Skip Menu |
 

From sandya@hpindel.cup.hp.com Fri Jun 6 15:22:10 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id PAA16209 for <bugs@RT-11.MIT.EDU>; Fri, 6 Jun 1997 15:22:09 -0400
Received: from palrel3.hp.com by MIT.EDU with SMTP
id AA25476; Fri, 6 Jun 97 15:20:59 EDT
Received: from hpindel.cup.hp.com (hpindel.cup.hp.com [15.13.104.161]) by palrel3.hp.com with ESMTP (8.7.5/8.7.3) id MAA26859 for <krb5-bugs@mit.edu>; Fri, 6 Jun 1997 12:21:52 -0700 (PDT)
Received: (from root@localhost) by hpindel.cup.hp.com (8.7.1/8.7.1) id MAA15295; Fri, 6 Jun 1997 12:24:30 -0700 (PDT)
Message-Id: <199706061924.MAA15295@hpindel.cup.hp.com>
Date: Fri, 6 Jun 1997 12:24:30 -0700 (PDT)
From: sandya@cup.hp.com
Reply-To: sandya@cup.hp.com
To: krb5-bugs@MIT.EDU
Subject: HP gssftp incompat; need CCC cmd
X-Send-Pr-Version: 3.99

Show quoted text
>Number: 434
>Category: krb5-appl
>Synopsis: HP gssftp incompat; need CCC cmd
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: tlyu
>State: analyzed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Jun 06 15:23:00 EDT 1997
>Last-Modified: Fri Apr 10 23:51:00 EDT 1998
>Originator: Sandya Bhoajaraj
>Organization:
Hewlett Packard

Show quoted text
>Release: 1.0
>Environment:

System: HP-UX hpindel B.10.20 A 9000/857 hpindel two-user license


Show quoted text
>Description:
HP's FTP implements "FTP Security Extensions" based on the
draft-ietf-ct-ftpsec-09. We use GSSAPI for authentication/authorization
purposes only. In order to do this, we encrypt the command channel till
authentication is complete. After the initial auth. is complete, the
command "CCC" is sent to clear the command channel. The MIT ftpd does not
support "CCC" and this is a major problem for us. We need MIT ftpd to
understand and implement "CCC" command to the fullest.

Our situation is described accurately by the following statement specified
in the draft for the command "CCC". The draft states that

"It is desirable in some environments to use a security
mechanism to authenticate and/or authorize the client and server, but not to
perform any integrity checking on the subsequent commands."



Show quoted text
>How-To-Repeat:
You will need a HP gssapi ftp or a client which sends a "CCC".


Show quoted text
>Fix:
I added the "CCC" command and the implementation to the MIT ftpd.
After that our client could interoperate with the MIT server.

Basically after the CCC command is sent, if an unprotected command
is sent then the data should also be unprotected. Enclosed is
a hack of the MIT ftpd.






---------------secure.h------------
*** secure.h Fri Jun 6 11:55:59 1997
--- secure.h.fix Fri Jun 6 11:57:02 1997
***************
*** 2,4 ****
--- 2,7 ----
#define SESSION &kdata.session
#define myaddr ctrl_addr
#define hisaddr data_dest
+ #define CMD_ENC_CLEAR 0 /* not encoded */
+ #define CMD_ENC_MIC 1 /* MIC command */
+ #define CMD_ENC_ENC 2 /* ENC command */


------------------ftpd.c

*** ftpd.c Fri Jun 6 12:00:38 1997
--- ftpd.c.fix Fri Jun 6 12:06:41 1997
***************
*** 86,91 ****
--- 86,92 ----
#include <stdarg.h>
#endif
#include "pathnames.h"
+ #include "secure.h"

#ifndef L_SET
#define L_SET 0
***************
*** 135,140 ****
--- 136,142 ----

char *auth_type; /* Authentication succeeded? If so, what type? */
static char *temp_auth_type;
+ extern int cmd_enc;

