From 7dd03ee24ef781a49c24930fe759602b53da62a9 Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Mon, 29 Jul 2019 09:20:33 +0200
Subject: [PATCH] document bcrypt support
---
 README.md | 2 +-
 dataprovider/sqlcommon.go | 9 +++------
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 451f1f12..bbe8fecc 100644
--- a/README.md
+++ b/README.md
@@ -137,7 +137,7 @@ Here is a full example showing the default config:
 For each account the following properties can be configured:
 - `username`
-- `password` used for password authentication. The password will be stored using argon2id hashing algo
+- `password` used for password authentication. For users created using SFTPGo REST API the password will be stored using argon2id hashing algo. SFTPGo supports checking passwords stored with bcrypt too. Currently, as fallback, there is a clear text password checking but you should not store passwords as clear text and this support could be removed at any time, so please don't depend on it.
 - `public_key` used for public key authentication. At least one between password and public key is mandatory
 - `home_dir` The user cannot upload or download files outside this directory. Must be an absolute path
 - `uid`, `gid`. If sftpgo runs as root then the created files and directories will be assigned to this system uid/gid. Ignored on windows and if sftpgo runs as non root user: in this case files and directories for all SFTP users will be owned by the system user that runs sftpgo.
diff --git a/dataprovider/sqlcommon.go b/dataprovider/sqlcommon.go
index b99c9a16..93fd08da 100644
--- a/dataprovider/sqlcommon.go
+++ b/dataprovider/sqlcommon.go
@@ -46,15 +46,12 @@ func sqlCommonValidateUserAndPass(username string, password string) (User, error
 logger.Warn(logSender, "error comparing password with argon hash: %v", err)
 return user, err
 }
-
- } else if strings.HasPrefix(user.Password, bcryptPwdPrefix){
- err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
- if err != nil {
+ } else if strings.HasPrefix(user.Password, bcryptPwdPrefix) {
+ if err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)); err != nil {
 logger.Warn(logSender, "error comparing password with bcrypt hash: %v", err)
 return user, err
- }else{
- match = true
 }
+ match = true
 } else {
 // clear text password match
 match = (user.Password == password)
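Review bot: The clear-text fallback in the final `else` of this hunk compares the stored value with `==`, which is not a constant-time comparison and is reached for every stored password that carries neither the argon2 nor the bcrypt prefix. While the fallback remains, `match = subtle.ConstantTimeCompare([]byte(user.Password), []byte(password)) == 1` would be the safer form; it needs `crypto/subtle` in the import block, which is outside the hunk. In the rewritten bcrypt branch an ordinary wrong password (`bcrypt.ErrMismatchedHashAndPassword`) is logged with the same "error comparing password with bcrypt hash" warning as a malformed stored hash, so failed logins and corrupt records cannot be told apart in the log; testing for that sentinel with `errors.Is` before logging would separate them. The body of sqlCommonValidateUserAndPass starts and ends outside the hunk, so how `match` and the returned `user` are used on failure should be confirmed there.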