From tep@SDSC.EDU Fri May 29 16:39:35 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id QAA12665 for ; Fri, 29 May 1998 16:39:35 -0400
Received: from postal.sdsc.edu by MIT.EDU with SMTP id AA24322; Fri, 29 May 98 16:39:31 EDT
Received: from galt (g0ldSkVTA058Ep2cWQ6l2jpNVKhpglB+@galt.sdsc.edu [132.249.40.111]) by postal.sdsc.edu (8.8.8/8.8.8/SDSCserver-16) with SMTP id NAA03844 for ; Fri, 29 May 1998 13:39:28 -0700 (PDT)
Received: by galt (SMI-8.6/1.11-client) id NAA13346; Fri, 29 May 1998 13:39:27 -0700
Message-Id: <199805292039.NAA13346@galt>
Date: Fri, 29 May 1998 13:39:27 -0700
From: Tom Perrine
Reply-To: tep@SDSC.EDU
To: krb5-bugs@MIT.EDU
Subject: kftpd supports anonymous, but is not "strong"
X-Send-Pr-Version: 3.99

>Number: 602
>Category: krb5-appl
>Synopsis: kftpd supports anonymous, but is not "strong"
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Fri May 29 16:40:01 EDT 1998
>Last-Modified:
>Originator: Tom Perrine
>Organization: San Diego Supercomputer Center, San Diego CA
>Release: krb5-1.0.5
>Environment:
System: SunOS galt 5.5.1 Generic_103640-18 sun4u sparc SUNW,Ultra-1
Architecture: sun4
>Description:
The kftpd supports anonymous login, but is based on rather old code, and does not have the features to support this well. The WU-FTPD and the logdaemon ftpd are both better options.

This patch allows a site to force non-support of anonymous FTP even if a host is mis-configured by either its owner or an intruder. This is a simple way to add defense in depth.

Also, anonymous login attempts to a Kerberos FTP server in fall-back mode might be a good tripwire.
>How-To-Repeat:
Use kftp and log in as anonymous or ftp.
>Fix: diff -r src.original/appl/gssftp/ftpd/ftpd.c src/appl/gssftp/ftpd/ftpd.c 564a565,573 > #ifdef NOANONYMOUS > reply(530, "User %s access denied.", name); > if (logging) > syslog(LOG_NOTICE, > "ANONYMOUS FTP LOGIN REFUSED (not supported) FROM %s, %s", > remotehost, name); > pw = (struct passwd *) NULL; > return; /* NOTE: cheap sleazy exit if we don't support ANONYMOUS */ > #else 573a583 > #endif 574a585 > >Audit-Trail: >Unformatted:
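Review bot: NOANONYMOUS, tested by the `#ifdef` at the top of hunk 564a565,573, is a new compile-time symbol that nothing in the patch defines or documents, so a site has no visible way to turn the refusal on other than knowing to pass `-DNOANONYMOUS` at build time; the stated goal (forcing anonymous off regardless of how the host is configured) is only met if that symbol is actually set, so the same change should add the configure or Makefile hook, or at least a line in the build notes. Two smaller points in the same hunk: the refusal is written to syslog only `if (logging)`, so the "tripwire" value described in the report depends on that flag being enabled, and the bare `return` after `pw = (struct passwd *) NULL;` leaves the function by what the comment itself calls a "cheap sleazy exit", so it is worth confirming that nothing the surrounding function normally does after a refused login (not shown in these lines) is skipped. Finally, the diff is plain line-number-keyed `diff` output against krb5-1.0.5; a context or unified diff (`diff -c` / `diff -u`) would apply more reliably to nearby revisions of ftpd.c.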
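Review bot: hunk 573a583 correctly closes the `#ifdef NOANONYMOUS` / `#else` bracket opened in the first hunk, but hunk 574a585 adds only a single empty `>` line, i.e. a stray blank line with no functional content; drop that third hunk so the change is limited to the conditional block.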