<!-- $Id: mod_sql_passwd.html,v 1.8 2010/02/01 19:30:13 castaglia Exp $ --> <!-- $Source: /cvsroot/proftp/proftpd/doc/contrib/mod_sql_passwd.html,v $ --> <html> <head> <title>ProFTPD module mod_sql_passwd</title> </head> <body bgcolor=white> <hr> <center> <h2><b>ProFTPD module <code>mod_sql_passwd</code></b></h2> </center> <hr><br> <p> Many FTP sites use SQL databases for storing user accounts, including the user name and password. And while the <code>mod_sql</code> module provides support for some formats for the passwords stored in SQL databases, many sites have other formats which are <i>not</i> supported by <code>mod_sql</code>. These other formats often include MD5 or SHA1 passwords, base64-encoded or hex-encoded, <i>without</i> the prefix which is required by <code>mod_sql</code>'s "OpenSSL" <code>SQLAuthType</code>. <p> The <code>mod_sql_passwd</code> module provides support for some of these other formats. When the <code>mod_sql_passwd</code> module is enabled, you can configure <code>SQLAuthTypes</code> of "MD5", "SHA1", "SHA256", or "SHA512", as well as the existing types supported by <code>mod_sql</code>. <p> This module is contained in the <code>mod_sql_passwd.c</code> file for ProFTPD 1.3.<i>x</i>, and is not compiled by default. Installation instructions are discussed <a href="#Installation">here</a>; a discussion on <a href="#Usage">usage</a> is also available. <p> This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). <p> This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). <p> The most current version of <code>mod_sql_passwd</code> is distributed with ProFTPD. <h2>Author</h2> <p> Please contact TJ Saunders <tj <i>at</i> castaglia.org> with any questions, concerns, or suggestions regarding this module. <h2>Directives</h2> <ul> <li><a href="#SQLPasswordEncoding">SQLPasswordEncoding</a> <li><a href="#SQLPasswordEngine">SQLPasswordEngine</a> <li><a href="#SQLPasswordSaltFile">SQLPasswordSaltFile</a> <li><a href="#SQLPasswordUserSalt">SQLPasswordUserSalt</a> </ul> <hr> <h2><a name="SQLPasswordEncoding">SQLPasswordEncoding</a></h2> <strong>Syntax:</strong> SQLPasswordEncoding <em>encoding</em><br> <strong>Default:</strong> <em>hex</em><br> <strong>Context:</strong> "server config", <code><VirtualHost></code>, <code><Global></code><em></em><br> <strong>Module:</strong> mod_sql_passwd<br> <strong>Compatibility:</strong> 1.3.3rc2 and later <p> The <code>SQLPasswordEncoding</code> directive configures the encoding that <code>mod_sql_passwd</code> expects when handling password values retrieved from a SQL database. <p> The following <em>encoding</em> values are currently supported: <ul> <li>base64 <li>hex (<i>for lowercase hex values</i>) <li>HEX (<i>for uppercase hex values</i>) </ul> <p> If no <code>SQLPasswordEncoding</code> directive is configured, <code>mod_sql_passwd</code> will use "hex" by default. <hr> <h2><a name="SQLPasswordEngine">SQLPasswordEngine</a></h2> <strong>Syntax:</strong> SQLPasswordEngine <em>on|off</em><br> <strong>Default:</strong> <em>off</em><br> <strong>Context:</strong> "server config", <code><VirtualHost></code>, <code><Global></code> <strong>Module:</strong> mod_sql_passwd<br> <strong>Compatibility:</strong> 1.3.3rc2 and later <p> The <code>SQLPasswordEngine</code> directive enables or disables the module's registered <code>SQLAuthType</code> handlers. <hr> <h2><a name="SQLPasswordSaltFile">SQLPasswordSaltFile</a></h2> <strong>Syntax:</strong> SQLPasswordSaltFile <em>path|"none" ["prepend"|"append"]</em><br> <strong>Default:</strong> <em>none</em><br> <strong>Context:</strong> "server config", <code><VirtualHost></code>, <code><Global></code> <strong>Module:</strong> mod_sql_passwd<br> <strong>Compatibility:</strong> 1.3.3rc2 and later <p> The <code>SQLPasswordSaltFile</code> directive configures a file which contains salt data. This salt will be added to the digest, along with the password sent by the client. Note that the salt will be used for all users. <p> Since many editors will automatically add a newline when writing a file, the <code>mod_sql_passwd</code> file will automatically trim the last newline in the salt data, if there is one. This means that if your salt <b>must</b> end in a newline character, then your <code>SQLPasswordSaltFile</code> must contain "<i>salt</i>\n\n". <p> When using salted passwords, some systems will <i>prepend</i> the salt as a prefix to the data, and others will <i>append</i> the salt as a suffix. The optional second parameter to <code>SQLPasswordSaltFile</code> controls how this module will use the salt: <pre> SQLPasswordSaltFile /path/to/salt prepend </pre> tells <code>mod_sql_passwd</code> to prepend the salt as a prefix, and: <pre> SQLPasswordSaltFile /path/to/salt append </pre> will cause the salt to be appended as a sufix. <b>Note</b> that the default behavior is to <i>append</i> the salt as a suffix. <p> If no <code>SQLPasswordSaltFile</code> is configured, then no salting is done. <hr> <h2><a name="SQLPasswordUserSalt">SQLPasswordUserSalt</a></h2> <strong>Syntax:</strong> SQLPasswordUserSalt <em>"name"|source ["prepend"|"append"]</em><br> <strong>Default:</strong> <em>none</em><br> <strong>Context:</strong> "server config", <code><VirtualHost></code>, <code><Global></code> <strong>Module:</strong> mod_sql_passwd<br> <strong>Compatibility:</strong> 1.3.3 and later <p> The <code>SQLPasswordUserSalt</code> directive configures a per-user salt that will be added to the digest, along with the password sent by the client. <p> If <em>"name"</em> is specified, then the per-user salt data will be the name of the user logging in. Alternatively, you can configure a <code>SQLNamedQuery</code> which returns a single column of a single row, containing a string to use as the salt data, <i>e.g.</i>: <pre> SQLNamedQuery get-user-salt SELECT "salt FROM user_salts WHERE user_name = '%{0}'" SQLPasswordUserSalt sql:/get-user-salt </pre> <p> When using salted passwords, some systems will <i>prepend</i> the salt as a prefix to the data, and others will <i>append</i> the salt as a suffix. The optional second parameter to <code>SQLPasswordUserSalt</code> controls how this module will use the salt: <pre> SQLPasswordUserSalt name prepend </pre> tells <code>mod_sql_passwd</code> to prepend the salt as a prefix, and: <pre> SQLPasswordUserSalt name append </pre> will cause the salt to be appended as a sufix. <b>Note</b> that the default behavior is to <i>append</i> the salt as a suffix. <hr> <h2><a name="Installation">Installation</a></h2> The <code>mod_sql_passwd</code> module is distributed with ProFTPD. Simply follow the normal steps for using third-party modules in proftpd. The <code>mod_sql_passwd</code> module requires OpenSSL support, so you <b>must</b> use the <code>--enable-openssl</code> configuration option. <b>NOTE</b>: it is <b>important</b> that <code>mod_sql_passwd</code> appear <i>after</i> <code>mod_sql</code> in your <code>--with-modules</code> configure option: <pre> ./configure --enable-openssl --with-modules=mod_sql:mod_sql_passwd ... </pre> To build <code>mod_sql_passwd</code> as a DSO module: <pre> ./configure --enable-dso --enable-openssl --with-shared=mod_sql_passwd </pre> Then follow the usual steps: <pre> make make install </pre> <p> For those with an existing ProFTPD installation, you can use the <code>prxs</code> tool to add <code>mod_sql_passwd</code>, as a DSO module, to your existing server: <pre> # prxs -c -i -d mod_sql_passwd.c </pre> <hr> <h2><a name="Usage">Usage</a></h2> <p> The following examples demonstrate how the <code>mod_sql_passwd</code> can be used. <p> To configure <code>mod_sql_passwd</code> to handle MD5 passwords that are base64-encoded, use: <pre> <IfModule mod_sql_passwd.c> SQLPasswordEngine on SQLPasswordEncoding base64 </IfModule> <IfModule mod_sql.c> ... # Now that mod_sql_passwd is used, we can configure "MD5" as an # SQLAuthType that mod_sql will handle. SQLAuthTypes MD5 </IfModule> </pre> <p> To have <code>mod_sql_passwd</code> to handle hex-encoded (<i>and</i> in lowercase) passwords, use: <pre> <IfModule mod_sql_passwd.c> SQLPasswordEngine on SQLPasswordEncoding hex </IfModule> </pre> <p> And if for some reason your database values are stored as hex values in uppercase, you would use: <pre> <IfModule mod_sql_passwd.c> SQLPasswordEngine on SQLPasswordEncoding HEX </IfModule> </pre> <p> To use salted passwords, write the salt to use into a file, and configure the <code>mod_sql_passwd<code> module to use it: <pre> <IfModule mod_sql_passwd.c> SQLPasswordEngine on SQLPasswordEncoding hex SQLPasswordSaltFile /path/to/salt </IfModule> </pre> <p> <hr><br> Author: <i>$Author: castaglia $</i><br> Last Updated: <i>$Date: 2010/02/01 19:30:13 $</i><br> <br><hr> <font size=2><b><i> © Copyright 2009-2010 TJ Saunders<br> All Rights Reserved<br> </i></b></font> <hr><br> </body> </html>