To: krb5-bugs@mit.edu
From: Miro Jurišić <meeroh@meeroh.org>
Date: Thu, 23 Sep 2004 16:42:51 -0400
Subject: krb4 ftp fails in passive mode
FTP with krb4 fails in passive mode. (See transcript below.) The error
is that the server's encrypted data sent on passive data connections
has the IP address 0.0.0.0 instead of the actual IP address of the
server; as a result, when the client tries to decrypt the data using
krb_rd_priv, the IP check fails (because the check is being done against
the correct server IP address provided by the client), and krb_rd_priv
returns AP_MODIFIED.

hth

meeroh

meeroh@all-night-tool:~% kdestroy
meeroh@all-night-tool:~% kinit -4
meeroh@all-night-tool:~% ftp ftp.dialup.mit.edu
Connected to mass-toolpike.mit.edu.
220 mass-toolpike.mit.edu FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: No credentials cache found
GSSAPI error: initializing context
GSSAPI authentication failed
334 Using authentication type KERBEROS_V4; ADAT must follow
KERBEROS_V4 accepted as authentication type
Kerberos V4 authentication succeeded
200 Data channel protection level set to private.
Name (ftp.dialup.mit.edu:meeroh):
331 Kerberos user meeroh@ATHENA.MIT.EDU is authorized as meeroh;
Password required.
Password:
230 User meeroh logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (18,7,16,71,162,15)
150 Opening ASCII mode data connection for /bin/ls.
krb_rd_priv failed for KERBEROS_V4 (Message integrity error
(krb_rd_req))
226 Transfer complete.
ftp> quit

--

<http://web.meeroh.org/> | KB1FMP

"And when I have understanding of computers, I shall be
the supreme being!" -- Evil, "Time Bandits"
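
Added illustration, not part of the original report and not krb4 library code: a simplified C model of the failure described above. It parses the 227 reply from the transcript to get the data-connection address, then compares that address with the sender address carried in the protected message. The function names and result codes are hypothetical, and treating the 227 address as the address the client checks against is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this model; not the krb4 library's constants. */
enum { CHECK_OK = 0, CHECK_MODIFIED = 1, PARSE_ERROR = -1 };

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into a host-order
 * IPv4 address and port. Returns 0 on success, PARSE_ERROR otherwise. */
int parse_pasv(const char *reply, uint32_t *addr, uint16_t *port)
{
    unsigned v[6];
    const char *p = strchr(reply, '(');

    if (strncmp(reply, "227", 3) != 0 || p == NULL)
        return PARSE_ERROR;
    if (sscanf(p, "(%u,%u,%u,%u,%u,%u)",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return PARSE_ERROR;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)              /* each field must fit in one octet */
            return PARSE_ERROR;
    *addr = (uint32_t)((v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3]);
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* Model of the receiver-side check: the sender address carried in the
 * protected message must equal the address the receiver expects. */
int check_sender(uint32_t embedded_sender, uint32_t expected_sender)
{
    return embedded_sender == expected_sender ? CHECK_OK : CHECK_MODIFIED;
}

int main(void)
{
    uint32_t server;
    uint16_t port;

    /* 227 line copied from the transcript in the report. */
    if (parse_pasv("227 Entering Passive Mode (18,7,16,71,162,15)", &server, &port) != 0)
        return 1;
    printf("data connection: %u.%u.%u.%u:%u\n", (unsigned)(server >> 24),
           (unsigned)((server >> 16) & 255), (unsigned)((server >> 8) & 255),
           (unsigned)(server & 255), (unsigned)port);
    printf("sender 0.0.0.0     -> %d\n", check_sender(0, server));      /* rejected */
    printf("sender = server IP -> %d\n", check_sender(server, server)); /* accepted */
    return 0;
}
```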