support pbkdf2 in proftpd 1.3.5rc3
Dear galaxy developers,

We have tried today to upgrade our proftpd configuration to make uploading for our galaxy users possible again, both for users with "old" as well as "new" style hashed passwords. We upgraded proftpd on the server to 1.3.5rc3 and have the following SQL part in our configuration file based on the post of http://dev.list.galaxyproject.org/ProFTPD-integration-with-Galaxy-td4660295....

    SQLEngine on
    SQLLogFile /var/log/proftpd-sql.log
    SQLBackend postgres
    SQLConnectInfo galaxy@localhost:5840 galaxyftp <[ourpassword]>
    SQLAuthTypes SHA1 SHA256 PBKDF2
    SQLPasswordPBKDF2 SHA256 1000 24
    SQLPasswordUserSalt sql:/GetUserSalt
    SQLAuthenticate users
    SQLDefaultUID 108
    SQLDefaultGID 116
    SQLDefaultHomedir /opt/cloudman/pkg/proftpd/var
    SQLUserInfo custom:/LookupGalaxyUser
    SQLNamedQuery LookupGalaxyUser SELECT "email, (CASE WHEN substring(password from 1 for 6) = 'PBKDF2' THEN substring(password from 38 for 32) ELSE password END) AS password2,'108','116','/mnt/galaxyData/tmp/ftp/%U','/bin/bash' FROM galaxy_user WHERE email='%U'"
    SQLNamedQuery GetUserSalt SELECT "(CASE WHEN SUBSTRING (password from 1 for 6) = 'PBKDF2' THEN SUBSTRING (password from 21 for 16) END) AS salt FROM galaxy_user WHERE email='%U'"

We have executed the LookupGalaxyUser and GetUserSalt commands manually, and the results look good. Now, old users can login via ftp, but for a new user, the authentication still fails:

    2013-07-26 13:15:06,989 mod_sql/4.3[31761]: >>> cmd_check
    2013-07-26 13:15:06,989 mod_sql/4.3[31761]: checking password using SQLAuthType 'sha1'
    2013-07-26 13:15:06,989 mod_sql/4.3[31761]: 'sha1' SQLAuthType handler reports failure
    2013-07-26 13:15:06,989 mod_sql/4.3[31761]: checking password using SQLAuthType 'pbkdf2'
    2013-07-26 13:15:06,993 mod_sql/4.3[31761]: 'pbkdf2' SQLAuthType handler reports failure

What are we missing?

Thanks!
Rob and Leon

--
Hailiang (Leon) Mei
Netherlands Bioinformatics Center
BioAssist NGS Taskforce - http://ngs.nbic.nl <https://wiki.nbic.nl/index.php/Next_Generation_Sequencing>
Skype: leon_mei
Mobile: +31 6 41709231
Hallo Leon and Rob,

Thanks for working on this, when I'd looked a couple months ago I could not find an entirely-ProFTPD way to do this. I think it may have actually come about because I asked about it on their IRC channel. ;)

This may work if you change SQLPasswordPBKDF2:

    SQLPasswordPBKDF2 SHA256 10000 24

It'd be great if ProFTPD also supported pulling those values dynamically from the database, but Galaxy's PBKDF2 code currently has them hardcoded, so they will be static anyway.

--nate
___________________________________________________________
Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
Hi Nate,

Thanks for the suggestion! Unfortunately, it still failed :(

I got the following error message in proftp log:

    2013-08-09 08:32:41,777 mod_sql/4.3[32384]: entering postgres cmd_escapestring
    2013-08-09 08:32:41,777 mod_sql/4.3[32384]: entering postgres cmd_open
    2013-08-09 08:32:41,777 mod_sql/4.3[32384]: connection 'default' count is now 2
    2013-08-09 08:32:41,777 mod_sql/4.3[32384]: exiting postgres cmd_open
    2013-08-09 08:32:41,777 mod_sql/4.3[32384]: entering postgres cmd_close
    2013-08-09 08:32:41,777 mod_sql/4.3[32384]: connection 'default' count is now 1
    2013-08-09 08:32:41,777 mod_sql/4.3[32384]: exiting postgres cmd_close
    2013-08-09 08:32:41,777 mod_sql/4.3[32384]: exiting postgres cmd_escapestring
    2013-08-09 08:32:41,777 mod_sql/4.3[32384]: cache hit for user 'hailiang.mei1@nbic.nl'
    2013-08-09 08:32:41,777 mod_sql/4.3[32384]: >>> cmd_check
    2013-08-09 08:32:41,777 mod_sql/4.3[32384]: checking password using SQLAuthType 'sha1'
    2013-08-09 08:32:41,781 mod_sql/4.3[32384]: 'sha1' SQLAuthType handler reports failure
    2013-08-09 08:32:41,781 mod_sql/4.3[32384]: checking password using SQLAuthType 'sha256'
    2013-08-09 08:32:41,781 mod_sql/4.3[32384]: 'sha256' SQLAuthType handler reports failure
    2013-08-09 08:32:41,781 mod_sql/4.3[32384]: checking password using SQLAuthType 'pbkdf2'
    2013-08-09 08:32:41,841 mod_sql/4.3[32384]: 'pbkdf2' SQLAuthType handler reports failure
    2013-08-09 08:32:41,841 mod_sql/4.3[32384]: <<< cmd_check
    2013-08-09 08:32:41,841 mod_sql/4.3[32384]: <<< cmd_auth

The old user account generated before our code update still works.

I wonder how it is configured at the Galaxy main server?

Thanks,
Leon
-- Hailiang (Leon) Mei Netherlands Bioinformatics Center BioAssist NGS Taskforce - http://ngs.nbic.nl<https://wiki.nbic.nl/index.php/Next_Generation_Sequencing> Skype: leon_mei Mobile: +31 6 41709231
It isn't in use on the Main server, but now that I'm aware that ProFTPD has PBKDF2 support, I will put this on my to-do list for next week to test.

--nate
For the moment, the best solution is to disable PBKDF2 in Galaxy if you are also using FTP. That is how Galaxy main is currently configured.

-- James Taylor, Assistant Professor, Biology/CS, Emory University
Hi Nate/James,

Thanks! Where should I look into to disable PBKDF2 in the Galaxy code?

Cheers,
Leon
-- Hailiang (Leon) Mei Netherlands Bioinformatics Center BioAssist NGS Taskforce - http://ngs.nbic.nl<https://wiki.nbic.nl/index.php/Next_Generation_Sequencing> Skype: leon_mei Mobile: +31 6 41709231
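The parameter check this thread is circling, as an added example (not code from Galaxy, ProFTPD or any of the posters): it applies the two SUBSTRING offsets from the posted queries to a constructed stored value and recomputes PBKDF2 under each candidate setting. Assumptions, also labelled in the code: the stored layout `PBKDF2$sha256$10000$<salt>$<hash>` is inferred from those offsets, the salt is fed to PBKDF2 as its stored text, the hash field is base64, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Assumed layout, inferred from the SUBSTRING offsets in the posted queries:
#   PBKDF2$sha256$10000$<16-char salt>$<32-char hash>
# 24 key bytes encode to 32 base64 characters (hex would need 48), so the
# hash field is assumed to be base64. The salt is assumed to be used as text.


def make_stored(password, salt_text, iterations=10000, keylen=24):
    """Build a constructed stored value in the assumed layout (test data only)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt_text.encode(),
                             iterations, keylen)
    return "PBKDF2$sha256$%d$%s$%s" % (iterations, salt_text,
                                       base64.b64encode(dk).decode())


def sql_substring(value, start, length):
    """PostgreSQL substring(value from start for length): start is 1-based."""
    return value[start - 1:start - 1 + length]


def split_like_queries(stored):
    """Mirror GetUserSalt and LookupGalaxyUser from the posted configuration."""
    if sql_substring(stored, 1, 6) != "PBKDF2":
        return None, stored  # legacy hash: no salt, stored value used as-is
    return sql_substring(stored, 21, 16), sql_substring(stored, 38, 32)


def offsets_are_consistent(stored):
    """Fixed offsets only line up when the prefix is exactly 20 characters."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "PBKDF2":
        return False
    salt, digest = split_like_queries(stored)
    return salt == parts[3] and digest == parts[4]


def candidate_matches(password, stored, iterations, keylen, encoding):
    """Recompute the hash as a verifier with these settings would."""
    salt, expected = split_like_queries(stored)
    if salt is None:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                             iterations, keylen)
    got = base64.b64encode(dk).decode() if encoding == "base64" else dk.hex()
    return hmac.compare_digest(got, expected)


def diagnose(password, stored):
    """Return every (iterations, encoding) pair under which the login verifies."""
    hits = []
    for iterations in (1000, 10000):  # the two values tried in the thread
        for encoding in ("hex", "base64"):
            if candidate_matches(password, stored, iterations, 24, encoding):
                hits.append((iterations, encoding))
    return hits


# Constructed sample: password and salt are made up for this example.
SAMPLE = make_stored("correct horse", "c2FsdHNhbHRzYWx0")

if __name__ == "__main__":
    print(SAMPLE)
    print("offsets consistent:", offsets_are_consistent(SAMPLE))
    print("settings that verify:", diagnose("correct horse", SAMPLE))
```

Run against a test account whose password is known, this separates an iteration-count mismatch in `SQLPasswordPBKDF2` from an encoding mismatch, which on the ProFTPD side is governed by mod_sql_passwd's `SQLPasswordEncoding` directive. A stored value whose iteration count is not five digits shifts both offsets, which `offsets_are_consistent` reports.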
participants (3)
- James Taylor
- Leon Mei
- Nate Coraor