Re: [galaxy-dev] support pbkdf2 in proftpd 1.3.5rc3

2013-08-09 Thread Benjamin Schuster-Boeckler
I previously tried to get this to work, too. After a lot of trial-and-error, I 
gave up because proFTPd always calculated a different string after salting and 
hashing the password with PBKDF2 than what is stored in the database. I'm sure 
that it extracted the correct salt and password, but something about the 
salt&hash algorithm in proFTPd is different from what Galaxy does. I ended up 
reverting to SHA1 for our internal instance which is behind a firewall so pw 
hashing isn't as critical.

Just my 5c, cheers,
Ben

--
Benjamin Schuster-Böckler
Leadership Fellow for Bioinformatics

☎ +44 1865 617481
✉ benjamin.schuster-boeck...@ludwig.ox.ac.uk

Ludwig Institute for Cancer Research
University of Oxford
Old Road Campus Research Building
Oxford OX3 7DQ
United Kingdom


___
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
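Added example, not part of any post in this thread and not Galaxy or ProFTPD code: a small diagnostic for the mismatch described above. It splits a stored value with the same offsets as the GetUserSalt and LookupGalaxyUser queries in the original post, then recomputes PBKDF2 under each plausible reading of salt, iteration count and output encoding. The function names, the `$`-separated layout of the constructed sample and its iteration count of 10000 are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
from itertools import product

KEY_LENGTH = 24  # bytes; last argument of "SQLPasswordPBKDF2 SHA256 1000 24"
# 24 bytes encode to 48 hex or 32 base64 characters, so the 32-character
# field fetched by LookupGalaxyUser can only equal a base64-encoded key.


def split_stored(stored):
    """Split a stored value with the same 1-based offsets as the thread's queries."""
    if stored[:6] != "PBKDF2":      # substring(password from 1 for 6)
        return None                 # legacy hash: the query returns it unchanged
    salt_text = stored[20:36]       # substring(password from 21 for 16)
    digest_text = stored[37:69]     # substring(password from 38 for 32)
    return salt_text, digest_text


def candidates(password, salt_text, iteration_counts):
    """Yield ((salt_mode, iterations, encoding), encoded_key) per interpretation."""
    salts = {"salt-as-text": salt_text.encode()}
    try:
        salts["salt-b64-decoded"] = base64.b64decode(salt_text, validate=True)
    except ValueError:              # not valid base64: only the text form applies
        pass
    for (salt_mode, salt), count in product(salts.items(), iteration_counts):
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, count, KEY_LENGTH)
        yield (salt_mode, count, "hex"), dk.hex()
        yield (salt_mode, count, "base64"), base64.b64encode(dk).decode()


def diagnose(stored, password, iteration_counts):
    """Return every interpretation whose output equals the stored digest field."""
    parts = split_stored(stored)
    if parts is None:
        return []
    salt_text, digest_text = parts
    return [label
            for label, encoded in candidates(password, salt_text, iteration_counts)
            if hmac.compare_digest(encoded.encode(), digest_text.encode())]


def make_sample(password, iterations=10000):
    """Constructed test record; layout and iteration count are assumptions."""
    salt_text = base64.b64encode(b"saltsaltsalt").decode()   # 16 characters
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt_text.encode(),
                             iterations, KEY_LENGTH)
    return "PBKDF2$sha256$%d$%s$%s" % (
        iterations, salt_text, base64.b64encode(dk).decode())


if __name__ == "__main__":
    sample = make_sample("constructed-password")
    for counts in ([1, 1000], [1, 1000, 10000]):
        print(counts, "->", diagnose(sample, "constructed-password", counts))
```

Run against a test account whose password is known: an empty result for every candidate means the verifier and the writer disagree on something other than the three parameters tried here.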

Re: [galaxy-dev] support pbkdf2 in proftpd 1.3.5rc3

2013-08-09 Thread Leon Mei
Hi Nate/James,

Thanks! Where should I look to disable PBKDF2 in the Galaxy code?

Cheers,
Leon



Re: [galaxy-dev] support pbkdf2 in proftpd 1.3.5rc3

2013-08-09 Thread James Taylor
For the moment, the best solution is to disable PBKDF2 in Galaxy if
you are also using FTP. That is how Galaxy main is currently
configured.

--
James Taylor, Assistant Professor, Biology/CS, Emory University



Re: [galaxy-dev] support pbkdf2 in proftpd 1.3.5rc3

2013-08-09 Thread Nate Coraor
On Aug 9, 2013, at 2:38 AM, Leon Mei wrote:

> Hi Nate,
> 
> Thanks for the suggestion! Unfortunately, it still failed :(
> 
> I got the following error message in proftp log:
> 
> 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: entering postgres cmd_escapestring
> 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: entering postgres cmd_open
> 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: connection 'default' count is now 2
> 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: exiting postgres cmd_open
> 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: entering postgres cmd_close
> 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: connection 'default' count is now 1
> 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: exiting postgres cmd_close
> 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: exiting postgres cmd_escapestring
> 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: cache hit for user 'hailiang.m...@nbic.nl'
> 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: >>> cmd_check
> 2013-08-09 08:32:41,777 mod_sql/4.3[32384]: checking password using SQLAuthType 'sha1'
> 2013-08-09 08:32:41,781 mod_sql/4.3[32384]: 'sha1' SQLAuthType handler reports failure
> 2013-08-09 08:32:41,781 mod_sql/4.3[32384]: checking password using SQLAuthType 'sha256'
> 2013-08-09 08:32:41,781 mod_sql/4.3[32384]: 'sha256' SQLAuthType handler reports failure
> 2013-08-09 08:32:41,781 mod_sql/4.3[32384]: checking password using SQLAuthType 'pbkdf2'
> 2013-08-09 08:32:41,841 mod_sql/4.3[32384]: 'pbkdf2' SQLAuthType handler reports failure
> 2013-08-09 08:32:41,841 mod_sql/4.3[32384]: <<< cmd_check
> 2013-08-09 08:32:41,841 mod_sql/4.3[32384]: <<< cmd_auth
> 
> The old user account generated before our code update still works.
> 
> I wonder how it is configured at the Galaxy main server? 
> 
> Thanks,
> Leon

It isn't in use on the Main server, but now that I'm aware that ProFTPD has 
PBKDF2 support, I will put this on my to-do list for next week to test.

--nate



Re: [galaxy-dev] support pbkdf2 in proftpd 1.3.5rc3

2013-08-08 Thread Leon Mei
Hi Nate,

Thanks for the suggestion! Unfortunately, it still failed :(

I got the following error message in proftp log:

2013-08-09 08:32:41,777 mod_sql/4.3[32384]: entering postgres cmd_escapestring
2013-08-09 08:32:41,777 mod_sql/4.3[32384]: entering postgres cmd_open
2013-08-09 08:32:41,777 mod_sql/4.3[32384]: connection 'default' count is now 2
2013-08-09 08:32:41,777 mod_sql/4.3[32384]: exiting postgres cmd_open
2013-08-09 08:32:41,777 mod_sql/4.3[32384]: entering postgres cmd_close
2013-08-09 08:32:41,777 mod_sql/4.3[32384]: connection 'default' count is now 1
2013-08-09 08:32:41,777 mod_sql/4.3[32384]: exiting postgres cmd_close
2013-08-09 08:32:41,777 mod_sql/4.3[32384]: exiting postgres cmd_escapestring
2013-08-09 08:32:41,777 mod_sql/4.3[32384]: cache hit for user 'hailiang.m...@nbic.nl'
2013-08-09 08:32:41,777 mod_sql/4.3[32384]: >>> cmd_check
2013-08-09 08:32:41,777 mod_sql/4.3[32384]: checking password using SQLAuthType 'sha1'
2013-08-09 08:32:41,781 mod_sql/4.3[32384]: 'sha1' SQLAuthType handler reports failure
2013-08-09 08:32:41,781 mod_sql/4.3[32384]: checking password using SQLAuthType 'sha256'
2013-08-09 08:32:41,781 mod_sql/4.3[32384]: 'sha256' SQLAuthType handler reports failure
2013-08-09 08:32:41,781 mod_sql/4.3[32384]: checking password using SQLAuthType 'pbkdf2'
2013-08-09 08:32:41,841 mod_sql/4.3[32384]: 'pbkdf2' SQLAuthType handler reports failure
2013-08-09 08:32:41,841 mod_sql/4.3[32384]: <<< cmd_check
2013-08-09 08:32:41,841 mod_sql/4.3[32384]: <<< cmd_auth

The old user account generated before our code update still works.

I wonder how it is configured at the Galaxy main server?

Thanks,
Leon




Re: [galaxy-dev] support pbkdf2 in proftpd 1.3.5rc3

2013-08-08 Thread Nate Coraor
On Jul 26, 2013, at 3:51 PM, Leon Mei wrote:

> Dear galaxy developers,
> 
> We have tried today to upgrade our proftpd configuration to make uploading 
> for our galaxy users possible again, both for users with "old" as well as 
> "new" style hashed passwords. We upgraded proftpd on the server to 1.3.5rc3 
> and have the following SQL part in our configuration file based on the post 
> of 
> http://dev.list.galaxyproject.org/ProFTPD-integration-with-Galaxy-td4660295.html
> 
> SQLEngine               on
> SQLLogFile              /var/log/proftpd-sql.log
> SQLBackend              postgres
> SQLConnectInfo          galaxy@localhost:5840 galaxyftp <[ourpassword]>
> SQLAuthTypes            SHA1 SHA256 PBKDF2
> SQLPasswordPBKDF2       SHA256 1000 24
> SQLPasswordUserSalt     sql:/GetUserSalt
> SQLAuthenticate         users
> SQLDefaultUID           108
> SQLDefaultGID           116
> SQLDefaultHomedir       /opt/cloudman/pkg/proftpd/var
> SQLUserInfo             custom:/LookupGalaxyUser
> SQLNamedQuery           LookupGalaxyUser SELECT "email, (CASE WHEN substring(password from 1 for 6) = 'PBKDF2' THEN substring(password from 38 for 32) ELSE password END) AS password2,'108','116','/mnt/galaxyData/tmp/ftp/%U','/bin/bash' FROM galaxy_user WHERE email='%U'"
> SQLNamedQuery           GetUserSalt SELECT "(CASE WHEN SUBSTRING (password from 1 for 6) = 'PBKDF2' THEN SUBSTRING (password from 21 for 16) END) AS salt FROM galaxy_user WHERE email='%U'"
> 
> We have executed the LookupGalaxyUser and GetUserSalt commands manually, and 
> the results look good. Now, old users can login via ftp, but for a new user, 
> the authentication still fails:
> 
> 2013-07-26 13:15:06,989 mod_sql/4.3[31761]: >>> cmd_check
> 2013-07-26 13:15:06,989 mod_sql/4.3[31761]: checking password using SQLAuthType 'sha1'
> 2013-07-26 13:15:06,989 mod_sql/4.3[31761]: 'sha1' SQLAuthType handler reports failure
> 2013-07-26 13:15:06,989 mod_sql/4.3[31761]: checking password using SQLAuthType 'pbkdf2'
> 2013-07-26 13:15:06,993 mod_sql/4.3[31761]: 'pbkdf2' SQLAuthType handler reports failure
> 
> What are we missing?
> 
> Thanks!
> 
> Rob and Leon

Hallo Leon and Rob,

Thanks for working on this, when I'd looked a couple months ago I could not 
find an entirely-ProFTPD way to do this.  I think it may have actually come 
about because I asked about it on their IRC channel. ;)

This may work if you change SQLPasswordPBKDF2:

  SQLPasswordPBKDF2 SHA256 1 24

It'd be great if ProFTPD also supported pulling those values dynamically from 
the database, but Galaxy's PBKDF2 code currently has them hardcoded, so they 
will be static anyway.

--nate



[galaxy-dev] support pbkdf2 in proftpd 1.3.5rc3

2013-07-26 Thread Leon Mei
Dear galaxy developers,

We have tried today to upgrade our proftpd configuration to make uploading
for our galaxy users possible again, both for users with "old" as well as
"new" style hashed passwords. We upgraded proftpd on the server to 1.3.5rc3
and have the following SQL part in our configuration file based on the post
of
http://dev.list.galaxyproject.org/ProFTPD-integration-with-Galaxy-td4660295.html

SQLEngine               on
SQLLogFile              /var/log/proftpd-sql.log
SQLBackend              postgres
SQLConnectInfo          galaxy@localhost:5840 galaxyftp <[ourpassword]>
SQLAuthTypes            SHA1 SHA256 PBKDF2
SQLPasswordPBKDF2       SHA256 1000 24
SQLPasswordUserSalt     sql:/GetUserSalt
SQLAuthenticate         users
SQLDefaultUID           108
SQLDefaultGID           116
SQLDefaultHomedir       /opt/cloudman/pkg/proftpd/var
SQLUserInfo             custom:/LookupGalaxyUser
SQLNamedQuery           LookupGalaxyUser SELECT "email, (CASE WHEN substring(password from 1 for 6) = 'PBKDF2' THEN substring(password from 38 for 32) ELSE password END) AS password2,'108','116','/mnt/galaxyData/tmp/ftp/%U','/bin/bash' FROM galaxy_user WHERE email='%U'"
SQLNamedQuery           GetUserSalt SELECT "(CASE WHEN SUBSTRING (password from 1 for 6) = 'PBKDF2' THEN SUBSTRING (password from 21 for 16) END) AS salt FROM galaxy_user WHERE email='%U'"

We have executed the LookupGalaxyUser and GetUserSalt commands manually,
and the results look good. Now, old users can login via ftp, but for a new
user, the authentication still fails:

2013-07-26 13:15:06,989 mod_sql/4.3[31761]: >>> cmd_check
2013-07-26 13:15:06,989 mod_sql/4.3[31761]: checking password using SQLAuthType 'sha1'
2013-07-26 13:15:06,989 mod_sql/4.3[31761]: 'sha1' SQLAuthType handler reports failure
2013-07-26 13:15:06,989 mod_sql/4.3[31761]: checking password using SQLAuthType 'pbkdf2'
2013-07-26 13:15:06,993 mod_sql/4.3[31761]: 'pbkdf2' SQLAuthType handler reports failure

What are we missing?

Thanks!

Rob and Leon


-- 
Hailiang (Leon) Mei
Netherlands Bioinformatics Center
BioAssist NGS Taskforce
 - http://ngs.nbic.nl
Skype: leon_mei    Mobile: +31 6 41709231