Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
X-RT-Original-Encoding: iso-8859-1
Content-Length: 4156

From donn@u.washington.edu Tue Oct 5 18:18:04 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id SAA03009 for ; Tue, 5 Oct 1999 18:18:04 -0400
Received: from jason03.u.washington.edu by MIT.EDU with SMTP id AA11656; Tue, 5 Oct 99 18:18:05 EDT
Received: from saul8.u.washington.edu (donn@saul8.u.washington.edu [140.142.82.3]) by jason03.u.washington.edu (8.9.3+UW99.09/8.9.3+UW99.08) with ESMTP id PAA09778 for ; Tue, 5 Oct 1999 15:18:00 -0700
Received: (from donn@localhost) by saul8.u.washington.edu (8.9.3+UW99.09/8.9.3+UW99.08) id PAA21716; Tue, 5 Oct 1999 15:17:58 -0700 (PDT)
Message-Id: <199910052217.PAA21716@saul8.u.washington.edu>
Date: Tue, 5 Oct 1999 15:17:58 -0700 (PDT)
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU
Subject: ftp gets credentials for wrong host in DNS cluster
X-Send-Pr-Version: 3.99

>Number: 765
>Category: krb5-appl
>Synopsis: ftp gets ticket for wrong host in DNS cluster
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 05 18:19:01 EDT 1999
>Last-Modified:
>Originator: Donn Cave
>Organization: University Computing Services University of Washington
>Release: krb5-1.1
>Environment:
System: AIX 4.2
Machine: RS/6000
>Description:
Ftp connects to one host and gets service ticket for another host, in DNS cluster where user specifies cluster and DNS returns a specific host name. The user's notion of the host name is submitted to the gss layer, where it's resolved again with a randomly different value.
GSSAPI error major: Miscellaneous failure GSSAPI error minor: Wrong principal in request >How-To-Repeat: Connect to dante.u.washington.edu, note that ftpd says "220 dante07 FTP server ...". Note subsequent error and failure to authenticate, and use klist to see tickets actually acquired. (Substitute some similar cluster where you have an account.) >Fix: *** appl/gssftp/ftp/ftp.c.dist Thu Sep 23 15:40:15 1999 --- appl/gssftp/ftp/ftp.c Tue Oct 5 09:42:43 1999 *************** *** 1899,1904 **** --- 1899,1906 ---- #if defined(KRB5_KRB4_COMPAT) || defined(GSSAPI) u_char out_buf[FTP_BUFSIZ]; int i; + char realhostname[128]; + struct hostent *hp; #endif /* KRB5_KRB4_COMPAT */ if (auth_type) return(1); /* auth already succeeded */ *************** *** 1921,1926 **** --- 1923,1943 ---- chan.acceptor_address.value = &hisctladdr.sin_addr.s_addr; chan.application_data.length = 0; chan.application_data.value = 0; + + /* + ** Look up actual host name, from connection IP. + ** Since gss_import_name() -> krb5_sname_to_principal() + ** will arrive at an actual name anyway, this is not a + ** question of whether we want the cluster name or the + ** actual name, but whether we want the actual name to + ** be the same one in both places, here and in the gss/krb5 + ** layers. Since we do want that, resolve it here. + */ + hp = gethostbyaddr(&hisctladdr.sin_addr, 4, AF_INET); + if (hp) + strcpy(realhostname, hp->h_name); + else + strcpy(realhostname, hostname); if (verbose) printf("GSSAPI accepted as authentication type\n"); *************** *** 1930,1936 **** for (trial = 0; trial < n_gss_trials; trial++) { /* ftp@hostname first, the host@hostname */ /* the V5 GSSAPI binding canonicalizes this for us... */ ! 
sprintf(stbuf, "%s@%s", gss_trials[trial].service_name, hostname); if (debug) fprintf(stderr, "Trying to authenticate to <%s>\n", stbuf); --- 1947,1953 ---- for (trial = 0; trial < n_gss_trials; trial++) { /* ftp@hostname first, the host@hostname */ /* the V5 GSSAPI binding canonicalizes this for us... */ ! sprintf(stbuf, "%s@%s", gss_trials[trial].service_name, realhostname); if (debug) fprintf(stderr, "Trying to authenticate to <%s>\n", stbuf); >Audit-Trail: >Unformatted:
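Review bot: realhostname[128], in the declarations added at line 1899, is smaller than the longest name DNS can return (255 bytes), and the size is a bare literal. Size the buffer for a full DNS name plus the terminator and give that size a name, so that the copies into it can be bounded against the same constant.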
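Review bot: both strcpy calls into realhostname, at the end of the block added at line 1923, are unbounded. hp->h_name is whatever the resolver returned for the peer address and hostname is the user's argument, and neither is checked against the 128-byte buffer. Copy with an explicit limit and terminator, or fail the attempt when the name does not fit. In the gethostbyaddr call the literal 4 would read better as sizeof(hisctladdr.sin_addr). The comment explains why the lookup is done here; it should also say that when the reverse lookup fails the code falls back to the user's name, so the original mismatch can recur in that case.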
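Review bot: the sprintf into stbuf on the changed line at 1950 has no length limit, and the size of stbuf is not visible in this hunk. Since realhostname can now carry a resolver-supplied name, use a bounded format call or check the combined length before formatting. The unchanged comment above it, "the V5 GSSAPI binding canonicalizes this for us...", should be updated to say that the name has already been resolved from the connection address.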
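The mismatch described in this report and the effect of its fix, modelled with a simulated resolver (an added example, not code from the report or from krb5). The cluster name, member names, addresses and helper functions are constructed, and a deterministic rotation stands in for the random ordering the report describes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed data: three members behind one round-robin cluster name. */
#define CLUSTER "cluster.example"
static const char *const ADDR[] = { "192.0.2.1", "192.0.2.2", "192.0.2.3" };
static const char *const NAME[] = { "node1.example", "node2.example", "node3.example" };
static unsigned next_member;    /* rotation position of the simulated DNS */

/* Simulated forward lookup: the cluster name rotates, a member name is stable. */
static int resolve(const char *host)
{
    for (int i = 0; i < 3; i++)
        if (strcmp(host, NAME[i]) == 0)
            return i;
    return (int)(next_member++ % 3);
}

/* Stand-in for the canonicalization the report attributes to the gss/krb5
 * layer: forward-resolve the name it is given, then use that member's name. */
static void gss_target(const char *service, const char *host, char *out, size_t n)
{
    snprintf(out, n, "%s@%s", service, NAME[resolve(host)]);
}

/* Returns 1 when the ticket target names the member the client connected to.
 * use_peer_name = 0: hand the user's name down (behaviour in the report).
 * use_peer_name = 1: hand down the name of the connected address (the fix). */
int ticket_matches_peer(int use_peer_name)
{
    char want[64], got[64];
    int peer = resolve(CLUSTER);    /* connect(): DNS picks one member */

    snprintf(want, sizeof want, "ftp@%s", NAME[peer]);  /* key held by that ftpd */
    gss_target("ftp", use_peer_name ? NAME[peer] : CLUSTER, got, sizeof got);
    printf("connected to %s (%s), ticket requested for %s\n", NAME[peer], ADDR[peer], got);
    return strcmp(want, got) == 0;
}

int main(void)
{
    int before = ticket_matches_peer(0);
    int after = ticket_matches_peer(1);
    printf("user's name: %s\n", before ? "match" : "mismatch");
    printf("peer's name: %s\n", after ? "match" : "mismatch");
    return 0;
}
```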