From root@melville.u.washington.edu Thu Aug 7 15:14:49 1997
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id PAA03599 for <bugs@RT-11.MIT.EDU>; Thu, 7 Aug 1997 15:14:49 -0400
Received: from melville.u.washington.edu by MIT.EDU with SMTP
id AA20408; Thu, 7 Aug 97 15:14:47 EDT
Received: (from root@localhost)
by melville.u.washington.edu (8.8.4+UW97.07/8.8.4+UW97.05)
id MAA113084; Thu, 7 Aug 1997 12:14:46 -0700
Message-Id: <199708071914.MAA113084@melville.u.washington.edu>
Date: Thu, 7 Aug 1997 12:14:46 -0700
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU
Subject: ftp generates service principal from cluster, not host
X-Send-Pr-Version: 3.99

>Number: 458
>Category: krb5-appl
>Synopsis: ftp should use gethostbyaddr() to get canonical service princ.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Aug 07 15:15:01 EDT 1997
>Last-Modified:
>Originator: Donn Cave
>Organization:
University of Washington University Computing Services
>Release: 1.0pl1
>Environment:
Anywhere host names are aliased.
System: AIX melville 2 4 000010504900


>Description:
Kerberos authentication fails with wrong principal name when ftp
attempts to connect to a DNS-supported cluster - where the name
used to connect (say "ftphost") is not the name of the host (say
"ftphost4".) Or I guess in any other DNS aliased situation.
>How-To-Repeat:
Use Kerberos authenticated ftp, specify an aliased host.
>Fix:
I cured this by inserting a gethostbyaddr() right after the
gethostbyname() in hookup(). If that succeeds, I copy the name
out of hp->h_name.
>Audit-Trail:
>Unformatted:
From donn@u.washington.edu Wed Apr 22 12:42:20 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA26231 for <bugs@RT-11.MIT.EDU>; Wed, 22 Apr 1998 12:42:19 -0400
Received: from melville.u.washington.edu by MIT.EDU with SMTP
id AA10576; Wed, 22 Apr 98 12:42:12 EDT
Received: (from donn@localhost)
by melville.u.washington.edu (8.8.4+UW97.07/8.8.4+UW97.05)
id JAA105042; Wed, 22 Apr 1998 09:42:07 -0700
Message-Id: <199804221642.JAA105042@melville.u.washington.edu>
Date: Wed, 22 Apr 1998 09:42:07 -0700
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU
Subject: gssftp ftp host lookup
X-Send-Pr-Version: 3.99

>Number: 583
>Category: krb5-appl
>Synopsis: ftp fails to look up actual host domain name
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Apr 22 12:43:01 EDT 1998
>Last-Modified:
>Originator: Donn Cave
>Organization:
University of Washington
>Release: 1.0.5
>Environment:
All
System: AIX melville 2 4 00600210C000


>Description:
The gssftp ftp client doesn't look up the domain name for its
connection - i.e., "reverse" lookup using gethostbyaddr().
This means that lookup is deferred to gss_import_name()
(where the lookup is courtesy of krb5_sname_to_principal()).
This deferred lookup is not reliable, in cases where the
original domain name given to the client is a DNS random
cluster of some kind and the resolution from cluster to
specific host is naturally variable. Hence, the ftp client
must look up the actual host from its IP connection.
>How-To-Repeat:
Attempt to connect via ftp to dante.u.washington.edu, or
any cluster that resolves to specific host on a variable
schedule. It's important to get this fixed in the distribution,
because large cluster sites like ours can fix the problem only
for internal connections, outside we're limited to distributing
a patch or something.
>Fix:
*** krb5-1.0.4/src/appl/gssftp/ftp/ftp.c Thu Dec 4 19:41:58 1997
--- krb5-1.0.5/src/appl/gssftp/ftp/ftp.c Wed Apr 22 09:04:54 1998
***************
*** 1841,1846 ****
--- 1841,1848 ----
#if defined(KERBEROS) || defined(GSSAPI)
u_char out_buf[FTP_BUFSIZ];
int i;
+ char realhostname[128];
+ struct hostent *hp;
#endif /* KERBEROS */

if (auth_type) return(1); /* auth already succeeded */
***************
*** 1923,1928 ****
--- 1925,1944 ----
chan.application_data.length = 0;
chan.application_data.value = 0;

+ /*
+ ** Look up actual host name, from connection IP.
+ ** Since gss_import_name() -> krb5_sname_to_principal()
+ ** will arrive at an actual name anyway, this is not a
+ ** question of whether we want the cluster name or the
+ ** actual name, but whether we want the actual name to
+ ** be the correct one.
+ */
+ hp = gethostbyaddr(&hisctladdr.sin_addr, 4, AF_INET);
+ if (hp)
+ strcpy(realhostname, hp->h_name);
+ else
+ strcpy(realhostname, hostname);
+
for (end_service_name = gss_services; *end_service_name; )
end_service_name++;
end_service_name--;
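Review bot: both strcpy() calls into realhostname are unbounded. The buffer is declared as char realhostname[128], hp->h_name is whatever the reverse lookup returned, and hostname is the name supplied by the user. Check the length before copying, or use a bounded copy with explicit NUL termination, and fail the authentication attempt rather than truncate, since a truncated name would form a different service principal.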
***************
*** 1937,1943 ****

/* ftp@hostname first, the host@hostname */
/* the V5 GSSAPI binding canonicalizes this for us... */
! sprintf(stbuf, "%s@%s", *service_name, hostname);
if (debug)
fprintf(stderr, "Trying to authenticate to <%s>\n", stbuf);

--- 1953,1959 ----

/* ftp@hostname first, the host@hostname */
/* the V5 GSSAPI binding canonicalizes this for us... */
! sprintf(stbuf, "%s@%s", *service_name, realhostname);
if (debug)
fprintf(stderr, "Trying to authenticate to <%s>\n", stbuf);

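Review bot: the changed sprintf() into stbuf now formats a name obtained from DNS rather than the one the user typed, and nothing in this hunk limits its length; the size of stbuf is not visible here. Bound the write against the size of stbuf and treat an over-long result as an error instead of writing it.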
>Audit-Trail:
>Unformatted:
From donn@u.washington.edu Tue Oct 5 18:18:04 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id SAA03009 for <bugs@RT-11.MIT.EDU>; Tue, 5 Oct 1999 18:18:04 -0400
Received: from jason03.u.washington.edu by MIT.EDU with SMTP
id AA11656; Tue, 5 Oct 99 18:18:05 EDT
Received: from saul8.u.washington.edu (donn@saul8.u.washington.edu [140.142.82.3])
by jason03.u.washington.edu (8.9.3+UW99.09/8.9.3+UW99.08) with ESMTP id PAA09778
for <krb5-bugs@mit.edu>; Tue, 5 Oct 1999 15:18:00 -0700
Received: (from donn@localhost)
by saul8.u.washington.edu (8.9.3+UW99.09/8.9.3+UW99.08) id PAA21716;
Tue, 5 Oct 1999 15:17:58 -0700 (PDT)
Message-Id: <199910052217.PAA21716@saul8.u.washington.edu>
Date: Tue, 5 Oct 1999 15:17:58 -0700 (PDT)
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU
Subject: ftp gets credentials for wrong host in DNS cluster
X-Send-Pr-Version: 3.99

>Number: 765
>Category: krb5-appl
>Synopsis: ftp gets ticket for wrong host in DNS cluster
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 05 18:19:01 EDT 1999
>Last-Modified:
>Originator: Donn Cave
>Organization:
University Computing Services
University of Washington
>Release: krb5-1.1
>Environment:
System: AIX 4.2
Machine: RS/6000
>Description:
Ftp connects to one host and gets service ticket for another host,
in DNS cluster where user specifies cluster and DNS returns a specific
host name. The user's notion of the host name is submitted to the gss
layer, where it's resolved again with a randomly different value.
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Wrong principal in request

>How-To-Repeat:
Connect to dante.u.washington.edu, note that ftpd says "220 dante07 FTP
server ...". Note subsequent error and failure to authenticate, and
use klist to see tickets actually acquired. (Substitute some similar
cluster where you have an account.)

>Fix:

*** appl/gssftp/ftp/ftp.c.dist Thu Sep 23 15:40:15 1999
--- appl/gssftp/ftp/ftp.c Tue Oct 5 09:42:43 1999
***************
*** 1899,1904 ****
--- 1899,1906 ----
#if defined(KRB5_KRB4_COMPAT) || defined(GSSAPI)
u_char out_buf[FTP_BUFSIZ];
int i;
+ char realhostname[128];
+ struct hostent *hp;
#endif /* KRB5_KRB4_COMPAT */

if (auth_type) return(1); /* auth already succeeded */
***************
*** 1921,1926 ****
--- 1923,1943 ----
chan.acceptor_address.value = &hisctladdr.sin_addr.s_addr;
chan.application_data.length = 0;
chan.application_data.value = 0;
+
+ /*
+ ** Look up actual host name, from connection IP.
+ ** Since gss_import_name() -> krb5_sname_to_principal()
+ ** will arrive at an actual name anyway, this is not a
+ ** question of whether we want the cluster name or the
+ ** actual name, but whether we want the actual name to
+ ** be the same one in both places, here and in the gss/krb5
+ ** layers. Since we do want that, resolve it here.
+ */
+ hp = gethostbyaddr(&hisctladdr.sin_addr, 4, AF_INET);
+ if (hp)
+ strcpy(realhostname, hp->h_name);
+ else
+ strcpy(realhostname, hostname);

if (verbose)
printf("GSSAPI accepted as authentication type\n");
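Review bot: in the gethostbyaddr() call the address length is the literal 4, and the returned name is used without checking that it maps back to hisctladdr.sin_addr, so the service principal is chosen entirely by the reverse zone for that address. Pass sizeof(hisctladdr.sin_addr) instead of 4, consider resolving hp->h_name forward and confirming the connected address is among the results before using it, and bound the two strcpy() calls to sizeof(realhostname).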
***************
*** 1930,1936 ****
for (trial = 0; trial < n_gss_trials; trial++) {
/* ftp@hostname first, the host@hostname */
/* the V5 GSSAPI binding canonicalizes this for us... */
! sprintf(stbuf, "%s@%s", gss_trials[trial].service_name, hostname);
if (debug)
fprintf(stderr, "Trying to authenticate to <%s>\n", stbuf);

--- 1947,1953 ----
for (trial = 0; trial < n_gss_trials; trial++) {
/* ftp@hostname first, the host@hostname */
/* the V5 GSSAPI binding canonicalizes this for us... */
! sprintf(stbuf, "%s@%s", gss_trials[trial].service_name, realhostname);
if (debug)
fprintf(stderr, "Trying to authenticate to <%s>\n", stbuf);

>Audit-Trail:
>Unformatted:
Subject: ftp should use gethostbyaddr() to get canonical service princ.
Still a serious issue, but not limited to ftp. Eventually we will be
moving away from canonicalization of the names on the client side, so
changes to ftp in this area would have to be undone later. And Sam is
looking at introducing a config file option in the short term which
would stop the name->addr->name silliness, and just do one round of
CNAME RR processing.

Unless these changes wind up not happening soon, leave this pending for
now.
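
The following is an added illustration, not part of the original reports or of the krb5 sources: a small C simulation of the failure the three reports describe, using constructed host names and addresses (example.edu, 192.0.2.x) and hypothetical helper functions that stand in for DNS. It shows that re-resolving a round-robin alias can yield a principal for a host other than the one connected to, while taking the name from the connected address does not, and it builds the principal string with a bounded write.

```c
#include <stdio.h>
#include <string.h>
/* Constructed data: the alias "ftphost" rotates over three real hosts. */
struct host { const char *name, *addr; };
static const struct host cluster[] = {
    { "ftphost1.example.edu", "192.0.2.1" },
    { "ftphost2.example.edu", "192.0.2.2" },
    { "ftphost3.example.edu", "192.0.2.3" },
};
#define NHOSTS (sizeof cluster / sizeof cluster[0])
static unsigned rr; /* round-robin cursor of the simulated DNS server */
/* Simulated forward lookup of the alias: each query returns the next member. */
static const struct host *forward_lookup(void) { return &cluster[rr++ % NHOSTS]; }
/* Simulated reverse lookup: address -> canonical name, NULL when no PTR exists. */
static const char *reverse_lookup(const char *addr) {
    for (size_t i = 0; i < NHOSTS; i++)
        if (strcmp(cluster[i].addr, addr) == 0) return cluster[i].name;
    return NULL;
}

/* Bounded "service@host" construction: 0 on success, -1 if it would not fit. */
int make_principal(char *out, size_t len, const char *svc, const char *host) {
    int n = snprintf(out, len, "%s@%s", svc, host);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Reported behaviour: connect via one lookup of the alias, then a later layer
 * re-resolves the alias. Returns 1 if the principal names the connected host. */
int alias_then_relookup(char *princ, size_t len) {
    const struct host *connected = forward_lookup();
    const struct host *canon = forward_lookup();
    if (make_principal(princ, len, "ftp", canon->name) != 0) return -1;
    return strcmp(canon->name, connected->name) == 0;
}

/* The reports' fix: take the name from the address actually connected to. */
int name_from_connection(char *princ, size_t len) {
    const struct host *connected = forward_lookup();
    const char *name = reverse_lookup(connected->addr);
    if (name == NULL) name = "ftphost.example.edu"; /* fall back to the alias */
    if (make_principal(princ, len, "ftp", name) != 0) return -1;
    return strcmp(name, connected->name) == 0;
}

int main(void) {
    char p[64];
    printf("re-lookup match=%d (%s)\n", alias_then_relookup(p, sizeof p), p);
    printf("from-conn match=%d (%s)\n", name_from_connection(p, sizeof p), p);
}
```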