author | Geoffrey King <gjking@mit.edu> | 1998-08-29 00:03:22 +0000 |
---|---|---|
committer | Geoffrey King <gjking@mit.edu> | 1998-08-29 00:03:22 +0000 |
commit | 89ccebdaf6de86e4f1cced0963f90f379d0b79dc (patch) | |
tree | 22cce8e29c8b624aa9243e55619a065f5c6c9367 /src/appl | |
parent | c57d45f6bd9447e2b8912e24252d48c521deeed7 (diff) | |
* ftpd.c (login): New function. Essentially, the old pass
function has been split into its two logical components, pass and
login.
(pass): If auth_ok is true, reply with code 202 to tell the
user that a PASS command is not necessary. Also, don't reply
230 "User logged in" if the user didn't send a PASS command;
this causes the client to get a bit confused.
(auth_ok): New function that returns true if either gss_ok or
kerb_ok is true (all the #ifdefs were beginning to clutter things,
and it's a good abstraction in case other auth types are ever
added in the future).
(user): If GSSAPI or Kerberos v4 authentication succeeds, call
login immediately, instead of waiting for the client to send "PASS
dummy." Also, use #ifdef PARANOID instead of "some paranoid sites
may wish to uncomment this"
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10899 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/appl')
-rw-r--r-- | src/appl/gssftp/ftpd/ChangeLog | 18 | ||||
-rw-r--r-- | src/appl/gssftp/ftpd/ftpd.c | 77 |
2 files changed, 74 insertions, 21 deletions
diff --git a/src/appl/gssftp/ftpd/ChangeLog b/src/appl/gssftp/ftpd/ChangeLog
index 21703b132..6aa6a2323 100644
--- a/src/appl/gssftp/ftpd/ChangeLog
+++ b/src/appl/gssftp/ftpd/ChangeLog
@@ -1,3 +1,21 @@
+1998-08-28 Geoffrey King <gjking@mit.edu>
+
+	* ftpd.c (login): New function. Essentially, the old pass
+	function has been split into its two logical components, pass and
+	login.
+	(pass): If auth_ok is true, reply with code 202 to tell the
+	user that a PASS command is not necessary. Also, don't reply
+	230 "User logged in" if the user didn't send a PASS command;
+	this causes the client to get a bit confused.
+	(auth_ok): New function that returns true if either gss_ok or
+	kerb_ok is true (all the #ifdefs were beginning to clutter things,
+	and it's a good abstraction in case other auth types are ever
+	added in the future).
+	(user): If GSSAPI or Kerberos v4 authentication succeeds, call
+	login immediately, instead of waiting for the client to send "PASS
+	dummy." Also, use #ifdef PARANOID instead of "some paranoid sites
+	may wish to uncomment this"
+
 Wed Aug 19 06:47:46 1998 Geoffrey King <gjking@mit.edu>
 
 	* ftpd.c: Add a new command line option, -c, which tells the
diff --git a/src/appl/gssftp/ftpd/ftpd.c b/src/appl/gssftp/ftpd/ftpd.c
index 19d72fa53..7741eac84 100644
--- a/src/appl/gssftp/ftpd/ftpd.c
+++ b/src/appl/gssftp/ftpd/ftpd.c
@@ -618,14 +618,16 @@ user(name)
 	char *getusershell();
 #endif
 
-	/* Some paranoid sites may want the client to authenticate * before accepting the USER command. If so, uncomment this:
-
+#ifdef PARANOID
+	/*
+	 * Some paranoid sites may want the client to authenticate
+	 * before accepting the USER command.
+	 */
 	if (!auth_type) {
 		reply(530, "Must perform authentication before identifying USER.");
 		return;
-	*/
+#endif
 	if (logged_in) {
 		if (guest) {
 			reply(530, "Can't change user from guest login.");
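Review bot: Inside the new `#ifdef PARANOID` block the `if (!auth_type) {` opened before `reply(530, ...)` has no closing brace visible before `#endif`; the hunk header (14 old / 16 new lines) and the diffstat's 21 deletions both imply that this rendering lost one context line, almost certainly the `}`, and the `-` marker on the `* before accepting` line, so this is probably a display artifact, but it is worth confirming in the tree because code under `PARANOID` is never compiled by a default build and an unbalanced brace would only surface for a site that turns it on. For the same reason a one-off build with `-DPARANOID` belongs in the testing for this change. A compile-time switch also means an administrator cannot require authentication before USER without rebuilding; if that is intended, the comment should say so, e.g. `/* Build with -DPARANOID to require authentication before USER; there is no run-time switch. */`. user() continues outside the hunk.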
@@ -688,6 +690,10 @@ user(name)
 			/* 232 is per draft-8, but why 331 not 53z? */
 			reply(gss_ok ? 232 : 331, "%s", buf);
 			syslog(gss_ok ? LOG_INFO : LOG_ERR, "%s", buf);
+			if (gss_ok) {
+				login((char *) NULL);
+				return;
+			}
 		} else
 #endif /* GSSAPI */
 #ifdef KRB5_KRB4_COMPAT
@@ -710,6 +716,10 @@ user(name)
 				name, kerb_ok ? "" : "; Password required.");
 			reply(kerb_ok ? 232 : 331, "%s", buf);
 			syslog(kerb_ok ? LOG_INFO : LOG_ERR, "%s", buf);
+			if (kerb_ok) {
+				login((char *) NULL);
+				return;
+			}
 		} else
 #endif /* KRB5_KRB4_COMPAT */
 		/* Other auth types go here ... */
@@ -724,6 +734,7 @@ user(name)
 		return;
 	} else
 		reply(331, "Password required for %s.", name);
+	askpasswd = 1;
 
 	/*
 	 * Delay before reading passwd after first failed
@@ -829,19 +840,18 @@ pass(passwd)
 {
 	char *xpasswd, *salt;
 
-	if (logged_in || askpasswd == 0) {
-		reply(503, "Login with USER first.");
+	if (auth_ok()) {
+		reply(202, "PASS command superfluous.");
 		return;
 	}
-	askpasswd = 0;
-	if (
-#ifdef KRB5_KRB4_COMPAT
-	    !kerb_ok &&
-#endif /* KRB5_KRB4_COMPAT */
-#ifdef GSSAPI
-	    !gss_ok &&
-#endif /* GSSAPI */
-	    !guest) {		/* "ftp" is only account allowed no password */
+
+	if (logged_in || askpasswd == 0) {
+		reply(503, "Login with USER first.");
+		return;
+	}
+
+	if (!auth_ok() && !guest) {
+		/* "ftp" is only account allowed no password */
 		if (pw == NULL)
 			salt = "xx";
 		else
@@ -857,12 +867,13 @@ pass(passwd)
 		if (pw == NULL ||
 		    (*pw->pw_passwd && strcmp(xpasswd, pw->pw_passwd) &&
 		     !kpass(pw->pw_name, passwd)) ||
-		    (!*pw->pw_passwd && !kpass(pw->pw_name, passwd))) {
+		    (!*pw->pw_passwd && !kpass(pw->pw_name, passwd)))
 #else
 		/* The strcmp does not catch null passwords! */
 		if (pw == NULL || *pw->pw_passwd == '\0' ||
-		    strcmp(xpasswd, pw->pw_passwd)) {
+		    strcmp(xpasswd, pw->pw_passwd))
 #endif /* KRB5_KRB4_COMPAT */
+		{
 			reply(530, "Login incorrect.");
 			pw = NULL;
 			if (login_attempts++ >= 5) {
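Review bot: `login((char *) NULL)` now enters the privileged login path straight from user() without passing through pass(), and login() (defined later in this diff, in the hunk at @@ -872) dereferences `pw` on its first line, so this depends on `pw` having been filled in earlier in user() and on ftpd_userok() refusing names with no passwd entry — neither is visible in the hunk. A cheap guard is `if (gss_ok && pw != NULL) {`, or a `pw == NULL` check at the top of login(). login() is also called here roughly 200 lines before its definition and no prototype appears anywhere in the diff, so the call compiles through an implicit declaration; add a declaration for it to the forward declarations near the top of the file. The same four lines are duplicated in the Kerberos v4 branch in the next hunk; one fall-through after the `#ifdef` chain keyed on auth_ok() would avoid the copy. user() starts and ends outside the hunk.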
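Review bot: In `if (!auth_ok() && !guest) {` the `!auth_ok()` term is always true, because an authenticated session already returned `202` at the top of the function, so the condition suggests authenticated users could reach the password check when they cannot. `if (!guest) {` with the comment `/* auth_ok() sessions returned 202 above; only the anonymous account skips the password check */` states the real invariant and drops a second trip through the `#ifdef`-laden helper. Putting the `202` check ahead of the `503` check is otherwise fine, since auth_ok() can only be true once user() has run. pass() continues outside the hunk.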
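Review bot: The failure branch that now begins at the added `{` sets `pw = NULL` but leaves `askpasswd` untouched, and the `askpasswd = 0;` that pass() used to execute unconditionally has moved into login()'s success path, so after a `530 Login incorrect` the client may send PASS again without a fresh USER instead of receiving `503`. The retry cannot succeed (pw is NULL) and `login_attempts` still ends the session after five failures, so this is a protocol-state change rather than a bypass, but the commit message does not mention it. Adding `askpasswd = 0;` beside `pw = NULL;` restores the one-PASS-per-USER behaviour. The enclosing if/else in pass() starts before and ends after this hunk.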
@@ -872,20 +883,28 @@ pass(passwd)
 				exit(0);
 			}
 			return;
-		}
+	    }
 	}
 	login_attempts = 0;		/* this time successful */
+
+	login(passwd);
+	return;
+}
+
+login(passwd)
+	char *passwd;
+{
 	(void) krb5_setegid((gid_t)pw->pw_gid);
 	(void) initgroups(pw->pw_name, pw->pw_gid);
 
 	/* open wtmp before chroot */
-	(void)sprintf(ttyline, "ftp%d", getpid());
+	(void) sprintf(ttyline, "ftp%d", getpid());
 	ftp_logwtmp(ttyline, pw->pw_name, remotehost);
 	logged_in = 1;
 
 	if (guest) {
 		if (chroot(pw->pw_dir) < 0) {
-			reply(550, "Can't set guest priveleges.");
+			reply(550, "Can't set guest privileges.");
 			goto bad;
 		}
 	}
@@ -925,7 +944,10 @@ pass(passwd)
 			syslog(LOG_INFO, "ANONYMOUS FTP LOGIN FROM %s, %s",
 			    remotehost, passwd);
 	} else {
-		reply(230, "User %s logged in.", pw->pw_name);
+		if (askpasswd) {
+			askpasswd = 0;
+			reply(230, "User %s logged in.", pw->pw_name);
+		}
 #ifdef SETPROCTITLE
 		sprintf(proctitle, "%s: %s", remotehost, pw->pw_name);
 		setproctitle(proctitle);
@@ -2367,6 +2389,18 @@ data_err:
 	pdata = -1;
 }
 
+int auth_ok(void)
+{
+	return(0
+#ifdef KRB5_KRB4_COMPAT
+	       || kerb_ok
+#endif /* KRB5_KRB4_COMPAT */
+#ifdef GSSAPI
+	       || gss_ok
+#endif /* GSSAPI */
+	       );
+}
+
 #ifdef SETPROCTITLE
 /*
  * clobber argv so ps will show what we're doing.
@@ -2479,3 +2513,4 @@ ftpd_userok(client_name, name)
 	return retval;
 }
 #endif /* GSSAPI */
+
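Review bot: The new function is introduced K&R-style as `login(passwd)` with no return type and no `static`, and `login` is also the name of the libutil/utmp routine `login(3)`, which may be why the wtmp helper called here is `ftp_logwtmp` rather than `logwtmp`; a global `login` can clash with that symbol if the binary is ever linked against libutil. `static void login(char *passwd)` (or a prefixed name such as `ftp_login`) removes both the implicit-int return and the collision. This is also the routine that changes group identity, writes wtmp and chroots, and it dereferences `pw` in its first statement, so it deserves a header comment stating the precondition, e.g. `/* Complete a successful authentication: assumes pw != NULL and that the caller has verified the client's credentials. passwd is NULL when user() calls this after GSSAPI/Kerberos auth. */`. Whether passwd is used only for the anonymous syslog line further down cannot be confirmed from this hunk.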
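Review bot: The new `if (askpasswd)` guard reuses the "a PASS is pending" flag to mean "a 230 reply is still owed", which is correct only if `askpasswd` is still 0 when user() calls login() on the GSSAPI/Kerberos paths — i.e. nothing earlier in user(), outside these hunks, sets it before those branches — and that coupling is invisible here; write it down with `/* A 232 was already sent by user() for GSSAPI/Kerberos logins; only a PASS-driven login still owes the client a 230. */`, or pass login() an explicit argument saying which reply is due instead of sharing the flag. The guest branch at the top of the hunk never clears `askpasswd`, though since `logged_in` is set a later PASS gets `503` regardless, so nothing visible depends on it. The login tail this hunk belongs to starts and ends outside the hunk.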
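Review bot: `auth_ok()` is defined here around line 2389, but its callers in pass() sit some 1500 lines earlier and the diff adds no prototype, so those calls compile through an implicit `int auth_ok()` declaration; add `int auth_ok(void);` to the forward declarations at the top of the file, and consider `static` since nothing outside ftpd.c appears to need it. As the single place that decides whether a session already counts as authenticated it warrants a header comment: `/* True when the client authenticated the session itself (GSSAPI or Kerberos v4) so no PASS is needed; always false when neither mechanism is compiled in. */`. With neither `KRB5_KRB4_COMPAT` nor `GSSAPI` defined the body collapses to `return(0 );`, which is correct but odd to read; `int ok = 0;` followed by `#ifdef`-guarded `ok = ok || kerb_ok;` lines and `return ok;` is clearer.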