Hi Mr. Tobias, We are having a similar problem. It seems that when the galaxy code was updates, new created/updated passwords are using a different encryption mode. This new mode, PBKDF2 SHA256 is NOT supported by proftpd 1.3.4d that you see to be using. We had to compile proftpd from source since version 1.3.5rc3 does support this encryption. Now in the password PBKDF2$sha256$10000$8h/4HmD1Eu6NTc7F$Slb1H5a9YJvR6A3cUnZCUfh7tOWKfRuh I was able to deduce the following by reading the code from git hub "password.py". The encrypted password is acually Slb1H5a9YJvR6A3cUnZCUfh7tOWKfRuh where the salt is 8h/4HmD1Eu6NTc7F using PBKDF2 SHA256 with an illiteration value of 10000. The most importnat part is that the salt, is right there, from character 21 to 36. With the newly compiled proftpd, I have the following configuration at proftpd.conf: # This is a basic ProFTPD configuration file (rename it to # 'proftpd.conf' for actual use. It establishes a single server # and a single anonymous login. It assumes that you have a user/group # "nobody" and "ftp" for normal operation and anon. ServerName "Genomics01 ProFTPd" ServerType standalone DefaultServer on DeferWelcome off UseIPv6 on IdentLookups off MultilineRFC2228 on ShowSymlinks on ModulePath /usr/local/galaxy/downloads/proftpd-1.3.5rc3/modules/ LoadModule mod_sql.c LoadModule mod_sql_postgres.c LoadModule mod_sql_passwd.c <IfModule mod_sql.c> SQLBackend postgres SQLEngine on SQLAuthenticate users SQLAuthTypes SHA1 SHA256 pbkdf2 SQLPasswordPBKDF2 SHA256 1000 24 #SQLPasswordSaltFile /path/to/file SQLConnectInfo galaxydb@localhost:5432 ftpuser mypassword SQLUserInfo custom:/LookupGalaxyUser SQLNamedQuery LookupGalaxyUser SELECT "email,password,'galaxy','galaxy','/usr/local/galaxy/galaxy-dist/database/ftp/%U','/bin/bash' FROM galaxy_user WHERE email='%U'" SQLPasswordUserSalt sql:/GetUserSalt SQLNamedQuery LookupGalaxyUser SELECT "email, (CASE WHEN substring(password from 1 for 6) = 'PBDKF2' THEN substring(password from 38 for 69) ELSE password END) AS password2,'galaxy','galaxy','/usr/local/galaxy/galaxy-dist/database/ftp/%U','/bin/bash' FROM galaxy_user WHERE email='%U'" SQLNamedQuery GetUserSalt SELECT "(CASE WHEN SUBSTRING (password from 1 for 6) = 'PBDKF2' THEN SUBSTRING (password from 21 for 36) END) AS salt FROM galaxy_user WHERE email='%U'" </IfModule> SQLDefaultGID 1002 SQLDefaultUID 1002 TimeoutNoTransfer 600 TimeoutStalled 600 TimeoutIdle 1200 DisplayLogin welcome.msg DisplayChdir .message true ListOptions "-l" DenyFilter \*.*/ # Use this to jail all users in their homes DefaultRoot ~ CreateHome on dirmode 700 AllowOverwrite on AllowStoreRestart on SQLPasswordEngine on SQLPasswordEncoding hex PassivePorts 30000 40000 # Port 21 is the standard FTP port. Port 21 # Don't use IPv6 support by default. # Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable. Umask 077 # To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd). MaxInstances 30 # Set the user and group under which the server will run. User galaxy Group galaxy # To cause every FTP user to be "jailed" (chrooted) into their home # directory, uncomment this line. #DefaultRoot ~ # Normally, we want files to be overwriteable. AllowOverwrite on #AuthOrder mod_sql.c # Bar use of SITE CHMOD by default #<Limit SITE_CHMOD> # DenyAll #</Limit> Include /etc/proftpd/conf.d/ With the configuration above, I can still connect to users that have SHA1 passwords, but I think I need a little more tweeking to get it to work with the new passwords. Best, --Ricardo Perez