[16103] in Athena Bugs
Athena 8.2 ftpd bug
daemon@ATHENA.MIT.EDU (Miro Jurisic)
Wed Aug 5 22:47:32 1998
Date: Wed, 5 Aug 1998 22:39:09 -0400
To: bugs@MIT.EDU, davie@MIT.EDU
From: Miro Jurisic <meeroh@MIT.EDU>
When I attempt to connect to my 8.2 machine using FTP with GSSAPI security
with forwardable credentials, I get the following:
503 Must identify AUTH type before ADAT
AUTH GSSAPI
334 Using authentication type GSSAPI; ADAT must follow
ADAT [SNIP]
235 ADAT=[SNIP]
USER meeroh
232 GSSAPI user meeroh@ATHENA.MIT.EDU is authorized as meeroh
PBSZ 8192
200 PBSZ=8192
PROT P
200 Protection level set to Private (Encrypted).
SYST
215 UNIX Type: L8
PWD
530 Please login with USER and PASS.
This is bogus. The Athena 8.2 ftp client sends a dummy password to the
server to circumvent this problem. However, looking at the FTP security
extensions RFC (<http://web.mit.edu/rfc/rfc2228.txt>), Section 9, should be
sufficient to convince you that the authentication sequence that my client
transmitted is valid and should have been sufficient to authenticate me and
log me in.
tlyu tells me that the problem is that the ftpd keeps a global to indicate
when the user has been logged in, and the global is only set to true after
the client sends USER and PASS.
Afaik, danw kludged this on the dialups so that credential delegation is
now conveniently useless (as it was in 8.1).
Obviously, however this is fixed, the behavior in the case when the client
_does_ transmit a dummy password should not be broken...
Hth,
meeroh
meeroh@mit.edu | <http://www.mit.edu/people/meeroh/> | MIT I/S Mac developer
The most exciting phrase to hear in science, the one that heralds new
discoveries, is not "Eureka!" (I found it!) but "That's funny ..." -- Isaac
Asimov
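
A minimal model of the login-flag behaviour described in the report above, added here as an illustration; it is not the Athena ftpd source, and the struct, the function names and the `fixed` switch are hypothetical. It assumes the GSSAPI principal is authorized for the requested user and does not model password checking.

```c
/* Added illustration, not the Athena ftpd source; all names are hypothetical. */
#include <stdio.h>
#include <string.h>

struct session {
    int fixed;      /* 0: behaviour in the report; 1: reply 232 completes login */
    int adat_ok;    /* AUTH GSSAPI + ADAT exchange succeeded */
    int user_ok;    /* USER accepted for the authenticated principal */
    int logged_in;  /* the login flag the report describes */
};

/* Handle one command and return the FTP reply code. */
static int handle(struct session *s, const char *cmd)
{
    if (strcmp(cmd, "ADAT") == 0) { s->adat_ok = 1; return 235; }
    if (strcmp(cmd, "USER") == 0) {
        s->user_ok = s->logged_in = 0;    /* a new USER resets login state */
        if (!s->adat_ok) return 331;      /* password login, not modelled */
        s->user_ok = 1;                   /* assumed: principal is authorized */
        if (s->fixed) s->logged_in = 1;   /* 232 already means "logged in" */
        return 232;
    }
    if (strcmp(cmd, "PASS") == 0) {
        if (!s->user_ok) return 503;      /* no USER accepted via ADAT */
        s->logged_in = 1;                 /* dummy password keeps working */
        return 230;
    }
    if (strcmp(cmd, "PWD") == 0) return s->logged_in ? 257 : 530;
    return 500;
}

/* Replay the session and return the reply code to PWD. */
int pwd_reply(int fixed, int do_adat, int send_dummy_pass)
{
    struct session s = { fixed, 0, 0, 0 };
    if (do_adat) handle(&s, "ADAT");
    handle(&s, "USER");
    if (send_dummy_pass) handle(&s, "PASS");
    return handle(&s, "PWD");
}

int main(void)
{
    printf("report, no PASS:    %d\n", pwd_reply(0, 1, 0));
    printf("fixed, no PASS:     %d\n", pwd_reply(1, 1, 0));
    printf("fixed, dummy PASS:  %d\n", pwd_reply(1, 1, 1));
    printf("fixed, no ADAT:     %d\n", pwd_reply(1, 0, 0));
    return 0;
}
```

The last case is the regression check a fix needs: setting the flag on reply 232 must not log in a client that never completed the AUTH/ADAT exchange.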