[3128] in Kerberos-V5-bugs


krb5-appl/765: ftp gets credentials for wrong host in DNS cluster

daemon@ATHENA.MIT.EDU (donn@u.washington.edu)
Tue Oct 5 18:19:24 1999

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, donn@u.washington.edu
Message-Id: <199910052217.PAA21716@saul8.u.washington.edu>
Date: Tue, 5 Oct 1999 15:17:58 -0700 (PDT)
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@MIT.EDU


>Number:         765
>Category:       krb5-appl
>Synopsis:       ftp gets ticket for wrong host in DNS cluster
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Tue Oct 05 18:19:01 EDT 1999
>Last-Modified:
>Originator:     Donn Cave
>Organization:
University Computing Services
University of Washington
>Release:        krb5-1.1
>Environment:
System: AIX 4.2
Machine: RS/6000
>Description:
Ftp connects to one host and gets a service ticket for another host,
in a DNS cluster where the user specifies the cluster and DNS returns a
specific host name.  The user's notion of the host name is submitted to
the gss layer, where it's resolved again with a randomly different value.
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Wrong principal in request

>How-To-Repeat:
Connect to dante.u.washington.edu, note that ftpd says "220 dante07 FTP
server ...".  Note subsequent error and failure to authenticate, and
use klist to see tickets actually acquired.  (Substitute some similar
cluster where you have an account.)

>Fix:

*** appl/gssftp/ftp/ftp.c.dist	Thu Sep 23 15:40:15 1999
--- appl/gssftp/ftp/ftp.c	Tue Oct  5 09:42:43 1999
***************
*** 1899,1904 ****
--- 1899,1906 ----
  #if defined(KRB5_KRB4_COMPAT) || defined(GSSAPI)
  	u_char out_buf[FTP_BUFSIZ];
  	int i;
+ 	char realhostname[128];
+ 	struct hostent *hp;
  #endif /* KRB5_KRB4_COMPAT */
  
  	if (auth_type) return(1);	/* auth already succeeded */
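Review bot: `char realhostname[128]` on the first added line is a fixed-size stack buffer that the second hunk fills from a DNS-supplied name with `strcpy`; size it from the system limit (e.g. `MAXHOSTNAMELEN` from `<sys/param.h>`) and, more importantly, make the copy bounded where it happens. `struct hostent` and `gethostbyaddr()` also require `<netdb.h>`, and this patch adds no include, so confirm ftp.c already pulls it in. Finally, both new variables are used only in the GSSAPI path, yet they are declared under `defined(KRB5_KRB4_COMPAT) || defined(GSSAPI)`, so a build with only `KRB5_KRB4_COMPAT` defined will warn about unused variables; consider a separate `#ifdef GSSAPI` block.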
***************
*** 1921,1926 ****
--- 1923,1943 ----
  	  chan.acceptor_address.value = &hisctladdr.sin_addr.s_addr;
  	  chan.application_data.length = 0;
  	  chan.application_data.value = 0;
+  
+ 	  /*
+ 	  **  Look up actual host name, from connection IP.
+ 	  **  Since gss_import_name() -> krb5_sname_to_principal()
+ 	  **  will arrive at an actual name anyway, this is not a
+ 	  **  question of whether we want the cluster name or the
+ 	  **  actual name, but whether we want the actual name to
+ 	  **  be the same one in both places, here and in the gss/krb5
+ 	  **  layers.  Since we do want that, resolve it here.
+ 	  */
+ 	  hp = gethostbyaddr(&hisctladdr.sin_addr, 4, AF_INET);
+ 	  if (hp)
+ 	    strcpy(realhostname, hp->h_name);
+ 	  else
+ 	    strcpy(realhostname, hostname);
  
  	  if (verbose)
  	    printf("GSSAPI accepted as authentication type\n");
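Review bot: `strcpy(realhostname, hp->h_name)` copies a name chosen by whoever controls reverse DNS for the peer address into a 128-byte stack buffer with no length check; a DNS name may be up to 255 octets, so this is a stack overflow reachable by anyone who can answer the PTR query. Use a bounded copy with explicit termination, e.g. `strncpy(realhostname, hp->h_name, sizeof(realhostname) - 1); realhostname[sizeof(realhostname) - 1] = '\0';`, and bound the `hostname` fallback the same way. Minor points: pass `sizeof(hisctladdr.sin_addr)` instead of the literal `4` to `gethostbyaddr()`, and the first added line (`+  `) carries trailing whitespace.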
***************
*** 1930,1936 ****
  	  for (trial = 0; trial < n_gss_trials; trial++) {
  	    /* ftp@hostname first, the host@hostname */
  	    /* the V5 GSSAPI binding canonicalizes this for us... */
! 	    sprintf(stbuf, "%s@%s", gss_trials[trial].service_name, hostname);
  	    if (debug)
  	      fprintf(stderr, "Trying to authenticate to <%s>\n", stbuf);
  
--- 1947,1953 ----
  	  for (trial = 0; trial < n_gss_trials; trial++) {
  	    /* ftp@hostname first, the host@hostname */
  	    /* the V5 GSSAPI binding canonicalizes this for us... */
! 	    sprintf(stbuf, "%s@%s", gss_trials[trial].service_name, realhostname);
  	    if (debug)
  	      fprintf(stderr, "Trying to authenticate to <%s>\n", stbuf);
  
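Review bot: the unchanged comment `the V5 GSSAPI binding canonicalizes this for us...` is now misleading, since the client resolves the name itself before this loop; update it to say the name was pre-resolved from the connected address so the requested principal matches the host actually reached. Also, `sprintf(stbuf, "%s@%s", ...)` now takes a `realhostname` of up to 127 bytes plus the service name, and the size of `stbuf` is not visible in this hunk; check it against that worst case or switch to `snprintf(stbuf, sizeof(stbuf), ...)`.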
>Audit-Trail:
>Unformatted:
