In Fedora 15, the deprecated functions make_scrambled_password and make_scrambled_password_323 were removed from the mysql libraries to avoid namespace pollution. Their preferred replacements are the largely undocumented my_make_scrambled_password and my_make_scrambled_password_323. However, only my_make_scrambled_password is actually exported from the library (needed by pure-ftpd - Bug #690346); the my_make_scrambled_password_323 function remains hidden. Unfortunately, proftpd needs both of these functions (https://bugzilla.redhat.com/show_bug.cgi?id=718327#c8). Can my_make_scrambled_password_323 please be added to the exports list too?
Maybe this function can help http://fedora13.selfip.org/lcov/5.1/libmysql/password.c.gcov.html line: 108
The library includes the required function; it just doesn't export it.
I'm not thrilled with exporting such a legacy function --- 3.23-style passwords have been obsolete since mysql 4.1 came out, which was a long time ago. Does proftpd really need to support such things still? pure-ftpd evidently isn't bothering. Keep in mind that Oracle could cause any of these undocumented functions to disappear without notice, cf bug #736748. I've pestered them to clarify the support status of my_make_scrambled_password, in http://bugs.mysql.com/bug.php?id=62394 --- but my_make_scrambled_password_323 isn't even in the discussion there. If you really want to keep on using my_make_scrambled_password_323, I think you'd be well advised to try to get them to make it officially supported.
In proftpd it seems to be a hack for people with password hashes generated a long time ago. The code basically checks a hash using make_scrambled_password and if it's not the same as the expected hash, it checks again using make_scrambled_password_323. A comment along with this second check says "Try to work around MySQL's stupid handling of password length changes in 4.1, and the stupidity and whining of admins who cannot deal with those changes", and it logs a message "checking again using deprecated legacy MySQL password algorithm". So I guess I could just remove that second check altogether and thus remove the need for that function, at the risk of attracting some whining...
Hello, how can I save passwords in hashes?
(In reply to comment #5)
> Hello, how can I save passwords in hashes?
Passwords stored in databases are usually hashes, not the password itself, for security reasons. So to check a password, you (i.e. the application using the database) generate a hash using the same algorithm from the password a user has supplied and compare it with the stored hash in the database. If the hashes match, the supplied password is the same as the one used to generate the hash in the database. Prior to MySQL version 4.1, a different hash algorithm was used, so any stored passwords saved using an old version of MySQL wouldn't match when checked using a current version of the algorithm. The make_scrambled_password_323 function could be used in such cases to check passwords using the old algorithm, but that option is no longer available now.
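The check-then-fall-back comparison described in the comments above, as an added example that is not part of the original thread and is not proftpd's or MySQL's code. It reimplements the two hash formats in Python instead of calling libmysql; the function names and sample accounts are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

def mysql41_hash(password: str) -> str:
    """MySQL 4.1+ format: '*' followed by uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def mysql323_hash(password: str) -> str:
    """Pre-4.1 format: 16 hex digits from a non-cryptographic mixing loop."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for byte in password.encode():
        if byte in (0x20, 0x09):  # the old algorithm ignores spaces and tabs
            continue
        nr ^= ((((nr & 63) + add) * byte) + (nr << 8)) & 0xFFFFFFFF
        nr2 = (nr2 + (((nr2 << 8) & 0xFFFFFFFF) ^ nr)) & 0xFFFFFFFF
        add = (add + byte) & 0xFFFFFFFF
    # The sign bit of each 32-bit word is dropped before formatting.
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)

def check_password(supplied: str, stored: str) -> Optional[str]:
    """Return the scheme that matched ('mysql41' or 'mysql323'), or None."""
    stored_b = stored.encode()
    # First attempt: current algorithm, compared in constant time.
    if hmac.compare_digest(mysql41_hash(supplied).encode(), stored_b.upper()):
        return "mysql41"
    # Second attempt: deprecated algorithm, only reached when the first fails.
    if hmac.compare_digest(mysql323_hash(supplied).encode(), stored_b.lower()):
        return "mysql323"
    return None

# Constructed sample accounts (user -> stored hash); not from any real system.
SAMPLE_USERS = {
    "alice": mysql41_hash("correct horse"),
    "bob": mysql323_hash("correct horse"),  # hash created before MySQL 4.1
}

def legacy_accounts(logins):
    """Users whose login succeeded only through the legacy check."""
    return [user for user, pw in logins
            if check_password(pw, SAMPLE_USERS.get(user, "")) == "mysql323"]

if __name__ == "__main__":
    attempts = [("alice", "correct horse"), ("bob", "correct horse"), ("bob", "wrong")]
    print("accounts still on 3.23-style hashes:", legacy_accounts(attempts))
```

Returning the matched scheme rather than a bare yes/no lets an administrator list the accounts that still depend on the old format and re-hash them at next login.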
proftpd has made a change upstream to check for the make_scrambled_password_323 function and not attempt to use it unless it's available. This appears to have resolved Bug 718327 so I no longer need this.