/*
* File containing login names
***************
*** 633,640 ****
gss_ok ? "" : " not",
name, gss_ok ? "" : "; Password required.");
/* 232 is per draft-8, but why 331 not 53z? */
- reply(gss_ok ? 232 : 331, "%s", buf);
syslog(gss_ok ? LOG_INFO : LOG_ERR, "%s", buf);
} else
#endif /* GSSAPI */
/* Other auth types go here ... */
--- 635,644 ----
gss_ok ? "" : " not",
name, gss_ok ? "" : "; Password required.");
/* 232 is per draft-8, but why 331 not 53z? */
syslog(gss_ok ? LOG_INFO : LOG_ERR, "%s", buf);
+ askpasswd = 1;
+ pass(name);
+ reply(gss_ok ? 232 : 331, "%s", buf);
} else
#endif /* GSSAPI */
/* Other auth types go here ... */
***************
*** 1429,1435 ****
sprintf(buf, fmt, p0, p1, p2, p3, p4, p5);
#endif

! if (auth_type) {
char in[FTP_BUFSIZ], out[FTP_BUFSIZ];
int length, kerror;
/*
--- 1433,1439 ----
sprintf(buf, fmt, p0, p1, p2, p3, p4, p5);
#endif

! if ((cmd_enc != CMD_ENC_CLEAR) && auth_type) {
char in[FTP_BUFSIZ], out[FTP_BUFSIZ];
int length, kerror;
/*

-----------------ftpcmd.y-------------

*** ftpcmd.y Fri Jun 6 12:19:58 1997
--- ftpcmd.y.fix Fri Jun 6 12:19:50 1997
***************
*** 62,67 ****
--- 62,68 ----
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
+ #include "secure.h"

extern char *auth_type;

***************
*** 128,133 ****
--- 129,136 ----

off_t restart_point;

+
+ int cmd_enc = CMD_ENC_CLEAR;
static int cmd_type;
static int cmd_form;
static int cmd_bytesz;
***************
*** 233,239 ****
}
| CCC CRLF
= {
! reply(534, "CCC not supported");
}
| PBSZ SP STRING CRLF
= {
--- 236,253 ----
}
| CCC CRLF
= {
! if (!auth_type) {
! reply(503,
! "CCC command requires successful security exchange.");
! } else if (cmd_enc == CMD_ENC_MIC) {
! reply(200,
! "Commands and data are only sent in a non-secure manner.");
! cmd_enc = CMD_ENC_CLEAR;
! } else {
! reply(533,
! "Command expected to be integrity-protected.");
! }
! /* reply(534, "CCC not supported"); */
}
| PBSZ SP STRING CRLF
= {
***************
*** 965,971 ****
if (c == EOF && cs == s)
return (NULL);
*cs++ = '\0';
! if (auth_type) {
char out[sizeof(cbuf)], *cp;
int len, mic;

--- 979,991 ----
if (c == EOF && cs == s)
return (NULL);
*cs++ = '\0';
! if (!strncasecmp(s, "MIC", 3))
! cmd_enc = CMD_ENC_MIC;
! else if (!strncasecmp(s, "ENC", 3))
! cmd_enc = CMD_ENC_ENC;
! else
! cmd_enc = CMD_ENC_CLEAR;
! if ((cmd_enc != CMD_ENC_CLEAR) && auth_type) {
char out[sizeof(cbuf)], *cp;
int len, mic;

***************
*** 972,977 ****
--- 992,998 ----
if ((cs = strpbrk(s, " \r\n")))
*cs++ = '\0';
upper(s);
+
#ifdef NOCONFIDENTIAL
if (!strcmp(s, "CONF")) {
reply(537, "CONF protected commands not supported.");
***************
*** 1073,1078 ****
--- 1094,1100 ----
}
#if defined KERBEROS || defined GSSAPI /* or other auth types */
else { /* !auth_type */
+ if (cmd_enc != CMD_ENC_CLEAR)
if ( (!(strncmp(s, "ENC", 3))) || (!(strncmp(s, "MIC", 3)))
#ifndef NOCONFIDENTIAL
|| (!(strncmp(s, "CONF", 4)))
Show quoted text
>Audit-Trail:

From: Sandya Bhoajaraj <sandya@bengal.cup.hp.com>
To: krb5-bugs@MIT.EDU, krb5-unassigned@RT-11.MIT.EDU
Cc: sandya@bengal.cup.hp.com
Subject: Re: krb5-appl/434:
Date: Mon, 9 Jun 97 12:55:32 PDT

Hi,

I found a problem with the fix I sent earlier. I am enclosing the
fixed files again.

