Hi Mr. Tobias,
We are having a similar problem. It seems that when the Galaxy code was updated, newly created/updated passwords are using a different encryption mode. This new mode, PBKDF2 SHA256, is NOT supported by proftpd 1.3.4d, which you seem to be using. We had to compile proftpd from source, since version 1.3.5rc3 does support this encryption.

Now, in the password PBKDF2$sha256$10000$8h/4HmD1Eu6NTc7F$Slb1H5a9YJvR6A3cUnZCUfh7tOWKfRuh, I was able to deduce the following by reading the code from GitHub, "password.py". The encrypted password is actually Slb1H5a9YJvR6A3cUnZCUfh7tOWKfRuh, where the salt is 8h/4HmD1Eu6NTc7F, using PBKDF2 SHA256 with an iteration value of 10000. The most important part is that the salt is right there, from character 21 to 36.

With the newly compiled proftpd, I have the following configuration at proftpd.conf:

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "Genomics01 ProFTPd"
ServerType standalone
DefaultServer on
DeferWelcome off
UseIPv6 on
IdentLookups off
MultilineRFC2228 on
ShowSymlinks on
ModulePath /usr/local/galaxy/downloads/proftpd-1.3.5rc3/modules/
LoadModule mod_sql.c
LoadModule mod_sql_postgres.c
LoadModule mod_sql_passwd.c
<IfModule mod_sql.c>
SQLBackend postgres
SQLEngine on
SQLAuthenticate users
SQLAuthTypes SHA1 SHA256 pbkdf2
SQLPasswordPBKDF2 SHA256 1000 24
#SQLPasswordSaltFile /path/to/file
SQLConnectInfo galaxydb@localhost:5432 ftpuser mypassword
SQLUserInfo custom:/LookupGalaxyUser
SQLNamedQuery LookupGalaxyUser SELECT "email,password,'galaxy','galaxy','/usr/local/galaxy/galaxy-dist/database/ftp/%U','/bin/bash' FROM galaxy_user WHERE email='%U'"
SQLPasswordUserSalt sql:/GetUserSalt
SQLNamedQuery LookupGalaxyUser SELECT "email, (CASE WHEN substring(password from 1 for 6) = 'PBDKF2' THEN substring(password from 38 for 69) ELSE password END) AS password2,'galaxy','galaxy','/usr/local/galaxy/galaxy-dist/database/ftp/%U','/bin/bash' FROM galaxy_user WHERE email='%U'"
SQLNamedQuery GetUserSalt SELECT "(CASE WHEN SUBSTRING (password from 1 for 6) = 'PBDKF2' THEN SUBSTRING (password from 21 for 36) END) AS salt FROM galaxy_user WHERE email='%U'"
</IfModule>
SQLDefaultGID 1002
SQLDefaultUID 1002
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
# Use this to jail all users in their homes
DefaultRoot ~
CreateHome on dirmode 700
AllowOverwrite on
AllowStoreRestart on
SQLPasswordEngine on
SQLPasswordEncoding hex
PassivePorts 30000 40000
# Port 21 is the standard FTP port.
Port 21
# Don't use IPv6 support by default.
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 077
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User galaxy
Group galaxy
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
# Normally, we want files to be overwriteable.
AllowOverwrite on
#AuthOrder mod_sql.c
# Bar use of SITE CHMOD by default
#<Limit SITE_CHMOD>
# DenyAll
#</Limit>
Include /etc/proftpd/conf.d/

With the configuration above, I can still connect to users that have SHA1 passwords, but I think I need a little more tweaking to get it to work with the new passwords.

Best,
--Ricardo Perez
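
The stored-password layout described in the message above, as an added example that is not part of the original post and is not Galaxy's or ProFTPD's code. It splits the string on `$` instead of relying on fixed offsets and reports each field's 1-based start and length, which is the pair PostgreSQL's `substring(col FROM start FOR length)` takes. Assumptions: the five-field layout is as quoted in the post, the hash field is base64, and the salt is fed to PBKDF2 as the stored text itself.

```python
import base64
import hashlib
import hmac

# Stored value quoted in the post above.
STORED = "PBKDF2$sha256$10000$8h/4HmD1Eu6NTc7F$Slb1H5a9YJvR6A3cUnZCUfh7tOWKfRuh"
FIELDS = ("scheme", "digest", "iterations", "salt", "hash")


def parse_stored(stored):
    """Split 'PBKDF2$<digest>$<iterations>$<salt>$<hash>' into named fields."""
    parts = stored.split("$")
    if len(parts) != len(FIELDS) or parts[0] != "PBKDF2":
        raise ValueError("not a PBKDF2 entry in the expected five-field layout")
    fields = dict(zip(FIELDS, parts))
    fields["iterations"] = int(fields["iterations"])
    return fields


def sql_substring_args(stored, field):
    """Return the 1-based (start, length) of a field inside the stored string."""
    parse_stored(stored)  # reject anything that is not in the expected layout
    parts = stored.split("$")
    index = FIELDS.index(field)
    # Every earlier field contributes its own length plus one '$' separator.
    start = sum(len(p) + 1 for p in parts[:index]) + 1
    return start, len(parts[index])


def verify(password, stored):
    """Recompute PBKDF2 from the stored parameters and compare in constant time."""
    f = parse_stored(stored)
    expected = base64.b64decode(f["hash"], validate=True)  # assumption: base64 hash
    derived = hashlib.pbkdf2_hmac(
        f["digest"],
        password.encode("utf-8"),
        f["salt"].encode("ascii"),  # assumption: salt used as stored text, not decoded
        f["iterations"],
        dklen=len(expected),
    )
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    for name in ("salt", "hash"):
        print(name, sql_substring_args(STORED, name))
    print("hash bytes:", len(base64.b64decode(parse_stored(STORED)["hash"])))
```

For the value in the post this gives a start and length of (21, 16) for the salt and (38, 32) for the hash, and the hash decodes to 24 bytes.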