From donn@u.washington.edu Wed Dec 5 15:37:58 2001
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id PAA15082
for <bugs@RT-11.mit.edu>; Wed, 5 Dec 2001 15:37:57 -0500 (EST)
Received: from melville.u.washington.edu (melville.u.washington.edu [128.95.135.35])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id PAA08747
for <krb5-bugs@mit.edu>; Wed, 5 Dec 2001 15:37:56 -0500 (EST)
Received: (from donn@localhost)
by melville.u.washington.edu (8.11.6+UW01.08/8.11.6+UW01.10) id fB5Kbuh43700;
Wed, 5 Dec 2001 12:37:56 -0800
Message-Id: <200112052037.fB5Kbuh43700@melville.u.washington.edu>
Date: Wed, 5 Dec 2001 12:37:56 -0800
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@mit.edu
Subject: ftpd forms its service principal from host name, not connection
X-Send-Pr-Version: 3.99

>Number: 1023
>Category: krb5-appl
>Synopsis: ftpd service principal is hostname, not address lookup
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: analyzed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Dec 5 15:38:00 EST 2001
>Last-Modified: Mon Apr 8 15:16:44 EDT 2002
>Originator: Donn Cave
>Organization:
University Computing Services
University of Washington
>Release: krb5-1.2.2
>Environment:
(Any UNIX)
System: AIX melville 3 4 00600210C000


>Description:
On a host with multiple interfaces, each with its own IP and DNS
addresses, ftp connections to any but one of the addresses fail
with "wrong principal". While this could be solved by modifying
krb5_gss_accept_sec_context() to pass no service principal to
krb5_rd_req(), it would arguably be better for ftpd to at least
use the DNS name associated with the connection.
>How-To-Repeat:
Equip a host with more than one network interface, and ftp service
principals for each. Connect to a DNS name that doesn't match
gethostname(); ftp will form a service principal from the DNS name,
but ftpd will use gethostname().
>Fix:
*** appl/gssftp/ftpd/ftpd.c.pltx Wed Aug 8 13:32:06 2001
--- appl/gssftp/ftpd/ftpd.c Mon Dec 3 16:13:44 2001
***************
*** 2391,2397 ****
syslog(LOG_ERR, "Couldn't get local hostname (%d)", errno);
return 0;
}
! if (!(hp = gethostbyname(localname))) {
reply(501, "couldn't canonicalize local hostname\n");
syslog(LOG_ERR, "Couldn't canonicalize local hostname");
return 0;
--- 2391,2399 ----
syslog(LOG_ERR, "Couldn't get local hostname (%d)", errno);
return 0;
}
! /* if (!(hp = gethostbyname(localname))) { */
! hp = gethostbyaddr(&ctrl_addr.sin_addr.s_addr, 4, AF_INET);
! if (!hp) {
reply(501, "couldn't canonicalize local hostname\n");
syslog(LOG_ERR, "Couldn't canonicalize local hostname");
return 0;
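Review bot: The new gethostbyaddr() call hardcodes the length 4 and AF_INET, so the lookup is only correct when the control connection is IPv4; pass sizeof(ctrl_addr.sin_addr) at minimum, or better, resolve the full socket address with getnameinfo() so an IPv6 connection is handled too. The old gethostbyname(localname) line is left in as a comment and should be deleted rather than kept. The 501 reply and the syslog message still say "local hostname" although the failing step is now a reverse lookup of an address, so a missing PTR record will be logged misleadingly; reword both. The context above the change still treats a failed local hostname fetch as fatal even though localname no longer feeds this lookup, which is worth revisiting in the same change.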
>Audit-Trail:

State-Changed-From-To: open-analyzed
State-Changed-By: hartmans
State-Changed-When: Mon Apr 8 15:13:50 2002
State-Changed-Why:
This seems like a reasonable solution to the problem.
If we don't end up dropping ftp and recommending people use
one of the other ftp implementations
before the next release off the trunk, adopting an implementation of this patch
that works with IPV6 would be good.

>Unformatted:
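
An address-family-independent form of the lookup in the Fix above, as the audit trail asks for; this is an added example, not code from the report or from krb5. The function names are hypothetical, and the `service@host` output (the GSS-API host-based name form) and the flag choice are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Build "service@host" from a socket address of either family.
 * flags: NI_NAMEREQD in a server, so a missing PTR record is an error;
 * NI_NUMERICHOST skips DNS and is used here only for offline checks.
 * Returns 0 on success or an EAI_* code from <netdb.h>. */
int service_name_from_addr(const struct sockaddr *sa, socklen_t salen,
                           const char *service, int flags,
                           char *out, size_t outlen)
{
    char host[1025];                 /* room for any DNS name */
    int rc = getnameinfo(sa, salen, host, sizeof host, NULL, 0, flags);
    if (rc != 0)
        return rc;
    int n = snprintf(out, outlen, "%s@%s", service, host);
    if (n < 0 || (size_t)n >= outlen)
        return EAI_OVERFLOW;         /* refuse to hand back a truncated name */
    return 0;
}

/* Name the service after the local address the client connected to,
 * instead of after gethostname(). Works for IPv4 and IPv6 sockets. */
int service_name_for_connection(int fd, const char *service, int flags,
                                char *out, size_t outlen)
{
    struct sockaddr_storage local;
    socklen_t len = sizeof local;
    if (getsockname(fd, (struct sockaddr *)&local, &len) != 0)
        return EAI_SYSTEM;           /* errno holds the cause */
    return service_name_from_addr((struct sockaddr *)&local, len,
                                  service, flags, out, outlen);
}

int main(void)
{
    /* Constructed input: the IPv6 loopback address, formatted without DNS. */
    struct sockaddr_in6 a6;
    char name[128];
    memset(&a6, 0, sizeof a6);
    a6.sin6_family = AF_INET6;
    inet_pton(AF_INET6, "::1", &a6.sin6_addr);
    if (service_name_from_addr((struct sockaddr *)&a6, sizeof a6, "ftp",
                               NI_NUMERICHOST, name, sizeof name) == 0)
        puts(name);
    return 0;
}
```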