Password encryption algorithm used for SFTP user account

[rashmimaharana]

Hi @drakkan and Team,

I would like to know the password encryption algorithm used for sftp user account. In DB, its getting saved as plain text.
Can you please point to the code snippet for same. And also would like to know in any case the algorithm can be changed based on configuration or code changes required.

Thanks,
Rashmi Maharana

[drakkan]

I'm not sure to understand your question, password are stored hashed and not as plain text, for example:

• $2a$10$ZBTSAMWmm5hCupNkKmj0ouJfJGA5v/8g.Awdqa5YOb/ed.8I.dQp.
• $argon2id$v=19$m=102400,t=2,p=8$c3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzc3Nzcw$FgOHZkTvcgIJqemDyJCLuQ

SFTPGo uses bcrypt by default, you can also configure argon2id, take a look at the password_hashing struct here

[rashmimaharana]

Thanks @drakkan for the info :)

[drakkan]

I'm curious to understand why you wrote

In DB, its getting saved as plain text

I just tryed to manually write a password as plain text in the database and, as expected, it does not work, SFTPGo expects hashed passwords and not plain text ones.

[rashmimaharana]

Sorry my mistake, its getting saved as hashed value, you are right , but was little confused by seeing users table column property given below.
I wrongly mentioned plain text. Thanks for clearing the doubt.

password text COLLATE pg_catalog."default"

[drakkan]

ah ok, text is only the database type, I was suspecting some subtle bug, thanks for clarifying