Regards,
Sandya.

Show quoted text
>
> Thank you very much for your problem report.
> It has the internal identification `krb5-appl/434'.
> The individual assigned to look at your
> report is: krb5-unassigned.
>
> >Category: krb5-appl
> >Responsible: krb5-unassigned
> >Synopsis:
> >Arrival-Date: Fri Jun 06 15:23:00 EDT 1997
>

--
Sandya Bhoajaraj sandya@bengal.cup.hp.com
NCD Internet Services
Telnet:1-447-3123 Outside: 408-447-3123
Hewlett-Packard


---------------secure.h------------

*** secure.old Fri Jun 6 11:55:59 1997
--- secure.h Fri Jun 6 11:57:02 1997
***************
*** 2,4 ****
--- 2,7 ----
#define SESSION &kdata.session
#define myaddr ctrl_addr
#define hisaddr data_dest
+ #define CMD_ENC_CLEAR 0 /* not encoded */
+ #define CMD_ENC_MIC 1 /* MIC command */
+ #define CMD_ENC_ENC 2 /* ENC command */


-----------------------ftpd.c
*** ftpd.old Fri Jun 6 12:00:38 1997
--- ftpd.c Mon Jun 9 13:00:51 1997
***************
*** 86,91 ****
--- 86,92 ----
#include <stdarg.h>
#endif
#include "pathnames.h"
+ #include "secure.h"

#ifndef L_SET
#define L_SET 0
***************
*** 135,140 ****
--- 136,142 ----

char *auth_type; /* Authentication succeeded? If so, what type? */
static char *temp_auth_type;
+ extern int cmd_enc;

/*
* File containing login names
***************
*** 634,639 ****
--- 636,643 ----
name, gss_ok ? "" : "; Password required.");
/* 232 is per draft-8, but why 331 not 53z? */
reply(gss_ok ? 232 : 331, "%s", buf);
+ askpasswd = 1;
+ pass(name);
syslog(gss_ok ? LOG_INFO : LOG_ERR, "%s", buf);
} else
#endif /* GSSAPI */
***************
*** 842,847 ****
--- 846,852 ----
syslog(LOG_INFO, "ANONYMOUS FTP LOGIN FROM %s, %s",
remotehost, passwd);
} else {
+ if (!gss_ok)
reply(230, "User %s logged in.", pw->pw_name);
#ifdef SETPROCTITLE
sprintf(proctitle, "%s: %s", remotehost, pw->pw_name);
***************
*** 1429,1435 ****
sprintf(buf, fmt, p0, p1, p2, p3, p4, p5);
#endif

! if (auth_type) {
char in[FTP_BUFSIZ], out[FTP_BUFSIZ];
int length, kerror;
/*
--- 1434,1440 ----
sprintf(buf, fmt, p0, p1, p2, p3, p4, p5);
#endif

! if ((cmd_enc != CMD_ENC_CLEAR) && auth_type) {
char in[FTP_BUFSIZ], out[FTP_BUFSIZ];
int length, kerror;
/*
***************
*** 1491,1496 ****
--- 1496,1502 ----
printf("%s%c%s", level == PROT_P ? "632" : "631",
n ? cont_char : '-', in);
} else {
+ syslog("CLEAR buf = %s\n", buf);
if (n) printf("%d%c", n, cont_char);
fputs(buf, stdout);
}


----------------------ftpcmd.y

*** ftpcmd.y.old Fri Jun 6 12:19:58 1997
--- ftpcmd.y Fri Jun 6 12:19:50 1997
***************
*** 62,67 ****
--- 62,68 ----
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
+ #include "secure.h"

extern char *auth_type;

***************
*** 128,133 ****
--- 129,136 ----

off_t restart_point;

