Providing online password modification for Serv-U

Source: Internet
Author: User

For day-to-day work, our unit set up an FTP server with Serv-U. After taking it over I found a very serious problem: the FTP server is open to the outside, yet a surprising number of users have no password. If everyone were forced to set a password, and passwords had to be set on the server itself, wouldn't everyone have to tell the administrator their password? After all, many people habitually use the same password everywhere. What to do? The best approach is to provide a web page where users can change their password themselves.

No sooner said than done. A search online showed that one approach is to use the ODBC feature that Serv-U itself provides: store the passwords in a database and implement password changes by operating on the database directly. On examination, this approach is not very feasible here. The FTP server has been running for a year and has nearly 60 users, so migrating the users from the INI file to a database carries a relatively high risk of error; operating on the INI file directly is simpler.

The first step is to figure out how Serv-U stores user information in the INI file and how the password is encrypted. The INI file structure is fairly simple: to change a password, find the [USER=@UserID|1] section and modify the value of the Password key under it. @UserID is the user's login ID.

    [global]
    version=6.1.0.5
    packettimeout=300

    [domain1]
    user1=
    user2=
    user3=

    [USER=ABC|1]
    password=nie383dc3710266ecae04a6b3a18a2966d
    homedir=d:\
    alwaysallowlogin=1
    changepassword=1
    timeout=600
    note1="Wizard generated account"
    access1=d:\

The user password encryption method can be found in the Knowledge Base on the Serv-U official website:

  http://rhinosoft.com/KBArticle.asp?RefNo=1177&prod=su
Manually Entering Encrypted Passwords into the ServUDaemon.ini File
To generate an encrypted password, two random characters (the 'salt' - in the range a..z, A..Z) are added to the beginning of the clear-text password. This is then hashed using MD5 and the resulting hash is hex-encoded. The result is written as plain-text starting with the 2 salt characters followed by the hex-encoded hash.

For a user account in the .ini file, this will look like:

Password=cb644FB1F31184F8D3D169B54B3D46AB1A

The salt is the string "cb" and the MD5 hash is "644FB1F31184F8D3D169B54B3D46AB1A".

When verifying a user's password, Serv-U will do the same. It parses the salt from the user's stored password (i.e. "cb" in this case), prepends it to the password the user sent to it by the client, MD5 hashes it, and compares the result with the stored hash. If the values are equal, then the entered password is correct.

In other words: two letters are generated at random and concatenated with the password, the MD5 value of the result is computed, and the random letters are placed in front of the MD5 value. That string is the encrypted password.
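
An added example, not part of the original article and not Serv-U's own code: a Python audit of a ServUDaemon.ini in the layout shown above. It flags accounts that have no password or whose value is not in the salt-plus-MD5 format, and checks a password the way the KB text describes. The sample file, user names and function names are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets
import string

USER_SECTION = re.compile(r"^\[USER=([^|\]]+)\|\d+\]$", re.IGNORECASE)
HASH_FORMAT = re.compile(r"^[A-Za-z]{2}[0-9A-Fa-f]{32}$")  # 2 salt letters + hex MD5

def servu_hash(password, salt=None):
    """Return salt + upper-case hex MD5(salt + password), as the KB text describes."""
    if salt is None:
        salt = "".join(secrets.choice(string.ascii_letters) for _ in range(2))
    # UTF-8 matches the article's C# code; the KB text does not name an encoding.
    return salt + hashlib.md5((salt + password).encode("utf-8")).hexdigest().upper()

def verify(stored, candidate):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    if not HASH_FORMAT.match(stored):
        return False
    expected = servu_hash(candidate, stored[:2])
    return hmac.compare_digest(expected.upper(), stored.upper())

def audit(ini_text):
    """Map each [USER=name|n] section to 'ok', 'no-password' or 'malformed'."""
    findings, user = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = USER_SECTION.match(line)
            user = match.group(1) if match else None
            if user is not None:
                findings[user] = "no-password"  # until a Password value is seen
        elif user is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "password" and value:
                findings[user] = "ok" if HASH_FORMAT.match(value) else "malformed"
    return findings

# Constructed sample in the layout shown above; not taken from a real server.
SAMPLE_INI = f"""[GLOBAL]
Version=6.1.0.5
[USER=alice|1]
Password={servu_hash('constructed-example', 'ab')}
[USER=bob|1]
HomeDir=d:/
[USER=carol|1]
Password=plaintext-left-in-file
"""
```

Running `audit()` over the real file before and after rolling out the password page shows which accounts still need a password set.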

Next, based on the analysis above, we can write the program that implements online modification.

  1 /// <summary>
  2 /// Gets the MD5 value of the specified string
  3 /// </summary>
  4 /// <param name="strContent"></param>
  5 /// <returns></returns>
  6 public string MD5(string strContent)
  7 {
  8     System.Security.Cryptography.MD5 md5 = new System.Security.Cryptography.MD5CryptoServiceProvider();
  9     byte[] bytes = System.Text.Encoding.UTF8.GetBytes(strContent);
 10     bytes = md5.ComputeHash(bytes);
 11     md5.Clear();
 12     string ret = "";
 13     for (int i = 0; i < bytes.Length; i++)
 14     {
 15         ret += Convert.ToString(bytes[i], 16).PadLeft(2, '0');
 16     }
 17     return ret.PadLeft(32, '0').ToUpper();
 18 }
 19
 20
 21 /// <summary>
 22 /// Generates a random string of length 2
 23 /// </summary>
 24 /// <returns></returns>
 25 public string GetRandomString()
 26 {
 27     string strReturn = "";
 28     Random ran = new Random();
 29     strReturn += Convert.ToChar(ran.Next(26) + 'a').ToString();
 30     strReturn += Convert.ToChar(ran.Next(26) + 'a').ToString();
 31     return strReturn;
 32 }
 33
 34 // Generates the encrypted password from the given random letters and the login password
 35 public string CreateCryPassword(string strFrontChars, string strPassword)
 36 {
 37     return strFrontChars + MD5(strFrontChars + strPassword).ToUpper().Trim();
 38 }
 39
 40 /// <summary>
 41 /// Click event of the "Modify password" button; the password is changed in this event
 42 /// </summary>
 43 /// <param name="sender"></param>
 44 /// <param name="e"></param>
 45 private void btnModifyPwd_Click(object sender, System.EventArgs e)
 46 {
 47     string strUserID = txtLoginID.Text;
 48     if (strUserID == String.Empty)
 49     {
 50         controlMessage.InnerHtml = "User name cannot be empty";
 51         return;
 52     }
 53
 54     // Check that the two entries of the new password are the same
 55     if (txtNewPassword.Text != txtConfirmPassword.Text)
 56     {
 57         controlMessage.InnerHtml = "The two passwords entered do not match, please re-enter";
 58         return;
 59     }
 60
 61     IniFile ini = new IniFile(_strservudaemonpath);
 62     string strSectionValue = "USER=" + strUserID.Trim() + "|1";
 63
 64     // Read the HomeDir of the specified user to determine whether the user exists
 65     if (ini.ReadString(strSectionValue, "HomeDir", "") == "")
 66     {
 67         controlMessage.InnerHtml = "The specified user does not exist";
 68         return;
 69     }
 70
 71     // Start checking whether the old password is correct
 72     string strPassword = ini.ReadString(strSectionValue, "Password", "");
 73
 74     string strPasswordFrontTwoChars;
 75     bool bPasswordRight = false;
 76     if (strPassword.Length > 2)
 77     {
 78         // Read the random letters (salt) contained in the stored password
 79         strPasswordFrontTwoChars = strPassword.Substring(0, 2);
 80         if (CreateCryPassword(strPasswordFrontTwoChars, txtOldPassword.Text) == strPassword)
 81         {   // Password matches
 82             bPasswordRight = true;
 83         }
 84         else
 85         {   // Password does not match
 86             bPasswordRight = false;
 87         }
 88     }
 89     else if (strPassword == txtOldPassword.Text) // The original password is empty
 90     {
 91         bPasswordRight = true;
 92     }
 93     else
 94     {
 95         bPasswordRight = false;
 96     }
 97
 98     if (bPasswordRight)
 99     {
100         // Password is correct: write the new password, and have the new settings reloaded automatically so that the change takes effect
101         ini.WriteString(strSectionValue, "Password", CreateCryPassword(GetRandomString(), txtNewPassword.Text));
102         controlMessage.InnerHtml = "Password modification complete";
103     }
104     else
105     {
106         controlMessage.InnerHtml = "Original password is incorrect";
107     }
108
109 }

The _strservudaemonpath variable in the code above holds the path to the ServUDaemon.ini file; it can be read from the Web.config settings in the Page_Load event.

But this is not the end of the story. Testing revealed a serious problem: after the password is changed, the new password only takes effect once Serv-U is restarted. That makes the page practically useless; the administrator cannot sit there restarting the server all the time just so that password changes take effect.

Back to Serv-u's official knowledge Base, the following article was found:

Manually updating the Servudaemon.ini File
Whenever changes are made directly to the Servudaemon.ini file, add the following line under the Global area in the ini fi Le.

Reloadsettings=true

Serv-u regularly checks the INI file for this setting. If It is present, serv-u'll refresh all stored settings for every domain on the server. This allows serv-u to recognize the changes without have to be restarted.

After serv-u loads the changes, it removes the "reloadsettings=true" entry. This is allows to enter the it again next time any changes are made.

That is, whenever you add a key reloadsettings to the INI file's global section and set its value to True, you can automatically update the password after you modify it. So just modify the original code, insert the following code between lines 101 and 102:

Ini. WriteString ("GLOBAL", "reloadsettings", "True");

Here, a Web page that modifies the serv-u password is complete.

The Inifile in the program is a class that encapsulates the API's operations on the INI file, and only needs to be read and written to the string.


