[2743] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

krb5-appl/434:

daemon@ATHENA.MIT.EDU (sandya@cup.hp.com)
Fri Jun 6 15:26:48 1997

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, sandya@cup.hp.com
Date: Fri, 6 Jun 1997 12:24:30 -0700 (PDT)
From: sandya@cup.hp.com
Reply-To: sandya@cup.hp.com
To: krb5-bugs@MIT.EDU


>Number:         434
>Category:       krb5-appl
>Synopsis:       
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Fri Jun 06 15:23:00 EDT 1997
>Last-Modified:
>Originator:     Sandya Bhoajaraj
>Organization:
Hewlett Packard
	
>Release:        1.0
>Environment:
	
System: HP-UX hpindel B.10.20 A 9000/857 hpindel two-user license


>Description:
HP's FTP implements "FTP Security Extensions" based on the 
draft-ietf-ct-ftpsec-09. We use GSSAPI for authentication/authorization 
purposes only. In order to do this, we encrypt the command channel till 
authentication is complete.  After the initial auth. is complete, the 
command "CCC" is sent to clear the command channel. The MIT ftpd does not 
support "CCC" and this is a major problem for us.  We need MIT ftpd to 
understand and implement "CCC" command to the fullest.

Our situation is described accurately by the following statement specified
in the draft for the command "CCC". The draft states that 

"It is desirable in some environments to use a security
mechanism to authenticate and/or authorize the client and server, but not to 
perform any integrity checking on the subsequent commands."


	
>How-To-Repeat:
You will need a HP gssapi ftp or a client which sends a "CCC".

	
>Fix:
	I added the "CCC" command and the implementation to the MIT ftpd.
After that our client could interoperate with the MIT server.

Basically after the CCC command is sent, if an unprotected command
is sent then the data should also be unprotected. Enclosed is
a hack of the MIT ftpd.


	



---------------secure.h------------
*** secure.h    Fri Jun  6 11:55:59 1997
--- secure.h.fix        Fri Jun  6 11:57:02 1997
***************
*** 2,4 ****
--- 2,7 ----
  #define SESSION               &kdata.session
  #define myaddr                ctrl_addr
  #define hisaddr               data_dest
+ #define       CMD_ENC_CLEAR     0       /* not encoded */
+ #define CMD_ENC_MIC       1       /* MIC command */
+ #define CMD_ENC_ENC       2    /* ENC command */


------------------ftpd.c

*** ftpd.c	Fri Jun  6 12:00:38 1997
--- ftpd.c.fix	Fri Jun  6 12:06:41 1997
***************
*** 86,91 ****
--- 86,92 ----
  #include <stdarg.h>
  #endif
  #include "pathnames.h"
+ #include "secure.h"
  
  #ifndef L_SET
  #define L_SET 0
***************
*** 135,140 ****
--- 136,142 ----
  
  char *auth_type;	/* Authentication succeeded?  If so, what type? */
  static char *temp_auth_type;
+ extern int cmd_enc;
  
  /*
   * File containing login names
***************
*** 633,640 ****
  			gss_ok ? "" : " not",
  			name, gss_ok ? "" : "; Password required.");
  		/* 232 is per draft-8, but why 331 not 53z? */
- 		reply(gss_ok ? 232 : 331, "%s", buf);
  		syslog(gss_ok ? LOG_INFO : LOG_ERR, "%s", buf);
  	} else
  #endif /* GSSAPI */
  	/* Other auth types go here ... */
--- 635,644 ----
  			gss_ok ? "" : " not",
  			name, gss_ok ? "" : "; Password required.");
  		/* 232 is per draft-8, but why 331 not 53z? */
  		syslog(gss_ok ? LOG_INFO : LOG_ERR, "%s", buf);
+ 		askpasswd = 1;
+ 		pass(name);
+ 		reply(gss_ok ? 232 : 331, "%s", buf);
  	} else
  #endif /* GSSAPI */
  	/* Other auth types go here ... */
***************
*** 1429,1435 ****
  	sprintf(buf, fmt, p0, p1, p2, p3, p4, p5);
  #endif
  
