
Users and Groups Randomly Disabled - Bug related to password encryption method

We have had a very strange issue related to the most recent Serv-U update in June (15.2.1.446), which started yesterday, 26th September, out of nowhere; no changes were made.

See this thread for the details relating to the password encryption method change in the update from 15.2.1.446. We've had this update in place for months with no issues, but now...

Accounts using Public Key authentication to connect to Serv-U suddenly were not able to connect AND their accounts were becoming disabled. Users do not have automatic disabling set on their account; Serv-U is doing this all by itself.

After lots of testing, it appears that when an account has been connecting using a key, Serv-U still has the old password format/encryption method associated with that user's account (in the user's Archive file), even though they are not using a password to connect. Something in the Serv-U code seems to have enforced that accounts with this get DISABLED when they try to connect, even with a key (specifically on 26th September). The administrator then has to manually reactivate the account, but as soon as they try to log in again, it gets disabled. We also saw one instance where the GROUP that the user belonged to also got disabled, which disables all other users in that group.

The only way to fix this is to set a new password on the account, but I have hundreds of accounts this could have happened to and it is near impossible to work out which accounts are affected.

Please can you let us know if there is something in Serv-U for this specific date and how we can fix this issue? Is there a patch?

@ivodlouhy @bshopp @peter.kruty 

Thank you for your help.

@chrisrow You may get this issue too based on our previous discussions on the other thread linked above.

0 Kudos
4 Replies

I can confirm that such a problem exists.

We see many disabled accounts on our system, though we do not use key-based authentication for most of these accounts.

Affected are mostly accounts with a well-known username (like "admin" or "administrator"), so I assume that these get locked/disabled due to random login attempts from bots.

 

Resetting the password on these accounts does seem to help prevent that problem from happening again.

0 Kudos

Serv-U 15.2.1 provides increased password security; existing MD5 passwords are converted using a more secure algorithm.
MD5 passwords can be automatically changed in the first 90 days (during connection using password); after this period they are set to expired, and expired passwords can only be changed by an administrator. I can reach out to you to discuss this change and how to mitigate the impact.

0 Kudos

Thanks for this info, it is under investigation now. I will give an update soon.

0 Kudos

Is there any update on this issue? I'm seeing the same behavior in our Serv-U SFTP server.

0 Kudos