How can ProFTPD read the password encrypted by the MySQL ENCRYPT() function?

I installed ProFTPD so that it uses the mod_sql_mysql backend. Everything worked fine until I inserted the users into the SQL database. For this, I used the following query:

 INSERT INTO `auth`.`users` (`userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`) VALUES ('username', ENCRYPT('bluefish'), '999', '999', '/dev/zero', '/bin/laden'); 

I can log in to my account just fine, but I really don't understand how ProFTPD reads the encrypted password "bluefish", because MySQL uses a random salt if no salt is provided. This should result in a different output of ENCRYPT('bluefish') every time ProFTPD uses the MySQL server to check whether the password for an entry in the database matches.

Everything works perfectly. How can ProFTPD know which salt has been used?

+4
1 answer

ProFTPD does not need to know what the salt is.

According to the MySQL documentation, ENCRYPT uses the Unix implementation of crypt() (DES). As you indicated, if a salt is not provided, a random salt is selected. According to the man pages:

The returned value points to the encrypted password, a series of 13 printable ASCII characters (the first two characters represent the salt itself).

You can verify this yourself by doing, for example:

 SELECT ENCRYPT('blowfish');

which returns:

 201GDb8Aj8RGU 

If you run

 SELECT ENCRYPT('blowfish', '201GDb8Aj8RGU');

You will get the same result, 201GDb8Aj8RGU. Only the first two characters are used as the salt.

It will be a little clearer if you provide your salt, for example:

 SELECT ENCRYPT('blowfish', 'rb');

Return value:

 rbMle0EHJVXcI
 ^^

The salt is now much more obvious.

+1
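The check the answer describes, written out as queries. This is an added example, not part of the original answer and not ProFTPD's own code. It assumes the `auth.users` row from the question, a MySQL server that still provides ENCRYPT() (the function was removed in MySQL 8.0.3), and a platform crypt() that uses traditional DES for two-character salts.

```sql
-- Added example; table and values are the ones used in the question.

-- The stored value carries its own salt in the first two characters.
SELECT userid,
       LEFT(passwd, 2)      AS salt,
       SUBSTRING(passwd, 3) AS des_output
FROM auth.users
WHERE userid = 'username';

-- Verification: hash the candidate with the stored value as the salt
-- argument (only its first two characters are used) and compare the result
-- with the stored value. No separate salt column is needed.
SELECT userid,
       passwd = ENCRYPT('bluefish', passwd) AS correct_password_matches,
       passwd = ENCRYPT('redfish',  passwd) AS wrong_password_matches
FROM auth.users
WHERE userid = 'username';

-- Limitation to check on your own system: traditional DES crypt() reads
-- only the first eight characters of the password, so a longer candidate
-- that shares the stored password's first eight characters is tested here.
SELECT userid,
       passwd = ENCRYPT('bluefish-with-a-suffix', passwd) AS long_candidate_matches
FROM auth.users
WHERE userid = 'username';
```

If the last query reports a match, the hash ignores everything past the eighth character, which together with the two-character salt is a reason to move stored passwords to a stronger scheme.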

Source: https://habr.com/ru/post/1493957/