! 	if (auth_type) {
  		char in[FTP_BUFSIZ], out[FTP_BUFSIZ];
  		int length, kerror;
  		/*
--- 1433,1439 ----
  	sprintf(buf, fmt, p0, p1, p2, p3, p4, p5);
  #endif
  
! 	if ((cmd_enc != CMD_ENC_CLEAR) && auth_type) {
  		char in[FTP_BUFSIZ], out[FTP_BUFSIZ];
  		int length, kerror;
  		/*

-----------------ftpcmd.y-------------

*** ftpcmd.y	Fri Jun  6 12:19:58 1997
--- ftpcmd.y.fix	Fri Jun  6 12:19:50 1997
***************
*** 62,67 ****
--- 62,68 ----
  #include <ctype.h>
  #include <stdlib.h>
  #include <string.h>
+ #include "secure.h"
  
  extern	char *auth_type;
  
***************
*** 128,133 ****
--- 129,136 ----
  
  off_t	restart_point;
  
+ 
+ int	cmd_enc = CMD_ENC_CLEAR;
  static	int cmd_type;
  static	int cmd_form;
  static	int cmd_bytesz;
***************
*** 233,239 ****
  		}
  	|	CCC CRLF
  		= {
! 			reply(534, "CCC not supported");
  		}
  	|	PBSZ SP STRING CRLF
  		= {
--- 236,253 ----
  		}
  	|	CCC CRLF
  		= {
!                         if (!auth_type) {
!                                 reply(503,
!                           "CCC command requires successful security exchange.");
!                         } else if (cmd_enc == CMD_ENC_MIC) {
!                                 reply(200,
!                      "Commands and data are only sent in a non-secure manner.");
!                                 cmd_enc = CMD_ENC_CLEAR;
!                         } else {
!                                 reply(533,
!                                  "Command expected to be integrity-protected.");
!                         }
! 			/* reply(534, "CCC not supported"); */
  		}
  	|	PBSZ SP STRING CRLF
  		= {
***************
*** 965,971 ****
  	if (c == EOF && cs == s)
  		return (NULL);
  	*cs++ = '\0';
! 	if (auth_type) {
  	    char out[sizeof(cbuf)], *cp;
  	    int len, mic;
  
--- 979,991 ----
  	if (c == EOF && cs == s)
  		return (NULL);
  	*cs++ = '\0';
! 	if (!strncasecmp(s, "MIC", 3))
! 		cmd_enc = CMD_ENC_MIC;
! 	else if (!strncasecmp(s, "ENC", 3))
! 		cmd_enc = CMD_ENC_ENC;
! 	else
! 		cmd_enc = CMD_ENC_CLEAR;
! 	if ((cmd_enc != CMD_ENC_CLEAR) && auth_type) {
  	    char out[sizeof(cbuf)], *cp;
  	    int len, mic;
  
***************
*** 972,977 ****
--- 992,998 ----
  	    if ((cs = strpbrk(s, " \r\n")))
  	    	*cs++ = '\0';
  	    upper(s);
+ 
  #ifdef NOCONFIDENTIAL
  	    if (!strcmp(s, "CONF")) {
  		reply(537, "CONF protected commands not supported.");
***************
*** 1073,1078 ****
--- 1094,1100 ----
  	}
  #if defined KERBEROS || defined GSSAPI	/* or other auth types */
  	else {	/* !auth_type */
+ 		if (cmd_enc != CMD_ENC_CLEAR)
  	    if ( (!(strncmp(s, "ENC", 3))) || (!(strncmp(s, "MIC", 3)))
  #ifndef NOCONFIDENTIAL
                  || (!(strncmp(s, "CONF", 4)))
>Audit-Trail:
>Unformatted:
		HP's gss api ftp does not work with MIT's gss ftpd.

home help back first fref pref prev next nref lref last post