From benno@columbia.edu Fri Feb 22 13:54:57 2002
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id NAA20629
for <bugs@RT-11.mit.edu>; Fri, 22 Feb 2002 13:54:56 -0500 (EST)
Received: from starscream.cc.columbia.edu (starscream.cc.columbia.edu [128.59.39.90])
by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id NAA22785
for <krb5-bugs@mit.edu>; Fri, 22 Feb 2002 13:54:56 -0500 (EST)
Received: (from benno@localhost)
by starscream.cc.columbia.edu (8.9.3/8.9.3) id NAA22638;
Fri, 22 Feb 2002 13:54:55 -0500 (EST)
Message-Id: <200202221854.NAA22638@starscream.cc.columbia.edu>
Date: Fri, 22 Feb 2002 13:54:55 -0500 (EST)
From: benno@columbia.edu
Reply-To: benno@columbia.edu
To: krb5-bugs@mit.edu
Cc: benno@columbia.edu
Subject: gssftpd does not properly support multihomed hosts
X-Send-Pr-Version: 3.99

>Number: 1059
>Category: krb5-appl
>Synopsis: gssftpd does not properly support multihomed hosts
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Feb 22 13:55:00 EST 2002
>Last-Modified:
>Originator: Benjamin Oshrin
>Organization:
Columbia University AcIS
>Release: krb5-1.2.3
>Environment:
System: SunOS starscream 5.8 Generic_108528-11 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4

>Description:
We have a pool of servers fronted by "server load balancing" to
minimize user visible downtime. Each server is configured with
two interfaces: the real interface, known by the server's
hostname, and a virtual interface, which uses the address of the
pool slb vif. All of this is fronted by a DNS alias.

For example, the name "newcunix.cc.columbia.edu", the name that
is publicized to end users, is an alias for
"newcunixpool.cc.columbia.edu". "hazelnut.cc.columbia.edu" is
a member of the newcunix pool, and so listens on hme0 for hazelnut
and hme0:10 for newcunixpool. Our network hardware routes connections
to newcunixpool to an available host that is listening on that
address.

The problem arises when a user attempts to establish a kerberized
ftp session to these hosts, using either the ftp client included
with the distribution or other clients, such as MacOS Fetch.
The client correctly obtains a ticket for host/newcunixpool,
but upon connection the server expects a ticket for host/hazelnut
since that is the name returned by gethostname(3c).

>How-To-Repeat:
Set up a configuration similar to what is described above. It is
not necessary to use slb to test; the only requirement is a host
available via more than one hostname.
>Fix:
The following patch fixes the problem on Solaris by looking at
all /etc/hostname.* files for defined hostnames to try. This
is probably not a very portable patch.

*** ftpd.c Sat Dec 22 03:04:09 2001
--- ftpd.c.mh Fri Feb 22 13:45:56 2002
***************
*** 2351,2356 ****
--- 2351,2363 ----
char **service;
struct hostent *hp;

+ #if defined(COLUMBIA)
+ char **lhostnames = NULL;
+ int lhostlen = 0, x;
+ DIR *dirp = NULL;
+ struct dirent *dp;
+ #endif
+
chan.initiator_addrtype = GSS_C_AF_INET;
chan.initiator_address.length = 4;
chan.initiator_address.value = &his_addr.sin_addr.s_addr;
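Review bot: nothing in this patch adds `#include <dirent.h>` for the `DIR *dirp` and `struct dirent *dp` declared here, so unless ftpd.c already pulls it in the COLUMBIA build will not compile; the include should be part of the same change. Also `x` is declared `int` but is later compared against `strlen(nhname)` (`for(x = 0;x < strlen(nhname);x++)` in the next hunk), a signed/unsigned comparison; declare it `size_t` or loop on an `int` bound.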
***************
*** 2370,2375 ****
--- 2377,2454 ----
tok.value = gout_buf;
tok.length = length;

+ #if defined(COLUMBIA)
+ /* Determine the possible set of hostnames to try by
+ looking in /etc/hostname.*
+ */
+
+ dirp = opendir("/etc");
+
+ if(dirp)
+ {
+ while((dp = readdir(dirp)) != NULL) {
+ if(strlen(dp->d_name) > 9 &&
+ (FILENAME_MAX - strlen(dp->d_name) > 10) &&
+ strncmp(dp->d_name, "hostname.", 9)==0)
+ {
+ /* Add the contents of this file to the array */
+
+ FILE *hfin = NULL;
+ char hfname[FILENAME_MAX];
+ char nhname[MAXHOSTNAMELEN];
+ char **newhostnames = NULL;
+
+ sprintf(hfname, "/etc/%s\0", dp->d_name);
+
+ hfin = fopen(hfname, "r");
+
+ if(hfin)
+ {
+ memset(nhname, 0, MAXHOSTNAMELEN);
+ fgets(nhname, MAXHOSTNAMELEN, hfin);
+ fclose(hfin);
+
+ for(x = 0;x < strlen(nhname);x++)
+ if(nhname[x] == '\r' || nhname[x] == '\n')
+ {
+ nhname[x] = '\0';
+ break;
+ }
+
+ if(!(hp = gethostbyname(nhname)))
+ {
+ reply(501, "couldn't canonicalize hostname\n");
+
+ /* We don't return, however, since there may be
+ * other names. Not worth syslogging this.
+ */
+ }
+ else
+ {
+ newhostnames = (char **)malloc((sizeof(char *)) *
+ (lhostlen + 1));
+
+ if(newhostnames)
+ {
+ for(x = 0;x < lhostlen;x++)
+ newhostnames[x] = lhostnames[x];
+
+ newhostnames[lhostlen] = strdup(hp->h_name);
+ lhostlen++;
+
+ if(lhostnames)
+ free(lhostnames);
+ lhostnames = newhostnames;
+ newhostnames = NULL;
+ }
+ }
+ }
+ }
+ }
+
+ closedir(dirp);
+ }
+ #else /* COLUMBIA */
if (gethostname(localname, MAXHOSTNAMELEN)) {
reply(501, "couldn't get local hostname (%d)\n", errno);
syslog(LOG_ERR, "Couldn't get local hostname (%d)", errno);
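Review bot: the `reply(501, "couldn't canonicalize hostname\n")` inside the readdir loop sends a 501 down the control connection for every /etc/hostname.* entry that fails to resolve, yet the code deliberately carries on and later sends the real ADAT response, so one ADAT command can produce several replies and confuse the client; drop the reply() here and only syslog (the comment argues the reverse, but an extra reply is the more harmful of the two). Three smaller points in the same block: the `\0` inside `"/etc/%s\0"` is redundant (the literal already ends at the NUL), and `snprintf(hfname, sizeof hfname, "/etc/%s", dp->d_name)` would replace both it and the hand-computed `FILENAME_MAX - strlen(dp->d_name) > 10` check; the `fgets()` return value is not checked, so an empty hostname.* file produces `gethostbyname("")`; and neither the strdup'd names nor the `lhostnames` array are ever freed, while a host with no hostname.* files leaves `lhostlen` at 0 so no service name is tried at all.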
***************
*** 2382,2390 ****
}
strncpy(localname, hp->h_name, sizeof(localname) - 1);
localname[sizeof(localname) - 1] = '\0';

for (service = gss_services; *service; service++) {
! sprintf(service_name, "%s@%s", *service, localname);
name_buf.value = service_name;
name_buf.length = strlen(name_buf.value) + 1;
if (debug)
--- 2461,2475 ----
}
strncpy(localname, hp->h_name, sizeof(localname) - 1);
localname[sizeof(localname) - 1] = '\0';
+ #endif /* COLUMBIA */

for (service = gss_services; *service; service++) {
! #if defined(COLUMBIA)
! for(x = 0;x < lhostlen;x++) {
! sprintf(service_name, "%s@%s", *service, lhostnames[x]);
! #else
! sprintf(service_name, "%s@%s", *service, localname);
! #endif
name_buf.value = service_name;
name_buf.length = strlen(name_buf.value) + 1;
if (debug)
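Review bot: the COLUMBIA branch of the `sprintf(service_name, "%s@%s", *service, lhostnames[x])` drops the bound the original code had. `localname` is filled with `strncpy(..., sizeof(localname) - 1)` before it reaches the `#else` sprintf, whereas `lhostnames[x]` is an unbounded `strdup(hp->h_name)` written into `service_name`, a fixed buffer (`char service_name[MAXHOSTNAMELEN+10]` in the 1097 report's hunk below). Use `snprintf(service_name, sizeof service_name, "%s@%s", ...)` in both branches and skip names that would truncate.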
***************
*** 2425,2431 ****
);
if (accept_maj==GSS_S_COMPLETE||accept_maj==GSS_S_CONTINUE_NEEDED)
break;
! }

if (found) {
if (accept_maj!=GSS_S_COMPLETE && accept_maj!=GSS_S_CONTINUE_NEEDED) {
--- 2510,2519 ----
);
if (accept_maj==GSS_S_COMPLETE||accept_maj==GSS_S_CONTINUE_NEEDED)
break;
! #if defined(COLUMBIA)
! }
! #endif /* COLUMBIA */
! }

if (found) {
if (accept_maj!=GSS_S_COMPLETE && accept_maj!=GSS_S_CONTINUE_NEEDED) {
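Review bot: the `break` taken when gss_accept_sec_context() returns GSS_S_COMPLETE or GSS_S_CONTINUE_NEEDED now sits inside the inner `for(x = 0;x < lhostlen;x++)` loop that the added `#if defined(COLUMBIA) }` closes, so it leaves only that loop; the outer `for (service ...)` loop keeps going, runs gss_accept_sec_context() again for the next service name with a fresh `gcontext`, and overwrites the `accept_maj`, `gcontext` and `client` of the successful attempt. Either set a flag that the outer loop tests, or exit both loops with a single `goto` to a label placed before `if (found)`.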
>Audit-Trail:
>Unformatted:
From ali_m_000@hotmail.com Fri Apr 26 12:28:56 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id MAA06986
for <bugs@RT-11.mit.edu>; Fri, 26 Apr 2002 12:28:56 -0400 (EDT)
Received: from hotmail.com (f152.pav1.hotmail.com [64.4.31.152])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id MAA16792
for <krb5-bugs@mit.edu>; Fri, 26 Apr 2002 12:28:55 -0400 (EDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
Fri, 26 Apr 2002 09:28:54 -0700
Received: from 160.83.32.30 by pv1fd.pav1.hotmail.msn.com with HTTP;
Fri, 26 Apr 2002 16:28:53 GMT
Message-Id: <F152gntdb2HVZSOJl6b00000d81@hotmail.com>
Date: Fri, 26 Apr 2002 17:28:53 +0100
From: "Ali M" <ali_m_000@hotmail.com>
To: krb5-bugs@mit.edu
Subject: ftpd does not work properly on multi-homed host

>Number: 1097
>Category: krb5-appl
>Synopsis: ftpd does not get correct keytab entry on multi-homed host
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: gnats-admin
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Fri Apr 26 12:29:00 EDT 2002
>Last-Modified: Fri Apr 26 14:25:00 EDT 2002
>Originator: Super-User
>Organization:
None
>Release: krb5-1.2.4
>Environment:
All
System: SunOS secsol5 5.6 Generic_105181-21 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4

>Description:
ftpd calls gethostbyname() when building the service principal name
before asking GSSAPI to get the keytab entry. If the connection
comes in on a different interface to the one reported by `hostname`,
the incorrect key is read from the keytab.

>How-To-Repeat:

Get a box with two or more interfaces. Generate a host key for each i/f.
ftp to the interface not reported by `hostname` - you get the following...

GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Wrong principal in request
GSSAPI error: accepting context
GSSAPI ADAT failed


>Fix:

See diff -c output below...

diff -c ftpd.c ftpd.c.ORIG
*** ftpd.c Fri Apr 26 17:04:55 2002
--- ftpd.c.ORIG Fri Apr 26 15:56:13 2002
***************
*** 2350,2357 ****
char service_name[MAXHOSTNAMELEN+10];
char **service;
struct hostent *hp;
- struct sockaddr_in his_addr;
- size_t address_len;

chan.initiator_addrtype = GSS_C_AF_INET;
chan.initiator_address.length = 4;
--- 2350,2355 ----
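Review bot: the new `struct sockaddr_in his_addr` declared in this hunk is a function-local that shadows the `his_addr` the channel-binding setup a few lines below already takes the address of (`chan.initiator_address.value = &his_addr.sin_addr.s_addr;`, visible in the 1059 patch above); once getsockname() fills the local copy, the initiator address handed to gss_accept_sec_context() is the server's own address, not the client's. Give it a distinct name such as `local_addr`, and declare `address_len` as `socklen_t` rather than `size_t`, since getsockname() takes a pointer to the former and the two differ in width on 64-bit builds. Note also that the diff was produced as `diff -c ftpd.c ftpd.c.ORIG`, modified file first, so the `-` and `!` lines in the `***` halves are the new code and it has to be applied with `patch -R`; regenerating it with the arguments swapped would avoid that trap.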
***************
*** 2372,2398 ****
tok.value = gout_buf;
tok.length = length;

! /*
! * Need to get the hostname of the interface the client has
bound to
! * (on fd 0) so that we can get the correct keytable entry
! */
!
! address_len = sizeof(his_addr);
! if (getsockname(0, (struct sockaddr *)&his_addr,
&address_len) != 0) {
! reply(501, "couldn't get locally bound socket name
(%d)\n", errno);
! syslog(LOG_ERR, "couldn't get locally bound socket
name (%d)\n", errno);
return 0;
}
!
! if (!(hp = gethostbyaddr((void *)&his_addr.sin_addr,
sizeof(his_addr.sin_addr), AF_INET))) {
reply(501, "couldn't canonicalize local
hostname\n");
syslog(LOG_ERR, "Couldn't canonicalize local
hostname");
return 0;
! }
!
! if (debug)
! syslog(LOG_DEBUG, "Using interface %s\n",
hp->h_name);
!
strncpy(localname, hp->h_name, sizeof(localname) - 1);
localname[sizeof(localname) - 1] = '\0';

--- 2370,2385 ----
tok.value = gout_buf;
tok.length = length;

! if (gethostname(localname, MAXHOSTNAMELEN)) {
! reply(501, "couldn't get local hostname (%d)\n",
errno);
! syslog(LOG_ERR, "Couldn't get local hostname (%d)",
errno);
return 0;
}
! if (!(hp = gethostbyname(localname))) {
reply(501, "couldn't canonicalize local
hostname\n");
syslog(LOG_ERR, "Couldn't canonicalize local
hostname");
return 0;
! }
strncpy(localname, hp->h_name, sizeof(localname) - 1);
localname[sizeof(localname) - 1] = '\0';

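Review bot: deriving the acceptor name from `gethostbyaddr()` on the `getsockname()` result makes correctness depend on the PTR record of every interface, including a load-balancer VIF of the kind described in PR 1059, resolving to a name that has a host/ key in the keytab; a PTR that points at the pool member's real name reproduces exactly the "Wrong principal in request" failure quoted above, so the reverse-lookup requirement should be documented next to this code. `getsockname(0, ...)` also hard-codes the assumption that the control connection is on fd 0 (inetd-style startup); using the actual control socket descriptor would keep the fix correct for other startup modes.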




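Both reports above reduce to the same question: which host name should a multihomed acceptor put in the service principal. As an added example (not code from either report or from MIT krb5), this derives the name from the interface the client actually reached, using getsockname() and getnameinfo() instead of gethostname(); the loopback connection is a constructed fixture that stands in for a real multihomed host, `numeric` selects NI_NUMERICHOST so it runs without DNS, and a `sockaddr_storage` lets the same code handle IPv6.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build the GSS acceptor name "host@<name>" for the interface the client
 * actually reached: getsockname() on the accepted socket gives the local
 * address, getnameinfo() names it. The peer address stays in its own
 * variable, so nothing used for channel bindings is shadowed. numeric != 0
 * selects NI_NUMERICHOST (no DNS, for offline testing); a real server passes
 * 0 so the name matches its host/<fqdn> keytab entry. 0 = ok, -1 = failure. */
int acceptor_service_name(int fd, int numeric, char *out, size_t outlen)
{
    struct sockaddr_storage local;        /* fits IPv4 and IPv6 */
    socklen_t len = sizeof local;         /* socklen_t, not size_t */
    char host[NI_MAXHOST];
    if (getsockname(fd, (struct sockaddr *)&local, &len) != 0)
        return -1;
    if (getnameinfo((struct sockaddr *)&local, len, host, sizeof host,
                    NULL, 0, numeric ? NI_NUMERICHOST : NI_NAMEREQD) != 0)
        return -1;
    if (snprintf(out, outlen, "host@%s", host) >= (int)outlen)
        return -1;                        /* would truncate: refuse */
    return 0;
}

/* Constructed fixture (not from the reports): loopback TCP pair; returns the server-side fd or -1. */
int loopback_server_fd(void)
{
    struct sockaddr_in a;
    socklen_t alen = sizeof a;
    int ls = socket(AF_INET, SOCK_STREAM, 0), c, s;
    memset(&a, 0, sizeof a);              /* port 0: kernel picks one */
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (ls < 0 || bind(ls, (struct sockaddr *)&a, sizeof a) != 0 ||
        listen(ls, 1) != 0 ||
        getsockname(ls, (struct sockaddr *)&a, &alen) != 0)
        return -1;
    c = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0 || connect(c, (struct sockaddr *)&a, sizeof a) != 0)
        return -1;
    s = accept(ls, NULL, NULL);
    close(ls);                            /* c is left open so s stays up */
    return s;
}
```

With the fixture, `acceptor_service_name(fd, 1, ...)` yields `host@127.0.0.1`; on a real server with `numeric` = 0 the result for a connection to the pool VIF is whatever that address's PTR record names, which is the entry the keytab must contain.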
>Audit-Trail:

From: Sam Hartman <hartmans@MIT.EDU>
To: GNATS administrator <gnats-admin@rt-11.mit.edu>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-appl/1097: ftpd does not get correct keytab entry on multi-homed host
Date: Fri, 26 Apr 2002 14:24:00 -0400 (EDT)

`Sam Hartman' made changes to this PR.

--- /tmp/gnats1714ssZ Fri Apr 26 14:23:40 2002
+++ /tmp/gnats1714sLm Fri Apr 26 14:23:56 2002
@@ -16,7 +16,7 @@
Subject: ftpd does not work proerly on multi-homed host

>Number: 1097
->Category: pending
+>Category: krb5-appl
>Synopsis: ftpd does not get correct keytab entry on multi-homed host
>Confidential: no
>Severity: serious
>Unformatted: