Go Back   FlashFXP Forums > > > >

! Requests Need a script or some sort of cool .bat file ? Ask here!

Reply
 
Thread Tools Rate Thread Display Modes
Old 09-19-2005, 11:51 AM   #1
freak007
Member
ioFTPD Foundation User
 
Join Date: Jun 2003
Posts: 69
Talking Crypting UserIdTable

I wanted to ask if it is possible to crypt the UserIdTable file so nobody can see which users are added to the ftp except they have axx to the ftp and to the site users command.

Thanks for any answer to my question.

Best regards

freak007
freak007 is offline   Reply With Quote
Old 09-19-2005, 12:02 PM   #2
tuff
Senior Member
FlashFXP Registered User
ioFTPD Scripter
 
Join Date: Jan 2003
Posts: 277
Default

sure, if you create a crypted partition, or a crypted container and run ioftpd from there
__________________
#iotools #ioftpd (both on efnet)
tuff is offline   Reply With Quote
Old 09-19-2005, 12:13 PM   #3
freak007
Member
ioFTPD Foundation User
 
Join Date: Jun 2003
Posts: 69
Default

no possibility of a script or something ?
freak007 is offline   Reply With Quote
Old 09-19-2005, 01:32 PM   #4
Harm
Too much time...
Ultimate Scripter
 
Join Date: Jul 2003
Posts: 1,430
Default

Why would you need a script to do something that's built into your operating system ? Encrypt the file within windows and make sure that the account used to run ioFTPD can read it.
Harm is offline   Reply With Quote
Old 09-19-2005, 10:02 PM   #5
_panic_
Senior Member
Ultimate Scripter
 
Join Date: Jul 2005
Posts: 153
Default

Quote:
Originally Posted by freak007
no possibility of a script or something ?
there aren't currently any scripting hooks in ioFTPD to crypt the user table. in theory, one could write a UserModule (see the [Modules] section of ioftpd.ini for a commented out reference to the mythical networkuser.dll file.), but a quick search of the forums doesn't turn up much about how to actually do this.

can someone point me to a script that requires a custom .dll module? or does everything use the internal event handler?
_panic_ is offline   Reply With Quote
Old 09-20-2005, 12:20 AM   #6
neoxed
Too much time...
FlashFXP Beta Tester
ioFTPD Scripter
 
Join Date: May 2003
Posts: 1,326
Default

The module system was never really documented, just a few dated (mostly vague) threads. Even if one managed to write a module, encrypting the UserIdTable would end up being more of a nuisance in the long run.

For example, if the user names were encrypted with symmetric cipher you would need an encryption key. This introduces new problems, where will the key be stored? If the key is defined in the ioFTPD.ini, all the intruder has to do is grab the key along with the UserIdTable to decrypt it. Alternatively, you could have ioFTPD prompt you for the key on start-up, but this destroys the purpose of a daemon (a background task that does not require user interaction).

Now, if one took the time to develop a realistic threat model, encrypting user names would be the least of your worries. Think about all the other points of entry and threats (e.g. uneducated and untrustworthy users).

In my opinion, Harm's idea (using NTFS’s encryption and ACL functionality) is probably sufficient.
neoxed is offline   Reply With Quote
Old 09-20-2005, 03:17 AM   #7
JoC
Member
FlashFXP Registered User
ioFTPD Foundation User
 
Join Date: Feb 2004
Posts: 76
Default

Quote:
Originally Posted by _panic_
can someone point me to a script that requires a custom .dll module? or does everything use the internal event handler?
I think the old ioShareDB used a custom dll but it isnt uploaded on the new site.
http://www.inicom.net/forum/showthre...ghlight=shared
JoC is offline   Reply With Quote
Old 09-20-2005, 01:34 PM   #8
_panic_
Senior Member
Ultimate Scripter
 
Join Date: Jul 2005
Posts: 153
Default

Quote:
Originally Posted by neoxed
In my opinion, Harm's idea (using NTFS’s encryption and ACL functionality) is probably sufficient.
your point about encrypting the on-disk userfile as being a nuisance (or just futile) are true. i made the mistake of ignoring the advice "just because you can, doesn't mean you should." which does apply in this case.

in fact, you don't even need to attack the encryption itself, as you could use a debugger to watch the calls between ioftpd and the UserModule, which would give you complete access to the information as soon as ioftpd initialized.

regardless, i think the ability to write a UserModule hook, regardless of the utility for this particular case, is good information to have. the example on this thread of ioShareDB being a perfect example of something that would never be in core ioftpd but could still be useful nonetheless.
_panic_ is offline   Reply With Quote
Reply

Tags
command, ftp, site, useridtable, users

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 02:27 PM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)