dataprovider: remove clear text password checking
passwords must be stored using argon2id or bcrypt
parent
0bcc97aef6
commit
9d342cb125
2 changed files with 1 additions and 4 deletions
|
@ -219,7 +219,7 @@ sftpgo serve
|
|||
For each account the following properties can be configured:
|
||||
|
||||
- `username`
|
||||
- `password` used for password authentication. For users created using SFTPGo REST API the password will be stored using argon2id hashing algo. SFTPGo supports checking passwords stored with bcrypt too. Currently, as fallback, there is a clear text password checking but you should not store passwords as clear text and this support could be removed at any time, so please don't depend on it.
|
||||
- `password` used for password authentication. For users created using SFTPGo REST API the password will be stored using argon2id hashing algo. SFTPGo supports checking passwords stored with bcrypt too.
|
||||
- `public_keys` array of public keys. At least one public key or the password is mandatory.
|
||||
- `home_dir` The user cannot upload or download files outside this directory. Must be an absolute path
|
||||
- `uid`, `gid`. If sftpgo runs as root system user then the created files and directories will be assigned to this system uid/gid. Ignored on windows and if sftpgo runs as non root user: in this case files and directories for all SFTP users will be owned by the system user that runs sftpgo.
|
||||
|
|
|
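Review bot: The rewritten `password` bullet drops the clear-text fallback sentence without telling operators what happens to accounts that still hold a clear-text password. After this commit those logins fail with "Invalid credentials", so the bullet should state that only argon2id and bcrypt hashes are accepted and that any clear-text entries must be re-set (for example through the REST API, which the same bullet says stores argon2id) before upgrading. While touching this line, "hashing algo" could be spelled out as "hashing algorithm".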
@ -272,9 +272,6 @@ func checkUserAndPass(user User, password string) (User, error) {
|
|||
return user, err
|
||||
}
|
||||
match = true
|
||||
} else {
|
||||
// clear text password match
|
||||
match = (user.Password == password)
|
||||
}
|
||||
if !match {
|
||||
err = errors.New("Invalid credentials")
|
||||
|
|
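Review bot: With the `else` branch removed from `checkUserAndPass`, a stored password that matches none of the remaining hash branches reaches `if !match` with whatever value `match` was given at declaration, which is outside this hunk. Please confirm it is initialised to `false` so an unrecognised format fails closed. It would also help to log a distinct server-side message when the stored value is in no supported hash format, while still returning the generic "Invalid credentials" to the client, so operators can find legacy clear-text accounts after upgrading. No test change is visible here; a case asserting that a clear-text stored password is now rejected would lock the behaviour in.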