[2915] in Kerberos-V5-bugs

krb5-appl/583: gssftp ftp host lookup

daemon@ATHENA.MIT.EDU (donn@u.washington.edu)
Wed Apr 22 12:52:59 1998

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, donn@u.washington.edu
Date: Wed, 22 Apr 1998 09:42:07 -0700
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU


>Number:         583
>Category:       krb5-appl
>Synopsis:       ftp fails to look up actual host domain name
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Wed Apr 22 12:43:01 EDT 1998
>Last-Modified:
>Originator:     Donn Cave
>Organization:
University of Washington
>Release:        1.0.5
>Environment:
All
System: AIX melville 2 4 00600210C000


>Description:
	The gssftp ftp client doesn't look up the domain name for its
	connection - i.e., "reverse" lookup using gethostbyaddr().
	This means that lookup is deferred to gss_import_name()
	(where the lookup is courtesy of krb5_sname_to_principal()).
	This deferred lookup is not reliable, in cases where the
	original domain name given to the client is a DNS random
	cluster of some kind and the resolution from cluster to
	specific host is naturally variable.  Hence, the ftp client
	must look up the actual host from its IP connection.
>How-To-Repeat:
	Attempt to connect via ftp to dante.u.washington.edu, or
	any cluster that resolves to a specific host on a variable
	schedule.  It's important to get this fixed in the distribution,
	because large cluster sites like ours can fix the problem only
	for internal connections; outside, we're limited to distributing
	a patch or something.
>Fix:
*** krb5-1.0.4/src/appl/gssftp/ftp/ftp.c	Thu Dec  4 19:41:58 1997
--- krb5-1.0.5/src/appl/gssftp/ftp/ftp.c	Wed Apr 22 09:04:54 1998
***************
*** 1841,1846 ****
--- 1841,1848 ----
  #if defined(KERBEROS) || defined(GSSAPI)
  	u_char out_buf[FTP_BUFSIZ];
  	int i;
+ 	char realhostname[128];
+         struct hostent *hp;
  #endif /* KERBEROS */
  
  	if (auth_type) return(1);	/* auth already succeeded */
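Review bot: `char realhostname[128];` is too small for what it is going to hold: a DNS name can be up to 255 bytes, and this buffer is filled from the resolver's answer further down. Size it for the longest name the resolver can return (MAXHOSTNAMELEN + 1 where the platform defines it, otherwise at least 256) and keep that size in one named constant so the later copies can be bounded against it. The `struct hostent *hp;` line is also indented with spaces where the neighbouring declarations use a tab.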
***************
*** 1923,1928 ****
--- 1925,1944 ----
  	  chan.application_data.length = 0;
  	  chan.application_data.value = 0;
  
+ 	  /*
+ 	  **  Look up actual host name, from connection IP.
+ 	  **  Since gss_import_name() -> krb5_sname_to_principal()
+ 	  **  will arrive at an actual name anyway, this is not a
+ 	  **  question of whether we want the cluster name or the
+ 	  **  actual name, but whether we want the actual name to
+ 	  **  be the correct one.
+ 	  */
+ 	  hp = gethostbyaddr(&hisctladdr.sin_addr, 4, AF_INET);
+ 	  if (hp)
+ 	    strcpy(realhostname, hp->h_name);
+ 	  else
+ 	    strcpy(realhostname, hostname);
+ 
  	  for (end_service_name = gss_services; *end_service_name; )
  	    end_service_name++;
  	  end_service_name--;
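Review bot: both `strcpy(realhostname, hp->h_name);` and `strcpy(realhostname, hostname);` copy into the 128-byte `realhostname` with no length check, and `hp->h_name` is whatever the reverse DNS answer for the server's address contains, so an over-long name overruns a stack buffer in the client. Bound both copies against sizeof(realhostname) with an explicit terminator, and treat a reverse name that does not fit as a failed lookup so the code falls back to `hostname`. The `gethostbyaddr` call should also pass sizeof(hisctladdr.sin_addr) instead of the literal 4 and cast the address argument to `(char *)`, which is what the traditional prototype expects.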
***************
*** 1937,1943 ****
  	    
  	    /* ftp@hostname first, the host@hostname */
  	    /* the V5 GSSAPI binding canonicalizes this for us... */
! 	    sprintf(stbuf, "%s@%s", *service_name, hostname);
  	    if (debug)
  	      fprintf(stderr, "Trying to authenticate to <%s>\n", stbuf);
  
--- 1953,1959 ----
  	    
  	    /* ftp@hostname first, the host@hostname */
  	    /* the V5 GSSAPI binding canonicalizes this for us... */
! 	    sprintf(stbuf, "%s@%s", *service_name, realhostname);
  	    if (debug)
  	      fprintf(stderr, "Trying to authenticate to <%s>\n", stbuf);
  
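Review bot: the changed line `sprintf(stbuf, "%s@%s", *service_name, realhostname);` still formats without a bound, and the host part is now a name returned by DNS rather than the one the user typed. The size of `stbuf` is not visible in this hunk, so confirm it holds the longest service name plus '@' plus sizeof(realhostname), or switch to a formatter that takes the buffer size and check for truncation. The context comment "the V5 GSSAPI binding canonicalizes this for us..." no longer describes the code, since the name is resolved before it reaches the binding; update it in the same change.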
>Audit-Trail:
>Unformatted:
