Where Does FileZilla Server Store User Credentials (Usernames & Passwords)?


FileZilla Server stores its user authentication data in an XML configuration file by default. The exact location depends on your installation:

<!-- Windows default location -->
C:\Program Files (x86)\FileZilla Server\FileZilla Server.xml

<!-- Linux default location (if installed via package manager) -->
/etc/filezilla-server/

Here's a sample structure showing how credentials are stored (passwords are hashed):

<Users>
  <User Name="ftpuser1">
    <Option Name="Pass">hashed_password_value</Option>
    <Option Name="Group">ftpgroup</Option>
    <Option Name="Bypass server userlimit">0</Option>
    <Permissions>
      <Permission Dir="C:\ftp\user1">
        <Option Name="FileRead">1</Option>
        <Option Name="FileWrite">1</Option>
        <Option Name="FileDelete">1</Option>
        <Option Name="FileAppend">1</Option>
      </Permission>
    </Permissions>
  </User>
</Users>

FileZilla Server uses SHA-512 with salt for password hashing. Here's how to verify a password programmatically in Python:

import base64
import hashlib
import hmac

def verify_filezilla_password(password, stored_hash):
    # Stored value is base64(salt || digest); the first 16 bytes are the salt
    decoded = base64.b64decode(stored_hash)
    salt = decoded[:16]
    stored_digest = decoded[16:]

    # Hash the input password with the same salt
    sha512 = hashlib.sha512()
    sha512.update(salt + password.encode('utf-16le'))
    computed_digest = sha512.digest()

    # Constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(computed_digest, stored_digest)

# Example usage
stored_value = "base64_encoded_salt_and_hash"  # placeholder for the value taken from the XML
password = "test123"
print(verify_filezilla_password(password, stored_value))

For enterprise environments, you can configure FileZilla Server to use external authentication:

<!-- Example of SQL authentication configuration -->
<Option name="Authentication">
  <SQLite>
    <Database>user_credentials.db</Database>
    <UserTable>users</UserTable>
    <UserColumn>username</UserColumn>
    <PasswordColumn>password</PasswordColumn>
  </SQLite>
</Option>

When dealing with FileZilla Server credentials:

• Restrict read access to the configuration file
• Consider using Windows authentication integration instead of local accounts
• Regularly audit user permissions
• Implement proper file system permissions for the XML file

To programmatically extract user data from the XML file (Python example):

import xml.etree.ElementTree as ET

def extract_users(xml_file):
    tree = ET.parse(xml_file)
    root = tree.getroot()  # <FileZillaServer> in the real file, with <Users> beneath it

    users = []
    for user in root.findall('Users/User'):
        pass_opt = user.find("Option[@Name='Pass']")
        user_data = {
            'name': user.get('Name'),
            # The option may be absent or empty; avoid an AttributeError on .text
            'password_hash': pass_opt.text if pass_opt is not None else None,
            'permissions': []
        }

        for perm in user.findall('Permissions/Permission'):
            user_data['permissions'].append({
                'directory': perm.get('Dir'),
                'rights': {opt.get('Name'): opt.text for opt in perm.findall('Option')}
            })

        users.append(user_data)
    return users

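The list above recommends restricting read access to the configuration file and regularly auditing user permissions. The script below turns that advice into a runnable check: it parses the <Users> section in the layout shown above, reports which accounts can write or delete in which directories, flags accounts with no password hash at all, and (on POSIX hosts) tests whether the XML file is world-readable. It is an added example, not code from either answer or from the FileZilla project; the sample configuration, account names and paths are constructed placeholders, and the directory-level option names not shown above (DirCreate, DirDelete) are assumed from FileZilla Server 0.9.x configurations.

```python
"""Audit a FileZilla Server 0.9.x style configuration (added example)."""
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample in the layout quoted above. Names, paths and the hash
# value are placeholders, not real credentials.
SAMPLE_CONFIG = r"""<FileZillaServer>
  <Users>
    <User Name="ftpuser1">
      <Option Name="Pass">hashed_password_value</Option>
      <Option Name="Group">ftpgroup</Option>
      <Permissions>
        <Permission Dir="C:\ftp\user1">
          <Option Name="FileRead">1</Option>
          <Option Name="FileWrite">1</Option>
          <Option Name="FileDelete">1</Option>
          <Option Name="FileAppend">1</Option>
        </Permission>
      </Permissions>
    </User>
    <User Name="anonymous">
      <Option Name="Pass"></Option>
      <Permissions>
        <Permission Dir="C:\ftp\public">
          <Option Name="FileRead">1</Option>
        </Permission>
      </Permissions>
    </User>
  </Users>
</FileZillaServer>
"""

# Per-directory options that let an account change data on the server.
# FileWrite/FileDelete/FileAppend appear above; DirCreate/DirDelete are
# assumed from real 0.9.x configuration files.
WRITE_RIGHTS = ("FileWrite", "FileDelete", "FileAppend", "DirCreate", "DirDelete")


def audit_users(xml_text):
    """Return {username: {group, has_password_hash, writable_dirs}}.

    Accepts either the real file (root <FileZillaServer>) or a bare <Users>
    excerpt such as the one quoted in the answer.
    """
    root = ET.fromstring(xml_text)
    users_node = root if root.tag == "Users" else root.find("Users")
    if users_node is None:
        raise ValueError("no <Users> section found")

    report = {}
    for user in users_node.findall("User"):
        pass_opt = user.find("Option[@Name='Pass']")
        has_hash = pass_opt is not None and bool((pass_opt.text or "").strip())
        group_opt = user.find("Option[@Name='Group']")
        writable = []
        for perm in user.findall("Permissions/Permission"):
            rights = {o.get("Name"): o.text for o in perm.findall("Option")}
            if any(rights.get(r) == "1" for r in WRITE_RIGHTS):
                writable.append(perm.get("Dir"))
        report[user.get("Name")] = {
            "group": group_opt.text if group_opt is not None else None,
            "has_password_hash": has_hash,
            "writable_dirs": writable,
        }
    return report


def findings(report):
    """Turn the audit dict into one warning line per issue."""
    out = []
    for name, info in report.items():
        if not info["has_password_hash"]:
            out.append(f"{name}: no password hash set")
        for directory in info["writable_dirs"]:
            out.append(f"{name}: write/delete rights on {directory}")
    return out


def config_file_is_world_readable(path):
    """POSIX check for the 'restrict read access' advice. On Windows the mode
    bits do not reflect the NTFS ACL, so None is returned there."""
    if os.name != "posix":
        return None
    return bool(os.stat(path).st_mode & stat.S_IROTH)


if __name__ == "__main__":
    for line in findings(audit_users(SAMPLE_CONFIG)):
        print(line)
```

To run it against a live server, replace SAMPLE_CONFIG with the contents of FileZilla Server.xml and pass the same path to config_file_is_world_readable; on Windows, check the file's ACL with the operating system's tools instead, since the POSIX mode bits are not meaningful there.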
FileZilla Server handles user authentication through its built-in user management system. The credentials are stored in an XML configuration file named FileZilla Server.xml, typically located in the server's installation directory.

On Windows systems (the primary platform for FileZilla Server), you'll find the configuration file at:

C:\Program Files (x86)\FileZilla Server\FileZilla Server.xml

For Linux installations (though less common), the path would be:

/etc/filezilla-server/FileZilla Server.xml

The user credentials are stored in an encrypted format within the <Users> section. Here's a sample structure:

<Users>
    <User Name="ftpuser">
        <Option Name="Pass">AES:ABCDEF1234567890ABCDEF1234567890</Option>
        <Option Name="Group">users</Option>
        <Permissions>
            <Permission Dir="C:\ftp\public">
                <Option Name="FileRead">1</Option>
                <Option Name="FileWrite">1</Option>
            </Permission>
        </Permissions>
    </User>
</Users>

The passwords are encrypted using AES-128 encryption with a server-specific key. This key is stored in the same XML file within the <Settings> section:

<Settings>
    <Option Name="AdminPassword">AES:1234567890ABCDEF1234567890ABCDEF</Option>
    <Option Name="PasswordSalt">RandomSaltValue</Option>
</Settings>

Here's a Python script to parse the FileZilla Server configuration:

import xml.etree.ElementTree as ET

def get_filezilla_users(config_path):
    try:
        tree = ET.parse(config_path)
        root = tree.getroot()

        users = {}
        for user in root.findall('.//User'):
            username = user.get('Name')
            pass_opt = user.find(".//Option[@Name='Pass']")
            # A missing or empty <Option Name="Pass"> yields None instead of raising
            users[username] = pass_opt.text if pass_opt is not None else None

        return users
    except (OSError, ET.ParseError) as e:
        print(f"Error reading FileZilla config: {e}")
        return None

# Example usage
users = get_filezilla_users(r"C:\Program Files (x86)\FileZilla Server\FileZilla Server.xml")
print(users)

For enhanced security, consider these alternatives to local credential storage:

• Windows Active Directory integration
• LDAP authentication
• Database-backed authentication (MySQL, PostgreSQL)

When moving or backing up FileZilla Server configurations, ensure you:

1. Stop the FileZilla Server service
2. Copy the entire installation directory
3. Preserve file permissions
4. Test the restored configuration