FTP Passwords lost after system update

Off-topic: Please avoid using Ubuntu 19.04 as it has a short life span of only 9 months. Please use LTS releases instead, as they have 5-year life cycle and are mostly bug-free.

Short term releases get very less priority in terms of bug fixes, except for security issues.

Ref: https://wiki.ubuntu.com/DiscoDingo/ReleaseNotes

Hi @geschke

So I entered the password again in the BackWPup job target tab and started the job. This was successful, so the main problem was solved. But I would like to understand the reason.

It because of you entered a wrong password to BackWPUp job setting, so after entering the correct one, it works ??

I personally agree with you notice about Ubuntu 19.04, on the server environment, better use LTS version of Ubuntu ??

Hi @duongcuong96 !

No, the password was correct. Maybe I had to explain it better: The system was an Ubuntu 18.10 version, it ran successfully since several months – WordPress, the plugins and everything, especially BackWPup. I didn’t change the password in the BackWPup jobs (there were two jobs with two different FTP targets). The passwords were saved in the BackWPup configuration, and with the same passwords the login was successful in the last few months. But after the update they didn’t work anymore.

After entering the same passwords again, the logins were successful again. So I guess that password storage in BackWPup is dependent on the underlying system, some libraries or something else? Maybe because of encrypting the passwords?

@pothi Thanks for your remark, but I know the release cycle of LTS and normal versions, so please let me use the version I prefer. I have optimized the update process, it’s a one-liner with the help of Docker, and I like to use the latest libraries. It isn’t an enterprise deployment, so back to topic. ??

Got your point. Thanks for the details. Just now, I noticed that you have a strong devops background. No wonder you know what you are doing. ?? I’d appreciate if you share more info on your environment after this topic is resolved.

I also would like to know (from the plugin author) on why the passwords became void after the change in underlying environment. This seems to be an interesting issue.

@pothi Thank you for your nice comment! ?? And although this is off-topic, I’ve written an some articles about my installation (sorry, German only, maybe Google translate can help): https://www.kuerbis.org/2018/04/howto-wordpress-im-docker-swarm-mode-mit-nginx-proxy-auf-einem-host/

In the last section the update is described – the command is:
docker service update –image <name_of_new_image> <service_name>, e.g.
docker service update –image geschke/php-fpm-swrm geschkename_phpbackend_geschkename

If you have questions, don’t hesitate to drop me a mail or use the feedback formular on my website.

Kind regards,
Ralf

Thank you. A lot of digest. I will go through one by one. Appreciate all the info provided here and in the blog. I will contact you via email or contact form if I have any further questions.

Thanks again,
Pothi.

I think I found the reason. In the class BackWPup_Encryption_OpenSSL BackWPup tries to detect cipher methods of OpenSSL (method cipher_method() ) . This is later used to encrypt and decrypt all kinds of passwords in BackWPup. I tested the previous version (Ubuntu 18.04 image) vs. current version (Ubuntu 19.04 image). The Dockerfile to generate the image did not change, I’ve just set a new base image (FROM ubuntu:disco instead of ubuntu:bionic).

Here is the output of some tests of the 18.04 version:

root@dc48b862fbd2:/phptest# php -v
PHP 7.2.10-0ubuntu0.18.04.1 (cli) (built: Sep 13 2018 13:45:02) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.10-0ubuntu0.18.04.1, Copyright (c) 1999-2018, by Zend Technologies

root@dc48b862fbd2:/phptest# php -i | grep -i openssl
SSL Version => OpenSSL/1.1.0g
openssl
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.1.0g 2 Nov 2017
OpenSSL Header Version => OpenSSL 1.1.0g 2 Nov 2017
Openssl default config => /usr/lib/ssl/openssl.cnf
openssl.cafile => no value => no value
openssl.capath => no value => no value
Native OpenSSL support => enabled

So OpenSSL is enabled and should work.

Then I extracted the code fragment of cipher_method():

At first, a list of all cipher methods is created by openssl_get_cipher_methods(). After that, BackWPup tries to match one of three “preferred methods”:

$preferred = array( 'AES-256-CTR', 'AES-128-CTR', 'AES-192-CTR' );

If one of these methods, i.e. strings is found in the list, it will be returned and stored as class property.

With the above version the first found method is AES-256-CTR.

Now the results of the newer Ubuntu 19.04 image:

root@d894c15e6329:/phptest# php -v
PHP 7.2.17-0ubuntu0.19.04.1 (cli) (built: Apr 18 2019 18:01:25) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.2.17-0ubuntu0.19.04.1, Copyright (c) 1999-2018, by Zend Technologies

root@d894c15e6329:/phptest# php -i | grep -i openssl
SSL Version => OpenSSL/1.1.1b
libSSH Version => libssh/0.8.6/openssl/zlib
openssl
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.1.1b 26 Feb 2019
OpenSSL Header Version => OpenSSL 1.1.1b 26 Feb 2019
Openssl default config => /usr/lib/ssl/openssl.cnf
openssl.cafile => no value => no value
openssl.capath => no value => no value
Native OpenSSL support => enabled

OpenSSL is enabled again, the versions are updated, This seems ok again.

But when I run the test with this version, nothing is returned! None of the “preferred methods” is found.
In this case BackWPup uses the first cipher method found in the list – in my case it is “aes-128-cbc“.

So decrypting a password which was encrypted with a different cipher must go wrong.

The reason is that the upperclass versions of cipher names are missing. This is a known issue (or bug?) with OpenSSL 1.1.1, see https://www.php.net/manual/de/function.openssl-get-cipher-methods.php, first comment, and more on https://github.com/oerdnj/deb.sury.org/issues/990 and the referenced issues.

Maybe this helps if somebody runs into similar problems after updating OpenSSL.

Kind regards,
Ralf

That was some deep troubleshooting. Thanks for sharing all the info.

@geschke Thank you very much for the detailed report.
I already created an issue to our devs, will back to you all when I have something new.