[10728]: exiting     mysql cmd_select
  2016-10-02 15:38:20,605 mod_sql/4.3[10728]: <<< cmd_getgroups
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: >>> cmd_auth
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: entering    mysql cmd_escapestring
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: entering    mysql cmd_open
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: connection 'default' count is now 2
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: exiting     mysql cmd_open
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: entering    mysql cmd_close
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: connection 'default' count is now 1
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: exiting     mysql cmd_close
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: exiting     mysql cmd_escapestring
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: cache hit for user 'test'
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: >>> cmd_check
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: checking password using SQLAuthType 'Backend'
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: entering    mysql cmd_checkauth
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: password mismatch
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: exiting     mysql cmd_checkauth
  2016-10-02 15:38:20,606 mod_sql/4.3[10728]: 'Backend' SQLAuthType handler reports failure

  
  proftpd.conf :
  Include /etc/proftpd/modules.conf

  DefaultAddress                  178.33.254.58
  SocketBindTight                 on
  UseIPv6            on
  IdentLookups         off
  ServerName         "ftp"
  ServerIdent         off
  ServerType         standalone
  DeferWelcome         on
  MultilineRFC2228      on
  #DefaultServer         on
  ShowSymlinks         on
  TimeoutNoTransfer      600
  TimeoutStalled         600
  TimeoutIdle         1200
  ListOptions                   "-l"
  DenyFilter         \*.*/
  DefaultRoot         ~
  RequireValidShell      off
  Port            21
  AllowForeignAddress      on
  MaxInstances         30
  User            proftpd
  Group            nogroup
  Umask            022  022
  AllowOverwrite         on

  TransferLog /var/log/proftpd/xferlog
  SystemLog   /var/log/proftpd/proftpd.log

  <IfModule mod_quotatab.c>
  QuotaEngine off
  </IfModule>

  <IfModule mod_ratio.c>
  Ratios off
  </IfModule>

  <IfModule mod_delay.c>
  DelayEngine on
  </IfModule>

  <IfModule mod_ctrls.c>
  ControlsEngine        off
  ControlsMaxClients    2
  ControlsLog           /var/log/proftpd/controls.log
  ControlsInterval      5
  ControlsSocket        /var/run/proftpd/proftpd.sock
  </IfModule>

  <IfModule mod_ctrls_admin.c>
  AdminControlsEngine off
  </IfModule>

  Include /etc/proftpd/sql.conf
  Include /etc/proftpd/tls.conf

  
  * sql.conf
  <IfModule mod_sql.c>
  SQLBackend   mysql
  SQLEngine on
  SQLAuthenticate on
  SQLAuthTypes Backend
  SQLConnectInfo proftpd at localhost proftpd XXXXXXXXXXXXX
  SQLUserInfo users userid passwd uid gid homedir shell
  SQLUserWhereClause "LoginAllowed = 'true'"
  SQLGroupInfo groups groupname gid members
  SQLAuthenticate users* groups*
  SQLLogFile /var/log/proftpd/sql.log
  SQLLog PASS updatecount
  SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" users
  SQLMinID 33
  SQLMinUserGID 33
  SQLMinUserUID 33
  SQLDefaultUID 33
  SQLDefaultGID 33

  <IfModule mod_auth_pam.c>
  AuthPAM off
  </IfModule>

  </IfModule>


  If i change SQLAuthTypes to PlainText and set plaintext password in users table, it works.
  I tried with sha-512 :
      LoadModule mod_sql_passwd.c
      SQLAuthTypes SHA512

  Generated a password and put it to an user in my mysql database :
      mkpasswd -m sha-512

  Then, tried to connect :
      2016-10-05 18:11:05,859 mod_sql/4.3[5030]: checking password using SQLAuthType 'sha512'
      2016-10-05 18:11:05,859 mod_sql/4.3[5030]: 'sha512' SQLAuthType handler reports failure

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/1630955/+subscriptions

More information about the Pkg-proftpd-maintainers mailing list