pjbriggs · January 19, 2016 05:23 · martenson · Feb 12, 2015
diff --git a/proftpd.conf-extract b/proftpd.conf-extract
 ServerName			"Galaxy FTP File Upload"
 ServerType			standalone
 DefaultServer			on
 PidFile                         /var/run/proftpd/proftpd-galaxy.pid

 # Port 21 is the standard FTP port.
 Port				21

 # Don't use IPv6 support by default.
 UseIPv6				off

 # Umask 022 is a good standard umask to prevent new dirs and files
 # from being group and world writable.
 Umask				077

 # To prevent DoS attacks, set the maximum number of child processes
 # to 30.  If you need to allow more than 30 concurrent connections
 # at once, simply increase this value.  Note that this ONLY works
 # in standalone mode, in inetd mode you should use an inetd server
 # that allows you to limit maximum number of processes per service
 # (such as xinetd).
 MaxInstances			30

 # Set the user and group under which the server will run.
 User				nobody
 Group				nobody

 # To cause every FTP user to be "jailed" (chrooted) into their home
 # directory, uncomment this line.
 DefaultRoot ~

 # Automatically create home directory if it doesn't exist
 CreateHome                      on dirmode 700

 # Allow users to overwrite their files
 AllowOverwrite                  on

 # Allow users to resume interrupted uploads
 AllowStoreRestart               on

 # Bar use of SITE CHMOD by default
 <Limit SITE_CHMOD>
  DenyAll
 </Limit>

 # Bar use of RETR (download) since this is not a public file drop
 <Limit RETR>
  DenyAll
 </Limit>

 # Do not authenticate against real (system) users
 AuthPAM                         off

 # Set up mod_sql_password - Galaxy passwords are stored as hex-encoded SHA1
 SQLPasswordEngine               on

 # Set this if Galaxy user UID and/or GID are less than 999
 SQLMinID			400

 # Configuration that handles PBKDF2 encryption
 # Set up mod_sql to authenticate against the Galaxy database
 SQLEngine                       on
 SQLBackend                      postgres
 SQLConnectInfo                  galaxy_db@localhost:5432 <USERNAME> <PASSWORD>
 SQLAuthTypes			PBKDF2
 SQLPasswordPBKDF2		SHA256 10000 24 
 SQLPasswordEncoding             base64
 SQLAuthenticate                 users

 # For PBKDF2 authentication
 # See http://dev.list.galaxyproject.org/ProFTPD-integration-with-Galaxy-td4660295.html
 SQLPasswordUserSalt sql:/GetUserSalt

 # Define a custom query for lookup that returns a passwd-like entry for PBKFD2
 #  UID and GID should match your Galaxy user.
 SQLUserInfo                     custom:/LookupGalaxyUser
 SQLNamedQuery			LookupGalaxyUser SELECT "email, (CASE WHEN substring(password from 1 for 6) = 'PBKDF2' THEN substring(password from 38 for 69) ELSE password END) AS password2,400,400,'/opt/galaxy/ftp_uploads/%U','/bin/bash' FROM galaxy_user WHERE email='%U'"

 # Define custom query to fetch the password salt
 SQLNamedQuery GetUserSalt SELECT "(CASE WHEN SUBSTRING (password from 1 for 6) = 'PBKDF2' THEN SUBSTRING (password from 21 for 16) END) AS salt FROM galaxy_user WHERE email='%U'"
	ServerName "Galaxy FTP File Upload"
	ServerType standalone
	DefaultServer on
	PidFile /var/run/proftpd/proftpd-galaxy.pid

	# Port 21 is the standard FTP port.
	Port 21

	# Don't use IPv6 support by default.
	UseIPv6 off

	# Umask 022 is a good standard umask to prevent new dirs and files
	# from being group and world writable.
	Umask 077

	# To prevent DoS attacks, set the maximum number of child processes
	# to 30. If you need to allow more than 30 concurrent connections
	# at once, simply increase this value. Note that this ONLY works
	# in standalone mode, in inetd mode you should use an inetd server
	# that allows you to limit maximum number of processes per service
	# (such as xinetd).
	MaxInstances 30

	# Set the user and group under which the server will run.
	User nobody
	Group nobody

	# To cause every FTP user to be "jailed" (chrooted) into their home
	# directory, uncomment this line.
	DefaultRoot ~

	# Automatically create home directory if it doesn't exist
	CreateHome on dirmode 700

	# Allow users to overwrite their files
	AllowOverwrite on

	# Allow users to resume interrupted uploads
	AllowStoreRestart on

	# Bar use of SITE CHMOD by default
	<Limit SITE_CHMOD>
	DenyAll
	</Limit>

	# Bar use of RETR (download) since this is not a public file drop
	<Limit RETR>
	DenyAll
	</Limit>

	# Do not authenticate against real (system) users
	AuthPAM off

	# Set up mod_sql_password - Galaxy passwords are stored as hex-encoded SHA1
	SQLPasswordEngine on

	# Set this if Galaxy user UID and/or GID are less than 999
	SQLMinID 400

	# Configuration that handles PBKDF2 encryption
	# Set up mod_sql to authenticate against the Galaxy database
	SQLEngine on
	SQLBackend postgres
	SQLConnectInfo galaxy_db@localhost:5432 <USERNAME> <PASSWORD>
	SQLAuthTypes PBKDF2
	SQLPasswordPBKDF2 SHA256 10000 24
	SQLPasswordEncoding base64
	SQLAuthenticate users

	# For PBKDF2 authentication
	# See http://dev.list.galaxyproject.org/ProFTPD-integration-with-Galaxy-td4660295.html
	SQLPasswordUserSalt sql:/GetUserSalt

	# Define a custom query for lookup that returns a passwd-like entry for PBKFD2
	# UID and GID should match your Galaxy user.
	SQLUserInfo custom:/LookupGalaxyUser
	SQLNamedQuery LookupGalaxyUser SELECT "email, (CASE WHEN substring(password from 1 for 6) = 'PBKDF2' THEN substring(password from 38 for 69) ELSE password END) AS password2,400,400,'/opt/galaxy/ftp_uploads/%U','/bin/bash' FROM galaxy_user WHERE email='%U'"

	# Define custom query to fetch the password salt
	SQLNamedQuery GetUserSalt SELECT "(CASE WHEN SUBSTRING (password from 1 for 6) = 'PBKDF2' THEN SUBSTRING (password from 21 for 16) END) AS salt FROM galaxy_user WHERE email='%U'"