Traditionally, when the client logs in, it sends the credentials (username+pw) without any further processing. The server then checks if an entry exists in its user database that matches the supplied credentials.
To render password recovery harder in case of database breach, the password is stored in its hashed form. This means that either the client or the server hashes the password and then the credentials are checked for a match.
However, if the client does the hashing, it effectively becomes useless. Why ? Because the hashed password is now used as the password. One could steal the database, read the hash and send that along with the username and still get an access.
This is why the hashing must be done on the server, so that without prior knowledge of the password it is impossible to log in.
However, I cannot find any way to achieve this with a PAM module so that vsftpd will use it for logins. Note that I do not want to use a normal hash function as these are not suitable for password. I need to use a KDF such as scrypt or bcrypt.
Do I have to code my own PAM module or do I have to generate htpasswd hashes on demand ?
How to perform user authentication with serverside password hash for vsftpd ?