Rebex Buru SFTP Server 2.19.0: Argon2 password hashing
We have released Rebex Buru SFTP Server v2.19.0. Here is an overview of changes, fixes and improvements.
A big thank you to everyone who took the time to fill out our user survey! Most of the improvements in this release were directly shaped by your feedback. It really makes a difference, and we genuinely appreciate it. If you haven't had a chance to share your thoughts yet, we'd love to hear from you: fill out the survey here. It only takes a few minutes and helps us prioritize what matters most to you.
Argon2 password hashing (2.19.0)
Passwords stored in Buru SFTP Server's user database can now be hashed using Argon2, a memory-hard algorithm that is far more resistant to brute-force and GPU-accelerated cracking than plain SHA-2 hashing. Argon2 comes in three variants: argon2d (data-dependent memory access, strongest against GPU cracking but exposed to side-channel attacks), argon2i (data-independent memory access, resistant to side-channel attacks), and argon2id (a hybrid of the two, recommended for most use cases by RFC 9106).
Unlike SHA-2, which is designed to be fast, Argon2 is intentionally expensive to compute. Each evaluation requires a much larger amount of RAM as well as CPU time, and an attacker has to pay that cost for every single guess, which makes cracking far more expensive. All parameters (parallelism, memory cost, time cost) are configurable.
Note that password hashing does not affect the security of the login process itself. Its purpose is to protect users' passwords in the event of a user database leak. With Argon2 at the recommended parameter values, recovering the original passwords from a stolen database is extremely costly; hashes produced with weak parameters stay weak, so choose the parameters deliberately rather than only switching the algorithm.
To enable Argon2, set users.passwordHashAlgorithm in your configuration:
users:
  passwordHashAlgorithm: { type: argon2id }
The passwordHashAlgorithm setting also continues to accept a plain string value (e.g. SHA512) for simpler configurations.
Setting pre-hashed passwords for existing users
The --password-hash option, previously available only in burusftp user add, has been added to burusftp user update as well. This makes it possible to assign a pre-hashed password to an existing user from the command line, which is useful when migrating password hashes from another system.
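Hashes migrated from another system carry that system's Argon2 parameters with them, so it is worth auditing them before handing them to --password-hash. The following is an added example, not code from Buru SFTP Server or Rebex: it parses Argon2 hashes in the PHC string format ($argon2id$v=19$m=...,t=...,p=...$salt$tag) that the reference implementation and most libraries emit, and flags hashes whose variant, version, memory cost, time cost, salt or tag length fall below a policy floor. The PHC format, the sample hashes and the floors are this example's own assumptions; whether Buru's --password-hash option accepts this exact string format is something to confirm against its documentation.

```python
"""Sanity-check Argon2 hashes before importing them into a user database.

Added example, not code from Buru SFTP Server or Rebex. Assumes the hashes
being migrated are in the PHC string format, e.g.
    $argon2id$v=19$m=65536,t=3,p=4$<salt base64>$<tag base64>
The parameter floors below are this example's own policy (based on the
RFC 9106 and OWASP recommendations), not values taken from Buru.
"""
import base64
import re
from dataclasses import dataclass

PHC_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))"          # argon2d / argon2i / argon2id
    r"(?:\$v=(?P<version>\d+))?"                  # v=19 for Argon2 1.3; absent in old strings
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"   # memory (KiB), passes, lanes
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<tag>[A-Za-z0-9+/]+)$"  # unpadded base64
)

# Assumed policy floors: OWASP's minimum configuration is m=19 MiB, t=2, p=1;
# RFC 9106 recommends m=64 MiB, t=3, p=4 where memory allows.
MIN_MEMORY_KIB = 19 * 1024
MIN_TIME_COST = 2
MIN_SALT_BYTES = 16
MIN_TAG_BYTES = 16


@dataclass(frozen=True)
class Argon2Hash:
    variant: str
    version: int
    memory_kib: int
    time_cost: int
    parallelism: int
    salt: bytes
    tag: bytes


def _b64decode_unpadded(s: str) -> bytes:
    """PHC strings drop '=' padding; restore it before decoding."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_argon2(phc: str) -> Argon2Hash:
    """Parse a PHC-format Argon2 string; raise ValueError if it is not one."""
    m = PHC_RE.match(phc)
    if m is None:
        raise ValueError("not an Argon2 PHC string")
    return Argon2Hash(
        variant=m["variant"],
        # Strings without "v=" come from Argon2 1.0 (version 0x10).
        version=int(m["version"]) if m["version"] else 0x10,
        memory_kib=int(m["m"]),
        time_cost=int(m["t"]),
        parallelism=int(m["p"]),
        salt=_b64decode_unpadded(m["salt"]),
        tag=_b64decode_unpadded(m["tag"]),
    )


def check_policy(h: Argon2Hash) -> list[str]:
    """Return human-readable policy violations; an empty list means acceptable."""
    problems = []
    if h.variant != "argon2id":
        problems.append(f"variant {h.variant}: argon2id is the recommended hybrid")
    if h.version != 0x13:
        problems.append(f"version 0x{h.version:02x}: expected Argon2 1.3 (0x13)")
    if h.memory_kib < MIN_MEMORY_KIB:
        problems.append(f"memory cost m={h.memory_kib} KiB is below {MIN_MEMORY_KIB} KiB")
    if h.time_cost < MIN_TIME_COST:
        problems.append(f"time cost t={h.time_cost} is below {MIN_TIME_COST}")
    if h.parallelism < 1:
        problems.append("parallelism p must be at least 1")
    if len(h.salt) < MIN_SALT_BYTES:
        problems.append(f"salt is {len(h.salt)} bytes, expected at least {MIN_SALT_BYTES}")
    if len(h.tag) < MIN_TAG_BYTES:
        problems.append(f"tag is {len(h.tag)} bytes, expected at least {MIN_TAG_BYTES}")
    return problems


def audit(phc: str) -> list[str]:
    """Parse and policy-check in one call; a malformed string is itself a finding."""
    try:
        return check_policy(parse_argon2(phc))
    except ValueError as e:
        return [str(e)]


def _unpadded_b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=")


# Constructed sample hashes: the salt/tag bytes are placeholders, not real Argon2
# output. One uses strong parameters, the other looks like a weak legacy setup.
STRONG_HASH = ("$argon2id$v=19$m=65536,t=3,p=4$"
               + _unpadded_b64(bytes(range(16))) + "$" + _unpadded_b64(bytes(range(32))))
WEAK_HASH = ("$argon2i$v=19$m=4096,t=1,p=1$"
             + _unpadded_b64(bytes(range(8))) + "$" + _unpadded_b64(bytes(range(32))))

if __name__ == "__main__":
    for label, phc in (("strong", STRONG_HASH), ("weak", WEAK_HASH), ("bcrypt", "$2b$12$notargon2")):
        findings = audit(phc)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Run it over the exported hashes one per line and refuse to import any for which audit() returns findings; a hash that fails the floors should be replaced by forcing a password reset rather than imported as-is, because nothing done at import time can add work that the original hashing skipped.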
Minor changes and fixes
- SSH
- Fixed diffie-hellman-group17-sha512 and diffie-hellman-group18-sha512 being advertised but not usable as key exchange algorithms. (2.18.4)
- Fixed terminal shell execution when running as a different user incorrectly requiring SeTcbPrivilege instead of SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege. (2.18.4)
- Web Admin
- Added "Add new user" button to the users toolbar. (2.19.0)
- Added Save button to breadcrumb navigation on select pages. (2.19.0)
- Fixed breadcrumb display on Protection and FTP settings pages. (2.19.0)
- Fixed placeholder text showing incorrect hour values for idle duration and session duration fields. (2.18.4)
For a complete list of fixes and improvements, see the Release notes.
You can report issues and submit feature requests on our GitHub issue tracker.
For discussions and specific problems, please continue using our support forum.
