From donn@u.washington.edu Wed Dec 5 15:37:58 2001
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id PAA15082
for <bugs@RT-11.mit.edu>; Wed, 5 Dec 2001 15:37:57 -0500 (EST)
Received: from melville.u.washington.edu (melville.u.washington.edu [128.95.135.35])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id PAA08747
for <krb5-bugs@mit.edu>; Wed, 5 Dec 2001 15:37:56 -0500 (EST)
Received: (from donn@localhost)
by melville.u.washington.edu (8.11.6+UW01.08/8.11.6+UW01.10) id fB5Kbuh43700;
Wed, 5 Dec 2001 12:37:56 -0800
Message-Id: <200112052037.fB5Kbuh43700@melville.u.washington.edu>
Date: Wed, 5 Dec 2001 12:37:56 -0800
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@mit.edu
Subject: ftpd forms its service principal from host name, not connection
X-Send-Pr-Version: 3.99
>Number: 1023
>Category: krb5-appl
>Synopsis: ftpd service principal is hostname, not address lookup
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: analyzed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Dec 5 15:38:00 EST 2001
>Last-Modified: Mon Apr 8 15:16:44 EDT 2002
>Originator: Donn Cave
>Organization:
University Computing Services
University of Washington
>Release: krb5-1.2.2
>Environment:
(Any UNIX)
System: AIX melville 3 4 00600210C000
>Description:
On a host with multiple interfaces, each with its own IP and DNS
addresses, ftp connections to any but one of the addresses fail
with "wrong principal". While this could be solved by modifying
krb5_gss_accept_sec_context() to pass no service principal to
krb5_rd_req(), it would arguably be better for ftpd to at least
use the DNS name associated with the connection.
>How-To-Repeat:
Equip a host with more than one network interface, and ftp service
principals for each. Connect to a DNS name that doesn't match
gethostname(); ftp will form a service principal from the DNS name,
but ftpd will use gethostname().
>Fix:
*** appl/gssftp/ftpd/ftpd.c.pltx Wed Aug 8 13:32:06 2001--- appl/gssftp/ftpd/ftpd.c Mon Dec 3 16:13:44 2001
***************
*** 2391,2397 ****
syslog(LOG_ERR, "Couldn't get local hostname (%d)", errno);
return 0;
}
! if (!(hp = gethostbyname(localname))) {
reply(501, "couldn't canonicalize local hostname\n");
syslog(LOG_ERR, "Couldn't canonicalize local hostname");
return 0;
--- 2391,2399 ----
syslog(LOG_ERR, "Couldn't get local hostname (%d)", errno);
return 0;
}
! /* if (!(hp = gethostbyname(localname))) { */
! hp = gethostbyaddr(&ctrl_addr.sin_addr.s_addr, 4, AF_INET);
! if (!hp) {
reply(501, "couldn't canonicalize local hostname\n");
syslog(LOG_ERR, "Couldn't canonicalize local hostname");
return 0;
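Review bot: The added call gethostbyaddr(&ctrl_addr.sin_addr.s_addr, 4, AF_INET) hardcodes the address length and family, so it only works while ctrl_addr is a struct sockaddr_in. Pass sizeof(ctrl_addr.sin_addr) instead of 4, cast the first argument to the pointer type gethostbyaddr() expects, and prefer getnameinfo() on the whole socket address so the same line serves IPv6. The service principal now depends on the PTR record for the connection's local address, so a missing or mismatched reverse entry ends in the 501 reply, whose text and syslog message still say "local hostname"; reword both to name the address lookup. Delete the old gethostbyname(localname) test rather than leaving it commented out.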
>Audit-Trail:
State-Changed-From-To: open-analyzed
State-Changed-By: hartmans
State-Changed-When: Mon Apr 8 15:13:50 2002
State-Changed-Why:
This seems like a reasonable solution to the problem.
If we don't end up dropping ftp and recommending people use
one of the other ftp implementations
before the next release off the trunk, adopting an implementation of this patch
that works with IPV6 would be good.
>Unformatted:
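
The analysis comment asks for a version of this lookup that works with IPv6. One address-family-independent way to name the connection's local address, as an added example that is not code from the report or from the krb5 tree: local_name_for_conn() and same_addr() are hypothetical names, and the forward-confirmation step goes beyond the submitted patch. It assumes the socket is not a dual-stack listener reporting IPv4-mapped IPv6 addresses.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Added example; same_addr() and local_name_for_conn() are hypothetical names.
 * Compare two socket addresses by family and address bytes, ignoring the port. */
static int same_addr(const struct sockaddr *a, const struct sockaddr *b)
{
    const struct sockaddr_in *a4 = (const void *)a, *b4 = (const void *)b;
    const struct sockaddr_in6 *a6 = (const void *)a, *b6 = (const void *)b;

    if (a->sa_family != b->sa_family)
        return 0;
    if (a->sa_family == AF_INET)
        return memcmp(&a4->sin_addr, &b4->sin_addr, sizeof(a4->sin_addr)) == 0;
    if (a->sa_family == AF_INET6)
        return memcmp(&a6->sin6_addr, &b6->sin6_addr, sizeof(a6->sin6_addr)) == 0;
    return 0;
}

/* Name the local end of connected socket fd (AF_INET or AF_INET6) in buf.
 * ni_flags goes to getnameinfo(); NI_NAMEREQD rejects an address with no PTR
 * record. The name is kept only if it resolves forward to the same address.
 * Returns 0 on success, otherwise an EAI_* code (EAI_SYSTEM: check errno). */
int local_name_for_conn(int fd, int ni_flags, char *buf, size_t buflen)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    struct addrinfo hints, *res, *ai;
    int rc, match = 0;

    if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0)
        return EAI_SYSTEM;
    rc = getnameinfo((struct sockaddr *)&ss, len, buf, (socklen_t)buflen,
                     NULL, 0, ni_flags);
    if (rc != 0)
        return rc;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = ss.ss_family;
    hints.ai_socktype = SOCK_STREAM;
    rc = getaddrinfo(buf, NULL, &hints, &res);
    if (rc != 0)
        return rc;
    for (ai = res; ai != NULL; ai = ai->ai_next)
        match |= same_addr(ai->ai_addr, (struct sockaddr *)&ss);
    freeaddrinfo(res);
    return match ? 0 : EAI_NONAME;
}
```

Called with NI_NAMEREQD on the control connection's descriptor, it yields the host part for the service principal and returns an error when reverse and forward DNS disagree.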