+
+ int cmd_enc = CMD_ENC_CLEAR;
static int cmd_type;
static int cmd_form;
static int cmd_bytesz;
***************
*** 233,239 ****
}
| CCC CRLF
= {
! reply(534, "CCC not supported");
}
| PBSZ SP STRING CRLF
= {
--- 236,253 ----
}
| CCC CRLF
= {
! if (!auth_type) {
! reply(503,
! "CCC command requires successful security exchange.");
! } else if (cmd_enc == CMD_ENC_MIC) {
! reply(200,
! "Commands and data are only sent in a non-secure manner.");
! cmd_enc = CMD_ENC_CLEAR;
! } else {
! reply(533,
! "Command expected to be integrity-protected.");
! }
! /* reply(534, "CCC not supported"); */
}
| PBSZ SP STRING CRLF
= {
***************
*** 965,971 ****
if (c == EOF && cs == s)
return (NULL);
*cs++ = '\0';
! if (auth_type) {
char out[sizeof(cbuf)], *cp;
int len, mic;

--- 979,991 ----
if (c == EOF && cs == s)
return (NULL);
*cs++ = '\0';
! if (!strncasecmp(s, "MIC", 3))
! cmd_enc = CMD_ENC_MIC;
! else if (!strncasecmp(s, "ENC", 3))
! cmd_enc = CMD_ENC_ENC;
! else
! cmd_enc = CMD_ENC_CLEAR;
! if ((cmd_enc != CMD_ENC_CLEAR) && auth_type) {
char out[sizeof(cbuf)], *cp;
int len, mic;

***************
*** 972,977 ****
--- 992,998 ----
if ((cs = strpbrk(s, " \r\n")))
*cs++ = '\0';
upper(s);
+
#ifdef NOCONFIDENTIAL
if (!strcmp(s, "CONF")) {
reply(537, "CONF protected commands not supported.");
***************
*** 1073,1078 ****
--- 1094,1100 ----
}
#if defined KERBEROS || defined GSSAPI /* or other auth types */
else { /* !auth_type */
+ if (cmd_enc != CMD_ENC_CLEAR)
if ( (!(strncmp(s, "ENC", 3))) || (!(strncmp(s, "MIC", 3)))
#ifndef NOCONFIDENTIAL
|| (!(strncmp(s, "CONF", 4)))

From: Tom Yu <tlyu@MIT.EDU>
To: Unassigned Problem Report <krb5-unassigned@RT-11.MIT.EDU>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-appl/434: HP gssftp incompat; need CCC cmd
Date: Wed, 18 Jun 1997 17:28:21 -0400

`Tom Yu' made changes to this PR.

--- /tmp/gnatsa005_Q Wed Jun 18 17:26:10 1997
+++ /tmp/gnatsb005_Q Wed Jun 18 17:28:06 1997
@@ -9,14 +9,14 @@
From: sandya@cup.hp.com
Reply-To: sandya@cup.hp.com
To: krb5-bugs@MIT.EDU
-Subject:
+Subject: HP gssftp incompat; need CCC cmd
X-Send-Pr-Version: 3.99

Show quoted text
>Number: 434
>Category: krb5-appl
->Synopsis:
+>Synopsis: HP gssftp incompat; need CCC cmd
Show quoted text
>Confidential: no
->Severity: critical
+>Severity: serious
Show quoted text
>Priority: high
>Responsible: krb5-unassigned
>State: open

Responsible-Changed-From-To: krb5-unassigned->tlyu
Responsible-Changed-By: tlyu
Responsible-Changed-When: Fri Apr 10 23:40:53 1998
Responsible-Changed-Why:

Refiled

State-Changed-From-To: open-analyzed
State-Changed-By: tlyu
State-Changed-When: Fri Apr 10 23:40:59 1998
State-Changed-Why:

Needs to be thought about some more.


From: Tom Yu <tlyu@MIT.EDU>
To: sandya@cup.hp.com
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-appl/434: HP gssftp incompat; need CCC cmd
Date: Fri, 10 Apr 1998 23:46:39 -0400 (EDT)

I've looked over your request to change the behavior of our ftpd. It
seems that to RFC 2228 permits a server to refuse a CCC command by
returning a reply code of 534. I might consider adding a CCC command
that will be conditional on site security policy, as it really should
be a local policy decision as to whether unprotected commands are
permitted.

---Tom
Show quoted text
>Unformatted:
HP's gss api ftp does not work with MIT's gss ftpd.
A configurable CCC command was implemented in krb5-1.1.