Date: Fri, 12 Dec 2003 01:27:33 -0500
Subject: gssapi ftpd bugs with CONTINUE_NEEDED
Cc: Ken Raeburn <raeburn@mit.edu>
To: krb5-bugs@mit.edu
From: Ken Raeburn <raeburn@MIT.EDU>
Our ftpd code doesn't cope with a CONTINUE_NEEDED status from
gss_accept_sec_context. The wrong variable is checked in at least one
case. One message gets sent to the client with the token to be
returned, and then another message with a different status code is also
sent. Probably other things are going wrong too. I don't think we've
tested this path before.

The CONTINUE_NEEDED status can be returned under the new CFX support if
a context establishment token is received with an unrecognized TOK_ID
value. The test code I've set up for CFX can exercise this path when
compiled in.

Ken

From: raeburn@mit.edu
Subject: CVS Commit
Gets a bit closer, still not working...

* ftpcmd.y (getline): Allow "AUTH" as an unprotected command.
* ftpd.c (login): Fix checks for accept_sec_context status. Only send back one
message in the CONTINUE_NEEDED case.
(with_gss_error_text): New function, split out from reply_gss_error.
(reply_gss_error): Call it.
(reply_gss_error_1): New function.
(log_gss_error, log_gss_error_1): New functions.
(login): Call log_gss_error instead of syslog on error from gss_display_name.


To generate a diff of this commit:



cvs diff -r1.103 -r1.104 krb5/src/appl/gssftp/ftpd/ChangeLog
cvs diff -r1.25 -r1.26 krb5/src/appl/gssftp/ftpd/ftpcmd.y
cvs diff -r1.69 -r1.70 krb5/src/appl/gssftp/ftpd/ftpd.c

From: raeburn@mit.edu
Subject: CVS Commit
* ftp.c (do_auth): Handle a return code of 335, where the authentication
exchange requires more messages.


To generate a diff of this commit:



cvs diff -r1.76 -r1.77 krb5/src/appl/gssftp/ftp/ChangeLog
cvs diff -r1.37 -r1.38 krb5/src/appl/gssftp/ftp/ftp.c

Looks like the CFX spec is changing, so the CONTINUE_NEEDED support
isn't a priority.
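
The multi-round exchange this ticket is about, as an added model that is not code from krb5 or from the commits above: the server sends exactly one reply per ADAT round and the client keeps going while it sees 335. The function and struct names are hypothetical, the acceptor is a scripted stand-in for gss_accept_sec_context, the status values are those of RFC 2744, and the 235/535 replies are taken from RFC 2228.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values from the GSS-API C bindings (RFC 2744), redefined locally so the
   example builds without a GSS library. */
#define GSS_S_COMPLETE         0u
#define GSS_S_CONTINUE_NEEDED  1u            /* supplementary-info bit 0 */
#define GSS_S_DEFECTIVE_TOKEN  (9u << 16)    /* routine error */
#define GSS_S_FAILURE          (13u << 16)   /* routine error */
#define GSS_ERROR(x)           ((x) & 0xffff0000u) /* calling + routine fields */

/* RFC 2228 replies to ADAT. */
enum { ADAT_DONE = 235, ADAT_CONTINUE = 335, ADAT_FAILED = 535 };

/* Constructed stand-in for gss_accept_sec_context: scripted statuses. */
struct exchange { const uint32_t *script; size_t len, pos; int replies, established; };

/* Pick the single reply for one round; test the error fields first. */
int adat_reply_code(uint32_t major) {
    if (GSS_ERROR(major)) return ADAT_FAILED;
    if (major & GSS_S_CONTINUE_NEEDED) return ADAT_CONTINUE;
    return ADAT_DONE;
}

/* Server: one ADAT in, exactly one reply out; authenticated only on 235. */
int server_adat(struct exchange *x) {
    uint32_t major = x->pos < x->len ? x->script[x->pos++] : GSS_S_FAILURE;
    int code = adat_reply_code(major);
    x->replies++;
    x->established = (code == ADAT_DONE);
    return code;
}

/* Client: keep sending ADAT while the server answers 335, up to a bound. */
int client_auth(struct exchange *x, int max_rounds) {
    int code = ADAT_FAILED;
    for (int i = 0; i < max_rounds && (code = server_adat(x)) == ADAT_CONTINUE; i++)
        ;
    return code == ADAT_CONTINUE ? ADAT_FAILED : code;
}

int main(void) {
    static const uint32_t script[] = { GSS_S_CONTINUE_NEEDED, GSS_S_COMPLETE };
    struct exchange x = { script, 2, 0, 0, 0 };
    int code = client_auth(&x, 8);
    printf("final=%d replies=%d established=%d\n", code, x.replies, x.established);
    return 0;
}
```

The bound on rounds keeps a peer that answers 335 indefinitely from holding the client in the loop, and an exchange cut off that way is reported as a failure.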