authorTom Yu <tlyu@mit.edu>2004-11-03 22:50:15 +0000
committerTom Yu <tlyu@mit.edu>2004-11-03 22:50:15 +0000
commitdb16a09830ffdcc461b63178c0834727bd7aa4a5 (patch)
treec007833b9e9d44b3baa4dc98febbc018bf347c09
parent0b6cd657adc6d895747c430db0bc9865898c8603 (diff)
merge athena ftpd changes for requiring encrypted passwords
* ftpcmd.y (getline): Merge Athena change to reject MICed password. * ftpd.M: Document '-E'. * ftpd.c (main): Merge Athena's '-E' changes to prohibit unencrypted passwords. ticket: new target_version: 1.4 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16857 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/appl/gssftp/ftpd/ChangeLog10
-rw-r--r--src/appl/gssftp/ftpd/ftpcmd.y13
-rw-r--r--src/appl/gssftp/ftpd/ftpd.M7
-rw-r--r--src/appl/gssftp/ftpd/ftpd.c9
4 files changed, 35 insertions, 4 deletions
diff --git a/src/appl/gssftp/ftpd/ChangeLog b/src/appl/gssftp/ftpd/ChangeLog
index 6ead450fc..58fab439b 100644
--- a/src/appl/gssftp/ftpd/ChangeLog
+++ b/src/appl/gssftp/ftpd/ChangeLog
@@ -1,3 +1,13 @@
+2004-11-03 Tom Yu <tlyu@mit.edu>
+
+ * ftpcmd.y (getline): Merge Athena change to reject MICed
+ password.
+
+ * ftpd.M: Document '-E'.
+
+ * ftpd.c (main): Merge Athena's '-E' changes to prohibit
+ unencrypted passwords.
+
2004-09-22 Tom Yu <tlyu@mit.edu>
* Makefile.in (ftpd): Use UTIL_LIB.
diff --git a/src/appl/gssftp/ftpd/ftpcmd.y b/src/appl/gssftp/ftpd/ftpcmd.y
index db50d5bfb..bb6bbcdde 100644
--- a/src/appl/gssftp/ftpd/ftpcmd.y
+++ b/src/appl/gssftp/ftpd/ftpcmd.y
@@ -124,6 +124,7 @@ extern int ccc_ok;
extern int timeout;
extern int maxtimeout;
extern int pdata;
+extern int authlevel;
extern char hostname[], remotehost[];
extern char proctitle[];
extern char *globerr;
@@ -1150,6 +1151,18 @@ getline(s, n, iop)
}
#endif /* GSSAPI */
/* Other auth types go here ... */
+
+ /* A password should never be MICed, but the CNS ftp
+ * client and the pre-6/98 Krb5 client did this if you
+ * authenticated but didn't encrypt.
+ */
+ if (authlevel && mic && !strncmp(s, "PASS", 4)) {
+ lreply(530, "There is a problem with your ftp client. Password refused.");
+ reply(530, "Enable encryption before logging in, or update your ftp program.");
+ *s = 0;
+ return s;
+ }
+
}
#if defined KRB5_KRB4_COMPAT || defined GSSAPI /* or other auth types */
else { /* !auth_type */
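Review bot: The refused password is still sitting in the caller's buffer after the new early return, because `*s = 0;` clears only the first byte of the decoded line; the rest of the PASS argument stays in memory until something else overwrites it. If `n` is the size of `s` (as the `getline(s, n, iop)` signature suggests), `memset(s, 0, n);` in place of `*s = 0;` discards the secret at the point where it is known to be unwanted, without changing what the caller sees. The match `!strncmp(s, "PASS", 4)` is also case-sensitive and prefix-only, so a lowercase `pass` would only be caught if the line has already been upper-cased by this point — worth confirming against the lexer, since that normalisation is not visible in the hunk. A comment on the guard, `/* mic: line arrived MIC-protected but not encrypted; authlevel: server was started with -a/-A/-E */`, would also spare the next reader a trip through ftpd.c. getline's body begins and ends outside this hunk.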
diff --git a/src/appl/gssftp/ftpd/ftpd.M b/src/appl/gssftp/ftpd/ftpd.M
index dc75e9b8d..b26a4bd94 100644
--- a/src/appl/gssftp/ftpd/ftpd.M
+++ b/src/appl/gssftp/ftpd/ftpd.M
@@ -36,8 +36,8 @@
ftpd \- DARPA Internet File Transfer Protocol server
.SH SYNOPSIS
.B ftpd
-[\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB\-l\fP]
-[\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
+[\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP]
+[\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
[\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP]
[\fB\-r\fP \fIrealm-file\fP] [\fB\-s\fP \fIsrvtab\fP]
[\fB\-w\fP{\fBip\fP|\fImaxhostlen\fP[\fB,\fP{\fBstriplocal\fP|\fBnostriplocal\fP}]}]
@@ -77,6 +77,9 @@ less secure connections, and should probably only be used when debugging.
.B \-d
Debugging information is written to the syslog. (Identical to -v)
.TP
+.B \-E
+Don't allow passwords to be typed across unencrypted connections.
+.TP
.B \-l
Each
.IR ftp (1)
diff --git a/src/appl/gssftp/ftpd/ftpd.c b/src/appl/gssftp/ftpd/ftpd.c
index 6048278d7..4e3ef9064 100644
--- a/src/appl/gssftp/ftpd/ftpd.c
+++ b/src/appl/gssftp/ftpd/ftpd.c
@@ -293,9 +293,9 @@ main(argc, argv, envp)
extern char *optarg;
extern int optopt;
#ifdef KRB5_KRB4_COMPAT
- char *option_string = "AaCcdlp:r:s:T:t:U:u:vw:";
+ char *option_string = "AaCcdElp:r:s:T:t:U:u:vw:";
#else /* !KRB5_KRB4_COMPAT */
- char *option_string = "AaCcdlp:r:T:t:U:u:vw:";
+ char *option_string = "AaCcdElp:r:T:t:U:u:vw:";
#endif /* KRB5_KRB4_COMPAT */
ftpusers = _PATH_FTPUSERS_DEFAULT;
@@ -328,6 +328,11 @@ main(argc, argv, envp)
debug = 1;
break;
+ case 'E':
+ if (!authlevel)
+ authlevel = AUTHLEVEL_AUTHENTICATE;
+ break;
+
case 'l':
logging ++;
break;
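Review bot: The `case 'E':` branch is order-dependent and silent about it: it only sets `authlevel` when no level has been chosen yet, so `-E` given after `-a` or `-A` is a no-op, while `-a` or `-A` given after `-E` overrides it; nothing here or in the manpage hunk says which combination wins. A comment would pin the intent, e.g. `/* -E: require at least authentication; an explicit -a/-A wins. */` on the new case, and the `-E` entry in ftpd.M could note that it is implied by -a and -A if that is the intended reading. Whether the resulting `AUTHLEVEL_AUTHENTICATE` actually prevents a cleartext PASS (as the manpage text promises) depends on how the `-a`/`-A` cases and pass() consume `authlevel`, which are outside this hunk, so that claim is inferred from the commit message rather than visible here.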