Hi Mr. Tobias,

We are having a similar problem.  It seems that when the galaxy code was 
updates, new created/updated passwords are using a different encryption mode.  
This new mode, PBKDF2 SHA256 is NOT supported by proftpd 1.3.4d that you see to 
be using. We had to compile proftpd from source since version 1.3.5rc3 does 
support this encryption. Now in the password 
PBKDF2$sha256$10000$8h/4HmD1Eu6NTc7F$Slb1H5a9YJvR6A3cUnZCUfh7tOWKfRuh I was 
able to deduce the following by reading the code from git hub "password.py".  
The encrypted password is acually Slb1H5a9YJvR6A3cUnZCUfh7tOWKfRuh where the 
salt is 8h/4HmD1Eu6NTc7F using PBKDF2 SHA256 with an illiteration value of 
10000.  The most importnat part is that the salt, is right there, from 
character 21 to 36. With the newly compiled proftpd, I have the following 
configuration at proftpd.conf:

# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "Genomics01 ProFTPd"
ServerType                      standalone
DefaultServer                   on
DeferWelcome                    off
UseIPv6                         on
IdentLookups                    off
MultilineRFC2228                on
ShowSymlinks                    on


LoadModule                      mod_sql.c
LoadModule                      mod_sql_postgres.c
LoadModule                      mod_sql_passwd.c

<IfModule mod_sql.c>
SQLBackend                      postgres
SQLEngine                       on
SQLAuthenticate                 users
SQLAuthTypes                    SHA1 SHA256 pbkdf2
SQLPasswordPBKDF2               SHA256 1000 24
#SQLPasswordSaltFile            /path/to/file
SQLConnectInfo                  galaxydb@localhost:5432 ftpuser mypassword
SQLUserInfo                     custom:/LookupGalaxyUser
SQLNamedQuery                   LookupGalaxyUser SELECT 
 FROM galaxy_user WHERE email='%U'"

SQLPasswordUserSalt             sql:/GetUserSalt

SQLNamedQuery                   LookupGalaxyUser  SELECT "email, (CASE WHEN 
substring(password from 1 for 6) = 'PBDKF2' THEN substring(password from 38 for 
69) ELSE password END) AS 
 FROM galaxy_user WHERE email='%U'"

SQLNamedQuery                   GetUserSalt SELECT "(CASE WHEN SUBSTRING 
(password from 1 for 6) = 'PBDKF2' THEN SUBSTRING (password from 21 for 36) 
END) AS salt FROM galaxy_user WHERE email='%U'"


SQLDefaultGID                   1002
SQLDefaultUID                   1002

TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200

DisplayLogin                    welcome.msg
DisplayChdir                    .message true
ListOptions                     "-l"

DenyFilter                      \*.*/

# Use this to jail all users in their homes
DefaultRoot                     ~
CreateHome                      on dirmode 700
AllowOverwrite                  on
AllowStoreRestart               on
SQLPasswordEngine               on
SQLPasswordEncoding             hex
PassivePorts                  30000 40000

# Port 21 is the standard FTP port.
Port                            21

# Don't use IPv6 support by default.
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           077

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            galaxy
Group                           galaxy

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite          on

#AuthOrder                       mod_sql.c

# Bar use of SITE CHMOD by default
#  DenyAll
Include /etc/proftpd/conf.d/

With the configuration above, I can still connect to users that have SHA1 
passwords, but I think I need a little more tweeking to get it to work with the 
new passwords.

--Ricardo Perez
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

To search Galaxy mailing lists use the unified search at:

Reply via email to