You don't really need to specify the TLS version.

The error when loading the modules is likely due to the way you compiled proftpd. I double-checked your first message and you have the modules compiled, so your setup should be fine without those lines.


As I mentioned before, you need to change the AuthOrder line, at least the mod_auth_unix.c part. This tells proftpd to authenticate the sftp user against the system users first, not against the galaxy db as you want.

Either change the order to:
AuthOrder mod_sql.c mod_auth_unix.c

Or, if you never want to authenticate system users, leave it only as:
AuthOrder mod_sql.c

On my system, fully removing AuthOrder also works.

Otherwise your config file looks fine to me.

Tiago
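
As an added example (not part of the original message and not ProFTPD's own code): a small Python check that finds every uncommented AuthOrder line in a proftpd.conf and reports when mod_sql.c is missing or is not the first module tried. The function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample, modelled on the mod_sftp block quoted in this thread.
SAMPLE_CONF = """\
<IfModule mod_sftp.c>
    SFTPEngine on
    Port 2222
    # AuthOrder mod_sql.c
    AuthOrder mod_auth_unix.c mod_sql.c
    SFTPAuthMethods password
</IfModule>
"""

SECTION = re.compile(r"<\s*(/?)\s*(\w+)([^>]*)>")


def auth_orders(conf_text):
    """Return (line_no, context, modules) for every uncommented AuthOrder."""
    stack, found = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = SECTION.match(line)
        if section:
            closing, name, arg = section.groups()
            if not closing:
                stack.append(f"{name} {arg.strip()}".strip())
            elif stack:
                stack.pop()
            continue
        words = line.split()
        if words[0].lower() == "authorder":
            found.append((line_no, " > ".join(stack) or "server config", words[1:]))
    return found


def review(conf_text, wanted="mod_sql.c"):
    """Flag AuthOrder lines where `wanted` is missing or not tried first."""
    findings = []
    for line_no, context, modules in auth_orders(conf_text):
        names = [m.rstrip("*") for m in modules]  # '*' marks a module authoritative
        if wanted not in names:
            findings.append((line_no, context, f"{wanted} is never consulted"))
        elif names[0] != wanted:
            findings.append((line_no, context, f"{names[0]} is tried before {wanted}"))
    return findings


if __name__ == "__main__":
    for line_no, context, problem in review(SAMPLE_CONF):
        print(f"line {line_no} [{context}]: {problem}")
```

A config with no AuthOrder line at all produces no findings, matching the note above that removing the directive also works.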





On 22-03-2017 16:36, Rui Wang wrote:
Hi Tiago,

Thanks so much for your suggestions! Please see inline.

On Wed, Mar 22, 2017 at 9:08 AM, Tiago Macedo <tmac...@igc.gulbenkian.pt> wrote:

    Hi Rui,

    Are you trying to set up proftpd (with sftp) to use galaxy user
    credentials read from a postgresql database? Do you have the
    postgresql part working on regular ftp?


Yes, that's what I'm trying to achieve. And yes, it works with regular ftp.


    1- The proftpd version on ubuntu 16.04's repository works fine,
    you don't need to compile it yourself (unless you really want/have
    to). An apt install proftpd-basic proftpd-mod-pgsql would do it.

    2- The user and group under which proftpd runs are defined in
    proftpd.conf. You didn't show that part of your file, but it's
    these two lines:
    User   proftpd
    Group   nogroup

    3- I see you're missing:
    #Before the <IfModule mod_sftp.c>
    LoadModule      mod_sql_postgres.c
    LoadModule      mod_sql_passwd.c


When I tried to add these two lines, it always says:

fatal: unknown configuration directive 'LoadModule'

Is there anything I'm missing?


    AuthPAM   off

    #Within the <IfModule mod_sftp.c>
    TLSProtocol TLSv1


Do we really have to specify TLS, or do we not need that?

Cheers,
Rui


    I suppose you can specify TLS 1.1 or 1.2 here, but I never really
    tried it.

    In my setup I also commented out the AuthOrder line.

    I guess these changes should do it.


    Best,
    Tiago







    On 22-03-2017 08:29, Rui Wang wrote:
    Hi Folks,

    I'm trying to set up the ftp for the local galaxy instance. I got
    the regular ftp working, but not the sftp. After a few hours of
    attempts, I'm wondering what I'm missing. Here is the related info:

    1. Configure the build

    install_user=bioinfoadmin install_group=bioinfoadmin ./configure \
        --prefix=/media/libraryfiles/proftpd --enable-openssl \
        --with-modules=mod_sql:mod_sql_postgres:mod_sql_passwd \
        --with-modules=mod_sftp:mod_tls
    make
    make install

    2. Start the server

    sudo sbin/proftpd --config \
        /media/libraryfiles/proftpd/etc/proftpd.conf -n -d 10

    I notice that even though I start it using sudo, the real user
    that is running proftpd is 'nobody'.

    3. Config file snippet. I inserted the following piece into the
    original config file. Adding 'VirtualHost' or not doesn't change
    anything in the result.

    <IfModule mod_sftp.c>

            SFTPEngine on
            Port 2222
            SFTPLog /var/log/proftpd/sftp.log
            AuthOrder mod_auth_unix.c mod_sql.c

            # Configure both the RSA and DSA host keys, using the same host key
            # files that OpenSSH uses.
            SFTPHostKey /etc/ssh/ssh_host_rsa_key
            SFTPHostKey /etc/ssh/ssh_host_dsa_key

            #SFTPAuthMethods publickey
            SFTPAuthMethods password

            # Enable compression
            SFTPCompression delayed

    </IfModule>

    Now when I start the server and then try to test the login, I get
    this:

    $ sftp -P 2222 localhost
    packet_write_wait: Connection to 127.0.0.1 port 2222: Broken pipe
    Couldn't read packet: Connection reset by peer

    Accordingly, I got the following segfault in the log:

    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65:
    ROOT PRIVS at main.c:1227
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65:
    RELINQUISH PRIVS at main.c:1231
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65: no
    matching vhost found for 127.0.0.1#2222, using 'ProFTPD Default
    Installation' listening on wildcard address
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): ROOT PRIVS at main.c:1034
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): SETUP PRIVS at main.c:1039
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): session requested from client in unknown
    class
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): performing module session initializations
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): mod_cap/1.1: adding CAP_SETUID and
    CAP_SETGID capabilities
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): ROOT PRIVS at mod_sftp.c:1674
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): RELINQUISH PRIVS at mod_sftp.c:1677
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): ROOT PRIVS at keys.c:2001
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): RELINQUISH PRIVS at keys.c:2008
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): ROOT PRIVS at keys.c:703
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): RELINQUISH PRIVS at keys.c:710
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): ROOT PRIVS at keys.c:703
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): RELINQUISH PRIVS at keys.c:710
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): ROOT PRIVS at keys.c:2001
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): RELINQUISH PRIVS at keys.c:2008
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): mod_sql/4.3: defaulting to 'postgres' backend
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): mod_ident/1.0: ident lookup disabled
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): ROOT PRIVS at mod_delay.c:1756
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): RELINQUISH PRIVS at mod_delay.c:1759
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): ROOT PRIVS at mod_auth.c:140
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): opening scoreboard
    '/media/libraryfiles/proftpd/var/proftpd.scoreboard'
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): RELINQUISH PRIVS at mod_auth.c:142
    2017-03-22 00:51:14,786 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): AuthOrder in effect, resetting auth
    module order
    2017-03-22 00:51:14,787 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): connected - local  : 127.0.0.1:2222
    2017-03-22 00:51:14,787 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): connected - remote : 127.0.0.1:58014
    2017-03-22 00:51:14,787 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): SSH2 session opened.
    2017-03-22 00:51:14,787 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): dispatching LOG_CMD command 'KEXINIT' to
    mod_sql
    2017-03-22 00:51:14,787 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): dispatching LOG_CMD command 'KEXINIT' to
    mod_log
    2017-03-22 00:51:14,787 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): dispatching LOG_CMD command 'ECDH_INIT'
    to mod_sql
    2017-03-22 00:51:14,787 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): dispatching LOG_CMD command 'ECDH_INIT'
    to mod_log
    2017-03-22 00:51:14,789 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): ProFTPD terminating (signal 11)
    2017-03-22 00:51:14,789 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): ProFTPD terminating (signal 11)
    2017-03-22 00:51:14,789 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): mod_sftp/0.9.9: scrubbing 2 passphrases
    from memory
    2017-03-22 00:51:14,789 cal-hsl-65 proftpd[56922] cal-hsl-65
    (localhost[127.0.0.1]): SSH2 session closed.

    Seems that it is connected in the middle...

    And the /var/log/proftpd/sftp.log shows things like (many
    identical snippets, I just picked one randomly):

    2017-03-22 01:16:06,753 mod_sftp/0.9.9[58288]: sent server
    version 'SSH-2.0-mod_sftp/0.9.9'
    2017-03-22 01:16:06,753 mod_sftp/0.9.9[58288]: received client
    version 'SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1'
    2017-03-22 01:16:06,753 mod_sftp/0.9.9[58288]: handling
    connection from SSH2 client 'OpenSSH_7.2p2 Ubuntu-4ubuntu2.1'
    2017-03-22 01:16:06,753 mod_sftp/0.9.9[58288]:  + Session key
    exchange: ecdh-sha2-nistp256
    2017-03-22 01:16:06,753 mod_sftp/0.9.9[58288]:  + Session server
    hostkey: ssh-rsa
    2017-03-22 01:16:06,753 mod_sftp/0.9.9[58288]:  + Session
    client-to-server encryption: aes128-ctr
    2017-03-22 01:16:06,753 mod_sftp/0.9.9[58288]:  + Session
    server-to-client encryption: aes128-ctr
    2017-03-22 01:16:06,753 mod_sftp/0.9.9[58288]:  + Session
    client-to-server MAC: umac...@openssh.com
    2017-03-22 01:16:06,753 mod_sftp/0.9.9[58288]:  + Session
    server-to-client MAC: umac...@openssh.com
    2017-03-22 01:16:06,753 mod_sftp/0.9.9[58288]:  + Session
    client-to-server compression: none
    2017-03-22 01:16:06,753 mod_sftp/0.9.9[58288]:  + Session
    server-to-client compression: none

    The version of proftpd is 1.3.5d on ubuntu 16.04.2. Not sure if
    anyone has seen this before. Any input will be greatly appreciated.

    Thanks,
    Rui


    ___________________________________________________________
    Please keep all replies on the list by using "reply all"
    in your mail client.  To manage your subscriptions to this
    and other Galaxy lists, please use the interface at:
       https://lists.galaxyproject.org/

    To search Galaxy mailing lists use the unified search at:
       http://galaxyproject.org/search/