Bug#965077: MySQL database with "SQLAuthTypes Backend" doesn't work anymore in buster

Andreas Trottmann andreas.trottmann at werft22.com
Wed Jul 15 18:11:45 BST 2020


Package: proftpd-mod-mysql
Version: 1.3.6-4+deb10u5
Tags: patch

I am using an admin tool that saves account information in a MySQL / 
MariaDB database and uses the "password()" function to obfuscate stored 
passwords.

This has been working "out of the box" in the Stretch version of ProFTPD 
using the configuration option "SQLAuthTypes Backend". It doesn't work 
anymore in the Buster version; users can't authenticate anymore.

Apparently, the function contrib/mod_sql_mysql.c tries to use an 
undocumented function of libmysqlclient to create the obfuscated 
password; it switches between my_make_scrambled_password, 
my_make_scrambled_password_323, make_scrambled_password and 
make_scrambled_password_323. It appears that in the Buster version of 
libmysqlclient, none of these are available and thus it can't ever 
create an obfuscated password from what the user logging in has provided.



Googling led me to a similar problem in pure-ftpd that had a patch here:

https://serverfault.com/questions/861176/pure-ftpd-mysql-wont-start-after-updating-mariadb-to-10-2

This patch basically recreates the function of the 
*make_scrambled_password* functions using the SHA-1 implementation in libmd.

I have modified this to apply to ProFTPD and attached the patch to this 
e-mail. In my tests, this has worked.

Kind regards

-- 
Andreas Trottmann
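
Added example, not part of the original e-mail or the attached patch: a Python sketch of the post-4.1 PASSWORD() format ('*' plus the uppercase hex of SHA-1 applied twice) that a "Backend" check has to reproduce once the client library no longer exports the scramble helpers. The function names, the UTF-8 encoding of the password and the sample rows are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Post-4.1 PASSWORD() output: '*' followed by 40 uppercase hex digits.
_HASH_41 = re.compile(r"^\*[0-9A-F]{40}$")
# Pre-4.1 ("_323") output: 16 hex digits; a weak legacy format, rejected here.
_HASH_323 = re.compile(r"^[0-9a-fA-F]{16}$")


def mysql41_password(cleartext: str) -> str:
    """Return what MySQL/MariaDB PASSWORD() yields in the 4.1+ format."""
    if cleartext == "":
        return ""  # PASSWORD('') is the empty string, not a hash
    # Assumption: the password bytes are UTF-8 (depends on connection charset).
    stage1 = hashlib.sha1(cleartext.encode("utf-8")).digest()
    stage2 = hashlib.sha1(stage1).hexdigest()
    return "*" + stage2.upper()


def check_backend_password(cleartext: str, stored: str) -> bool:
    """Compare a login password with a stored PASSWORD() column value."""
    stored = stored.strip()
    if _HASH_323.match(stored):
        raise ValueError("pre-4.1 hash format is not supported")
    if not _HASH_41.match(stored.upper()):
        return False  # empty, truncated or otherwise malformed value
    candidate = mysql41_password(cleartext)
    # Constant-time comparison of the two 41-character strings.
    return hmac.compare_digest(candidate.encode(), stored.upper().encode())


if __name__ == "__main__":
    # Constructed sample rows (user, stored hash); not from any real system.
    rows = [("alice", mysql41_password("password")),
            ("bob", mysql41_password("password")),
            ("carol", mysql41_password("s3cond-Example"))]
    for user, stored in rows:
        print(user, stored, check_backend_password("password", stored))
    # alice and bob print the same hash: the scheme is unsalted.
```

Because the format is unsalted double SHA-1, identical passwords produce identical column values, which is worth keeping in mind when deciding how long to keep accounts on this auth type.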


