On Aug 9, 2013, at 2:38 AM, Leon Mei wrote: > Hi Nate, > > Thanks for the suggestion! Unfortunately, it still failed :( > > I got the following error message in proftp log: > > 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: entering postgres > cmd_escapestring > 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: entering postgres cmd_open > 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: connection 'default' count is now > 2 > 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: exiting postgres cmd_open > 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: entering postgres cmd_close > 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: connection 'default' count is now > 1 > 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: exiting postgres cmd_close > 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: exiting postgres > cmd_escapestring > 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: cache hit for user > 'hailiang.m...@nbic.nl' > 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: >>> cmd_check > 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: checking password using > SQLAuthType 'sha1' > 2013-08-09 08:32:41,781 mod_sql/4.3[32384]: 'sha1' SQLAuthType handler > reports failure > 2013-08-09 08:32:41,781 mod_sql/4.3[32384]: checking password using > SQLAuthType 'sha256' > 2013-08-09 08:32:41,781 mod_sql/4.3[32384]: 'sha256' SQLAuthType handler > reports failure > 2013-08-09 08:32:41,781 mod_sql/4.3[32384]: checking password using > SQLAuthType 'pbkdf2' > 2013-08-09 08:32:41,841 mod_sql/4.3[32384]: 'pbkdf2' SQLAuthType handler > reports failure > 2013-08-09 08:32:41,841 mod_sql/4.3[32384]: <<< cmd_check > 2013-08-09 08:32:41,841 mod_sql/4.3[32384]: <<< cmd_auth > > The old user account generated before our code update still works. > > I wonder how it is configured at the Galaxy main server? > > Thanks, > Leon
It isn't in use on the Main server, but now that I'm aware that ProFTPD has PBKDF2 support, I will put this on my to-do list for next week to test. --nate > > > > On Thu, Aug 8, 2013 at 8:45 PM, Nate Coraor <n...@bx.psu.edu> wrote: > On Jul 26, 2013, at 3:51 PM, Leon Mei wrote: > > > Dear galaxy developers, > > > > We have tried today to upgrade our proftpd configuration to make uploading > > for our galaxy users possible again, both for users with "old" as well as > > "new" style hashed passwords. We upgraded proftpd on the server to 1.3.5rc3 > > and have the following SQL part in our configuration file based on the post > > of > > http://dev.list.galaxyproject.org/ProFTPD-integration-with-Galaxy-td4660295.html > > > > SQLEngine on > > SQLLogFile /var/log/proftpd-sql.log > > SQLBackend postgres > > SQLConnectInfo galaxy@localhost:5840 galaxyftp <[ourpassword]> > > SQLAuthTypes SHA1 SHA256 PBKDF2 > > SQLPasswordPBKDF2 SHA256 1000 24 > > SQLPasswordUserSalt sql:/GetUserSalt > > SQLAuthenticate users > > SQLDefaultUID 108 > > SQLDefaultGID 116 > > SQLDefaultHomedir /opt/cloudman/pkg/proftpd/var > > SQLUserInfo custom:/LookupGalaxyUser > > SQLNamedQuery LookupGalaxyUser SELECT "email, (CASE WHEN > > substring(password from 1 for 6) = 'PBKDF2' THEN substring(password from 38 > > for 32) ELSE password END) AS > > password2,'108','116','/mnt/galaxyData/tmp/ftp/%U','/bin/bash' FROM > > galaxy_user WHERE email='%U'" > > SQLNamedQuery GetUserSalt SELECT "(CASE WHEN SUBSTRING (password from 1 > > for 6) = 'PBKDF2' THEN SUBSTRING (password from 21 for 16) END) AS salt > > FROM galaxy_user WHERE email='%U'" > > > > We have executed the LookupGalaxyUser and GetUserSalt commands manually, > > and the results look good. Now, old users can login via ftp, but for a new > > user, the authentication still fails: > > > > 2013-07-26 13:15:06,989 mod_sql/4.3[31761]: >>> cmd_check > > 2013-07-26 13:15:06,989 mod_sql/4.3[31761]: checking password using > > SQLAuthType 'sha1' > > 2013-07-26 13:15:06,989 mod_sql/4.3[31761]: 'sha1' SQLAuthType handler > > reports failure > > 2013-07-26 13:15:06,989 mod_sql/4.3[31761]: checking password using > > SQLAuthType 'pbkdf2' > > 2013-07-26 13:15:06,993 mod_sql/4.3[31761]: 'pbkdf2' SQLAuthType handler > > reports failure > > > > What are we missing? > > > > Thanks! > > > > Rob and Leon > > Hallo Leon and Rob, > > Thanks for working on this, when I'd looked a couple months ago I could not > find an entirely-ProFTPD way to do this. I think it may have actually come > about because I asked about it on their IRC channel. ;) > > This may work if you change SQLPasswordPBKDF2: > > SQLPasswordPBKDF2 SHA256 10000 24 > > It'd be great if ProFTPD also supported pulling those values dynamically from > the database, but Galaxy's PBKDF2 code currently has them hardcoded, so they > will be static anyway. > > --nate > > > > > > > -- > > Hailiang (Leon) Mei > > Netherlands Bioinformatics Center > > BioAssist NGS Taskforce > > - http://ngs.nbic.nl > > Skype: leon_mei Mobile: +31 6 41709231 > > ___________________________________________________________ > > Please keep all replies on the list by using "reply all" > > in your mail client. To manage your subscriptions to this > > and other Galaxy lists, please use the interface at: > > http://lists.bx.psu.edu/ > > > > To search Galaxy mailing lists use the unified search at: > > http://galaxyproject.org/search/mailinglists/ > > > > > -- > Hailiang (Leon) Mei > Netherlands Bioinformatics Center > BioAssist NGS Taskforce > - http://ngs.nbic.nl > Skype: leon_mei Mobile: +31 6 41709231 ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/ To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
