ProFTPd-1.3.4d no longer able to authenticate users from PostgreSQL database
I was able to query my PostgreSQL DB for user authentication at one time. I deleted and then rebuilt the PostgreSQL DB and rebuilt the entire Galaxy instance in early December. Since then I cannot get ProFTPd-1.3.4d to authenticate users from the PostgreSQL database.

At that time, in my existing universe_wsgi.ini, I changed the following from postgres to postgresql:

#database_connection = postgres://galaxy:Galaxy2013@localhost:5434/galaxy_prod
database_connection = postgresql://galaxy:galaxy2013@localhost:5434/galaxy_prod

What FTP interaction behavior changes were included in this database_connection method renaming? (And how can I fix them?)

My Galaxy users can log in to Galaxy just fine and execute programs if I manually load files into the designated FTP dir and then move these to database/files.

Screen session from interactive test mode:

FTP session opened.
dispatching PRE_CMD command 'USER [valid email]' to mod_core
. . .
dispatching CMD command 'PASS (hidden)' to mod_auth
no supplemental groups found for user '[valid email]'
ROOT PRIVS at mod_auth_pam.c:338
RELINQUISH PRIVS at mod_auth_pam.c:508
mod_sql_passwd/0.4: expected 'PBKDF2$sha256$10000$1xxxxxxxxxx', got 'yyyyyy'

I am not using either PBKDF2 or sha256 (see below). Why are these prefixes appended? Xxx and yyyy are NOT the same alphanumeric strings.

SQLLogFile.txt excerpt:

Jan 06 17:27:49 mod_sql/4.3[29179]: query "SELECT email,password,'[valid email]','{UNKNOWN TAG}','/PATH/galaxy-dist/database/files/[valid email]','/bin/bash' FROM galaxy_user WHERE email='[valid email]'"
Jan 06 17:27:49 mod_sql/4.3[29179]: entering postgres cmd_close
Jan 06 17:27:49 mod_sql/4.3[29179]: connection 'default' count is now 1
Jan 06 17:27:49 mod_sql/4.3[29179]: exiting postgres cmd_close
Jan 06 17:27:49 mod_sql/4.3[29179]: exiting postgres cmd_select
Jan 06 17:27:49 mod_sql/4.3[29179]: <<< process_named_query 'LookupGalaxyUser'
Jan 06 17:27:49 mod_sql/4.3[29179]: <<< sql_lookup
Jan 06 17:27:49 mod_sql/4.3[29179]: user UID 0 below SQLMinUserUID 999, using SQLDefaultUID 65533
Jan 06 17:27:49 mod_sql/4.3[29179]: user GID 0 below SQLMinUserGID 999, using SQLDefaultGID 65533
Jan 06 17:27:49 mod_sql/4.3[29179]: cache miss for user '[valid email]'
Jan 06 17:27:49 mod_sql/4.3[29179]: user '[valid email]' cached
Jan 06 17:27:49 mod_sql/4.3[29179]: + pwd.pw_name : [valid email]
Jan 06 17:27:49 mod_sql/4.3[29179]: + pwd.pw_uid : 65533
Jan 06 17:27:49 mod_sql/4.3[29179]: + pwd.pw_gid : 65533
Jan 06 17:27:49 mod_sql/4.3[29179]: + pwd.pw_dir : /PATH/galaxy-dist/database/files/[valid email]
Jan 06 17:27:49 mod_sql/4.3[29179]: + pwd.pw_shell : /bin/bash
Jan 06 17:27:49 mod_sql/4.3[29179]: <<< cmd_getpwnam
Jan 06 17:27:49 mod_sql/4.3[29179]: >>> cmd_auth
Jan 06 17:27:49 mod_sql/4.3[29179]: entering postgres cmd_escapestring
Jan 06 17:27:49 mod_sql/4.3[29179]: entering postgres cmd_open
Jan 06 17:27:49 mod_sql/4.3[29179]: connection 'default' count is now 2
Jan 06 17:27:49 mod_sql/4.3[29179]: exiting postgres cmd_open
Jan 06 17:27:49 mod_sql/4.3[29179]: entering postgres cmd_close
Jan 06 17:27:49 mod_sql/4.3[29179]: connection 'default' count is now 1
Jan 06 17:27:49 mod_sql/4.3[29179]: exiting postgres cmd_close
Jan 06 17:27:49 mod_sql/4.3[29179]: exiting postgres cmd_escapestring
Jan 06 17:27:49 mod_sql/4.3[29179]: cache hit for user '[valid email]'
Jan 06 17:27:49 mod_sql/4.3[29179]: >>> cmd_check
Jan 06 17:27:49 mod_sql/4.3[29179]: checking password using SQLAuthType 'sha1'
Jan 06 17:27:49 mod_sql/4.3[29179]: 'sha1' SQLAuthType handler reports failure

ProFTPd conf file excerpt (based on https://wiki.galaxyproject.org/Admin/Config/Upload%20via%20FTP):

# Set up mod_sql_password - Galaxy passwords are stored as hex-encoded SHA1
SQLPasswordEngine on
SQLPasswordEncoding hex
# Set up SQLLogfile
SQLLogFile /PATH/ProFFTPd-1.3.4d/etc/SQLLogFile.txt
# Set up mod_sql to authenticate against the Galaxy database
SQLEngine on
SQLBackend postgres
SQLConnectInfo galaxy_prod@:5xxx galaxy galpwd
# port and password are changed here; they are correct in the working files.
SQLAuthTypes SHA1
SQLAuthenticate users
# An empty directory in case chroot fails
SQLDefaultHomedir /shared/app/ProFFTPd-1.3.4d/default
# Define a custom query for lookup that returns a passwd-like entry. UID and GID should match your Galaxy user.
SQLUserInfo custom:/LookupGalaxyUser
SQLNamedQuery LookupGalaxyUser SELECT "email,password,'1233','1234','/PATH/galaxy-dist/database/files/%U','/bin/bash' FROM galaxy_user WHERE email='%U'"

On Wed, Jan 8, 2014 at 4:56 PM, Hazard, E. Starr <hazards@musc.edu> wrote:
> 'PBKDF2$sha256$10000$1xxxxxxxxxx', got 'yyyyyy'
> I am not using either PBKDF2 or sha256 see below why are these prefixes appended? Xxx and yyyy are NOT the same alphanumeric strings

Are you sure? Unless you specifically disable it, Galaxy now uses PBKDF2 + SHA256 by default. I'm not sure if anybody has managed to get it working with proftp (though the support is there and it should be possible). The easy solution is to disable using PBKDF2 in universe_wsgi.ini.

Well when I declare

SQLAuthTypes SHA1 SHA256 PBKDF2
SQLPasswordPBKDF2 SHA256 10000 24

(per

I get this response:

/shared/app/ProFFTPd-1.3.4d/sbin/proftpd -d9 -n
hpcc3 proftpd[31522]: using TCP receive buffer size of 87380 bytes
hpcc3 proftpd[31522]: using TCP send buffer size of 16384 bytes
hpcc3 proftpd[31522]: mod_sql_passwd/0.4: registered 'md5' SQLAuthType handler
hpcc3 proftpd[31522]: mod_sql_passwd/0.4: registered 'sha1' SQLAuthType handler
hpcc3 proftpd[31522]: mod_sql_passwd/0.4: registered 'sha256' SQLAuthType handler
hpcc3 proftpd[31522]: mod_sql_passwd/0.4: registered 'sha512' SQLAuthType handler
hpcc3 proftpd[31522]: disabling runtime support for IPv6 connections
hpcc3 proftpd[31522]: Fatal: SQLAuthTypes: unknown SQLAuthType 'PBKDF2' on line 106 of '/shared/app/ProFFTPd-1.3.4d/etc/proftpd.conf'

SO ProFTPd-1.3.4d does not do PBKDF2

Just saw this post:
http://dev.list.galaxyproject.org/ProFTPD-integration-with-Galaxy-td4660295.html

Will move to the release candidate version of ProFTPD and try that.

THANKS for responding

Starr

On 1/8/14, 5:05 PM, "James Taylor" <james@jamestaylor.org> wrote:
> PBKDF2

So I tried a new version of ProFTPd. I was not able to locate lines in universe_wsgi.ini which disable PBKDF2.

Lines from SQLLogFile.txt:

2014-01-21 18:09:33,191 mod_sql/4.3[2275]: checking password using SQLAuthType 'sha1'
2014-01-21 18:09:33,191 mod_sql/4.3[2275]: 'sha1' SQLAuthType handler reports failure
2014-01-21 18:09:33,191 mod_sql/4.3[2275]: checking password using SQLAuthType 'sha256'
2014-01-21 18:09:33,191 mod_sql/4.3[2275]: 'sha256' SQLAuthType handler reports failure
2014-01-21 18:09:33,191 mod_sql/4.3[2275]: checking password using SQLAuthType 'pbkdf2'
2014-01-21 18:09:33,193 mod_sql/4.3[2275]: 'pbkdf2' SQLAuthType handler reports failure
2014-01-21 18:09:33,193 mod_sql/4.3[2275]: <<< cmd_check
2014-01-21 18:09:33,193 mod_sql/4.3[2275]: <<< cmd_auth
2014-01-21 18:13:54,383 mod_sql/4.3[2275]: entering postgres cmd_exit

Proftpd.conf:

# Set up mod_sql to authenticate against the Galaxy database
SQLEngine on
SQLBackend postgres
SQLConnectInfo galaxy_prod@:1234 user password
SQLAuthTypes SHA1 SHA256 PBKDF2
SQLPasswordPBKDF2 SHA256 1000 24
SQLAuthenticate users

Launch interactive session to test:

/ProFTPd-1.3.5rc3/sbin/proftpd -d9 -n

Std_Out shows:

opening scoreboard '/shared/app/ProFTPd-1.3.5rc3/var/proftpd.scoreboard'
RELINQUISH PRIVS at mod_auth.c:132
connected - local : ::ffff:128.23.191.200:21
connected - remote : 128.23.163.166:54865
FTP session opened.
dispatching PRE_CMD command 'USER galaxy@musc.edu' to mod_core
dispatching PRE_CMD command 'USER galaxy@musc.edu' to mod_core
dispatching PRE_CMD command 'USER galaxy@musc.edu' to mod_delay
dispatching PRE_CMD command 'USER galaxy@musc.edu' to mod_auth
dispatching CMD command 'USER galaxy@musc.edu' to mod_auth
dispatching POST_CMD command 'USER galaxy@musc.edu' to mod_sql
dispatching POST_CMD command 'USER galaxy@musc.edu' to mod_delay
dispatching LOG_CMD command 'USER galaxy@musc.edu' to mod_sql
dispatching LOG_CMD command 'USER galaxy@musc.edu' to mod_lo
dispatching PRE_CMD command 'PASS (hidden)' to mod_core
dispatching PRE_CMD command 'PASS (hidden)' to mod_core
dispatching PRE_CMD command 'PASS (hidden)' to mod_sql_passwd
dispatching PRE_CMD command 'PASS (hidden)' to mod_sql
dispatching PRE_CMD command 'PASS (hidden)' to mod_delay
dispatching PRE_CMD command 'PASS (hidden)' to mod_auth
dispatching CMD command 'PASS (hidden)' to mod_auth
no supplemental groups found for user 'galaxy@musc.edu'
ROOT PRIVS at mod_auth_pam.c:338
RELINQUISH PRIVS at mod_auth_pam.c:508
mod_sql_passwd/0.6: expected 'PBKDF2$sha256$10000$vHKjTtvJsQSB2BuH$dGmwtBwxQ9yAz5kxzn9nF704PKeMnReV', got '1fd439fa1297e68426765a5c0b80a6ca4591888a'
mod_sql_passwd/0.6: expected 'PBKDF2$sha256$10000$vHKjTtvJsQSB2BuH$dGmwtBwxQ9yAz5kxzn9nF704PKeMnReV', got '268f784ba4c2283244e9730500f2a8126c84169ef985a70313c16464358ecc5c'
mod_sql_passwd/0.6: expected 'PBKDF2$sha256$10000$vHKjTtvJsQSB2BuH$dGmwtBwxQ9yAz5kxzn9nF704PKeMnReV', got '5f40c627d580e898f9742508c3aa0f0fbe87850e3b389ac1'
USER galaxy@musc.edu (Login failed): No such user found.

I upgraded to ProFTPd-1.3.5rc3 because v 1.3.4 could not authenticate users on my local Galaxy instance. I understood that Galaxy was using SHA1 SHA256 PBKDF2 authentication but the programs are not yet compatible. I used a proftpd conf file based on
http://dev.list.galaxyproject.org/ProFTPD-integration-with-Galaxy-td4660295.html

I get the same problems when I use the following line in proftpd.conf:

SQLPasswordPBKDF2 SHA256 10000 24

Why am I seeing this mismatch? I tried to create a new user to see if the extant user accounts had somehow been left over from a previous build of the Galaxy user files, but the new user had the same issues.

Puzzled
Starr

On 1/8/14, 5:26 PM, "Hazard, E. Starr" <hazards@musc.edu> wrote:
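
An added example, not part of the thread and not Galaxy or ProFTPD code: in the log above every 'got' value is a bare hex string (40, 64 and 48 characters) while 'expected' is the entire stored column, so a whole-string comparison cannot succeed even with the right password. The sketch assumes the stored fields mean scheme$digest$iterations$salt$base64(key) with the salt used as literal ASCII text, which is inferred from the string layout in the log; all function names and sample values are hypothetical.

```python
import base64
import hashlib
import hmac

def make_stored(password, salt, iterations=10000, digest="sha256", keylen=24):
    """Build a constructed value in the layout shown in the log (assumed field meaning)."""
    key = hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(), iterations, keylen)
    return "PBKDF2$%s$%d$%s$%s" % (digest, iterations, salt, base64.b64encode(key).decode())

def parse_stored(stored):
    """Split scheme$digest$iterations$salt$base64(key) into typed fields."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "PBKDF2":
        raise ValueError("not a PBKDF2$... value")
    _, digest, iterations, salt, b64key = parts
    return digest, int(iterations), salt, base64.b64decode(b64key)

def verify(password, stored):
    """Field-aware check: recompute with the stored salt, compare key bytes only."""
    digest, iterations, salt, key = parse_stored(stored)
    candidate = hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(), iterations, len(key))
    return hmac.compare_digest(candidate, key)

def hex_candidates(password, stored):
    """Hex strings shaped like the three 'got' values: SHA1, SHA256, 24-byte PBKDF2."""
    digest, iterations, salt, key = parse_stored(stored)
    pw = password.encode()
    return {
        "sha1": hashlib.sha1(pw).hexdigest(),
        "sha256": hashlib.sha256(pw).hexdigest(),
        "pbkdf2": hashlib.pbkdf2_hmac(digest, pw, salt.encode(), iterations, len(key)).hex(),
    }

def whole_column_match(password, stored):
    """True if any hex candidate equals the entire stored string."""
    return any(hmac.compare_digest(c, stored) for c in hex_candidates(password, stored).values())

if __name__ == "__main__":
    stored = make_stored("example-password", "constructedSalt01")  # constructed sample
    print(stored)
    print("field-aware verify:", verify("example-password", stored))
    print("whole-column hex compare:", whole_column_match("example-password", stored))
    print({k: len(v) for k, v in hex_candidates("example-password", stored).items()})
```

Even the PBKDF2 candidate computed with the correct salt fails the whole-column comparison, because the encoding (hex versus base64) and the compared span (key versus full string) both differ.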