merge from mainline

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/marc-3des@11000 dc483132-0cff-0310-8789-dd5450dbe970
1 parent 8351246 commit 2e783a6f6c751fdc0842f933ebd14a8a5f1af9bf marc committed Oct 28, 1998
@@ -52,6 +52,20 @@ AC_MSG_RESULT($krb5_cv_shadow_pwd)
if test $krb5_cv_shadow_pwd = yes; then
AC_DEFINE(HAVE_SHADOW)
fi
+AC_ARG_WITH([krb4],
+[ --without-krb4 don't include Kerberos V4 backwards compatibility
+ --with-krb4 use V4 libraries included with V5 (default)
+ --with-krb4=KRB4DIR use preinstalled V4 libraries],
+,
+withval=yes
+)dnl
+if test $withval = no; then
+ AC_MSG_RESULT(no krb4 support)
+else
+ AC_MSG_RESULT(Adding in krb4 support)
+ FTPD_LIBS="../../../krb524/libkrb524.a"
+fi
+AC_SUBST(FTPD_LIBS)
dnl
dnl
dnl
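Review bot: the else branch sets FTPD_LIBS="../../../krb524/libkrb524.a" for every value of $withval other than no, so --with-krb4=KRB4DIR (documented in the help text as "use preinstalled V4 libraries") still links the in-tree krb524 library; if that is intended, say so in a dnl comment. FTPD_LIBS is also never assigned in the no branch, so whatever value is inherited from the environment gets substituted by AC_SUBST; set FTPD_LIBS= explicitly there. The comparison should be quoted as test "$withval" = no, since KRB4DIR is user-supplied and may be empty or contain spaces.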
@@ -5,6 +5,15 @@
(do_auth): Try the new krb5 mech, and if that fails, try the
old one.
+1998-10-26 Geoffrey King <gjking@mit.edu>
+
+ * ftp.M: Add documentation for new ccc and cprotect commands.
+ Also, add previously omitted command line options -u and -t and
+ "passive" command to the man page.
+
+ * main.c (main): Print out a usage message instead of just
+ "unknown option."
+
Fri Oct 2 16:16:13 1998 Theodore Y. Ts'o <tytso@mit.edu>
* cmdtab.c: Update help message for passive mode so that it
@@ -37,7 +37,7 @@ ftp \- ARPANET file transfer program
.SH SYNOPSIS
.B ftp
[\fB\-v\fP] [\fB\-d\fP] [\fB\-i\fP] [\fB\-n\fP] [\fB\-g\fP] [\fB\-k\fP
-\fIrealm\fP] [\fB\-f\fP] [\fB\-x\fP] [\fIhost\fP]
+\fIrealm\fP] [\fB\-f\fP] [\fB\-x\fP] [\fB\-u\fP] [\fB\-t\fP] [\fIhost\fP]
.SH DESCRIPTION
.B FTP
is the user interface to the
@@ -57,8 +57,23 @@ transfer statistics.
.B \-n
Restrains
.B ftp
-from attempting ``auto-login'' upon initial connection. If
-auto-login is enabled,
+from attempting ``auto-login'' upon initial connection. If auto-login
+is enabled,
+.B ftp
+will check the
+.I .netrc
+(see below) file in the user's home directory for an entry describing an
+account on the remote machine. If no entry exists,
+.B ftp
+will prompt for the remote machine login name (default is the user
+identity on the local machine), and, if necessary, prompt for a password
+and an account with which to login.
+.TP
+.B \-u
+Restrains
+.B ftp
+from attempting ``auto-authentication'' upon initial connection. If
+auto-authentication is enabled,
.B ftp
attempts to authenticate to the
.SM FTP
@@ -68,16 +83,7 @@ command, using whichever authentication types are locally supported.
Once an authentication type is accepted, an authentication protocol
will proceed by issuing
.SM ADAT
-commands.
-.B ftp
-then will check the
-.I .netrc
-(see below) file in the user's home directory for an entry describing an
-account on the remote machine. If no entry exists,
-.B ftp
-will prompt for the remote machine login name (default is the user
-identity on the local machine), and, if necessary, prompt for a password
-and an account with which to login.
+commands. This option also disables auto-login.
.TP
.B \-i
Turns off interactive prompting during multiple file transfers.
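Review bot: the sentence added at the end of the -u description, "This option also disables auto-login", is not reflected in the 'u' case shown in main.c, which sets only autoauth = 0. Confirm that the auto-login path is skipped whenever autoauth is 0, or clear the auto-login flag in that case as well, so the man page and the option parser agree.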
@@ -96,8 +102,12 @@ When using Kerberos v4 authentication, gets tickets in
Causes credentials to be forwarded to the remote host.
.TP
.B \-x
-Causes the client to attempt to negotiate encryption (protection level
-`private') immediately after successfully authenticating.
+Causes the client to attempt to negotiate encryption (data and command
+protection levels ``private'') immediately after successfully
+authenticating.
+.TP
+.B \-t
+Enables packet tracing.
.SH COMMANDS
The client host with which
.B ftp
@@ -181,6 +191,15 @@ is on (default is off), remote computer file names with all letters in
upper case are written in the local directory with the letters mapped to
lower case.
.TP
+.B ccc
+Turn off integrity protection on the command channel. This command
+must be sent integrity protected, and must be proceeded by a successful
+.SM ADAT
+command. Since turning off integrity protection potentially
+allows an attacker to insert commands onto the command channel, some
+.SM FTP
+servers may refuse to honor this command.
+.TP
\fBcd\fP \fIremote-directory\fP
Change the working directory on the remote machine to
.IR remote-directory .
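Review bot: in the new ccc entry, "must be proceeded by a successful ADAT command" should read "preceded by". Since the paragraph already explains that clearing integrity protection lets an attacker insert commands on the command channel, it would also help to say what the client reports when a server refuses the command.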
@@ -206,6 +225,22 @@ Terminate the
session with the remote server, and return to the command interpreter.
Any defined macros are erased.
.TP
+\fBcprotect\fP [\fIprotection-level\fP]
+Set the protection level on commands to
+.IR protection-level .
+The valid protection levels are ``clear'' for unprotected commands,
+``safe'' for commands integrity protected by
+cryptographic checksum, and ``private'' for commands
+confidentiality and integrity protected by encryption. If an
+.SM ADAT
+command succeeded, then the default command protection level is
+``safe'', otherwise the only possible level is ``clear''. If no
+level is specified, the current level is printed.
+.B cprotect clear
+is equivalent to the
+.B ccc
+command.
+.TP
.B cr
Toggle carriage return stripping during ascii type file retrieval.
Records are denoted by a carriage return/linefeed sequence during ascii
@@ -560,7 +595,7 @@ server. An optional port number may be supplied, in which case,
will attempt to contact an
.SM FTP
server at that port. If the
-.B auto-login
+.B auto-authenticate
option is on (default),
.B ftp
will attempt to authenticate to the
@@ -571,7 +606,9 @@ command, using whichever authentication types which are locally
supported. Once an authentication type is accepted, an authentication
protocol will proceed by issuing
.SM ADAT
-commands.
+commands. If the
+.B auto-login
+option is on (default),
.B ftp
will also attempt to automatically log the user in to the
.SM FTP
@@ -581,6 +618,12 @@ option is specified,
.B ftp
will forward a copy of the user's Kerberos tickets to the remote host.
.TP
+.B passive
+Toggle passive data transfer mode. In passive mode, the client initiates
+the data connection by listening on the data port. Passive mode may
+be necessary for operation from behind firewalls which do not permit
+incoming connections.
+.TP
.B private
Set the protection level on data transfers to ``private''. Data
transmissions are confidentiality and integrity protected by encryption.
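Review bot: the new passive entry says "the client initiates the data connection by listening on the data port", which contradicts itself and the firewall rationale in the following sentence. In passive mode the server listens and the client connects out to it; suggest "the client initiates the data connection to the server instead of listening for an incoming connection".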
@@ -86,6 +86,7 @@ main(argc, argv)
int top;
struct passwd *pw = NULL;
char homedir[MAXPATHLEN];
+ char *progname = argv[0];
sp = getservbyname("ftp", "tcp");
if (sp == 0) {
@@ -147,10 +148,9 @@ main(argc, argv)
doglob = 0;
break;
-
case 'u':
- autoauth = 0;
- break;
+ autoauth = 0;
+ break;
case 'f':
forward = 1;
@@ -160,11 +160,13 @@ main(argc, argv)
autoencrypt = 1;
break;
-
default:
- fprintf(stdout,
+ fprintf(stderr,
"ftp: %c: unknown option\n", *cp);
- exit(1);
+ fprintf(stderr, "Usage: %s [-v] [-d] [-i] [-n] [-g] "
+ "[-k realm] [-f] [-x] [-u] [-t] [host]\n",
+ progname);
+ exit(1);
}
nextopt:
argc--, argv++;
@@ -1,3 +1,41 @@
+Mon Oct 26 13:46:47 1998 Dan Winship <danw@mit.edu>
+
+ * ftpd.c (main): Add -A (require authentication, but not
+ necessarily authorization) and -C (user wants local credentials).
+
+ (user): Implement -A. Reorganize code a bit. If want_creds (-C) is
+ set, require a password even if authorization succeeds.
+
+ (kpass): Add krb5 ticket-getting code too. If want_creds is set,
+ don't destroy the tickets after verifying the Kerberos password.
+
+ (pass): Check krb password before local password, so we can
+ get credentials if we need them. Ignore local password if
+ want_creds is set. In case of "too many failed login attempts",
+ exit via dologout() instead of exit() so on-disk credentials are
+ destroyed.
+
+ (auth_data): If user forwards GSSAPI creds and want_creds is set,
+ write them out to a krb5 ccache. If doing krb4 compat, convert
+ them to krb4 tickets as well. (If want_creds is not set, smile and
+ nod at the user and then destroy the creds.)
+
+ (end_login): If the user has creds on disk, destroy them.
+ (dologout): If the user has creds on disk, destroy them.
+
+ * ftpd.M: Add -A and -C.
+
+Fri Oct 23 18:18:52 1998 Theodore Y. Ts'o <tytso@mit.edu>
+
+ * ftpd.c (pass): Wait 5 seconds before returning "password
+ incorrect", and only allow three bad passwords. Then
+ return an 421 reply code before closing the connection and
+ going away.
+
+ * ftpcmd.y (cmd): Don't allow the PORT command to accept a port
+ number lower than 1024; this prevents some nasty ftp
+ "bounce attacks" to SMTP ports, etc.
+
Tue Oct 20 16:29:46 1998 Dan Winship <danw@mit.edu>
* ftpd.M: Reality check. Add -a to synopsis, document -c and -u
@@ -11,6 +11,7 @@ SETENVSRC=@SETENVSRC@
SETENVOBJ=@SETENVOBJ@
LIBOBJS=@LIBOBJS@
COMERRLIB=$(BUILDTOP)/util/et/libcom_err.a
+FTPD_LIBS=@FTPD_LIBS@
SRCS = $(srcdir)/ftpd.c ftpcmd.c $(srcdir)/logwtmp.c $(srcdir)/popen.c \
$(srcdir)/vers.c \
@@ -28,7 +29,7 @@ DEFINES = -DGSSAPI -DNOCONFIDENTIAL
all:: ftpd
ftpd: $(OBJS) $(GSS_DEPLIBS) $(UTIL_DEPLIB) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o $@ $(OBJS) $(GSS_LIBS) $(UTIL_LIB) $(KRB4COMPAT_LIBS)
+ $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(GSS_LIBS) $(UTIL_LIB) $(KRB4COMPAT_LIBS)
clean::
$(RM) ftpd ftpcmd.c
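Review bot: the link line now uses $(FTPD_LIBS), but the ftpd target's prerequisites still list only $(OBJS) $(GSS_DEPLIBS) $(UTIL_DEPLIB) $(KRB4COMPAT_DEPLIBS), so a rebuilt libkrb524.a will not trigger a relink of ftpd. Add $(FTPD_LIBS), or a matching dependency variable, to the prerequisite list.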
@@ -107,6 +107,8 @@ extern gss_ctx_id_t gcontext;
#endif
#endif
+static struct sockaddr_in host_port;
+
extern struct sockaddr_in data_dest;
extern int logged_in;
extern struct passwd *pw;
@@ -217,12 +219,22 @@ cmd: USER SP username CRLF
}
| PORT SP host_port CRLF
= {
- usedefault = 0;
- if (pdata >= 0) {
- (void) close(pdata);
- pdata = -1;
+ /*
+ * Don't allow a port < 1024 if we're not
+ * connecting back to the original source address
+ * This prevents nastier forms of the bounce attack.
+ */
+ if (ntohs(host_port.sin_port) < 1024)
+ reply(504, "Port number too low");
+ else {
+ data_dest = host_port;
+ usedefault = 0;
+ if (pdata >= 0) {
+ (void) close(pdata);
+ pdata = -1;
+ }
+ reply(200, "PORT command successful.");
}
- reply(200, "PORT command successful.");
}
| PASV check_login CRLF
= {
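Review bot: the comment added to the PORT action says the low-port rejection applies only "if we're not connecting back to the original source address", but the condition ntohs(host_port.sin_port) < 1024 never examines host_port.sin_addr, so the check is unconditional and the address is not validated at all. Either compare host_port.sin_addr with the control connection's peer address and reject a mismatch, or reword the comment to match the code. As written, a PORT naming a third-party host on port 1024 or above is still accepted, so the bounce is narrowed rather than closed.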
@@ -674,11 +686,11 @@ host_port: NUMBER COMMA NUMBER COMMA NUMBER COMMA NUMBER COMMA
= {
register char *a, *p;
- a = (char *)&data_dest.sin_addr;
+ a = (char *)&host_port.sin_addr;
a[0] = $1; a[1] = $3; a[2] = $5; a[3] = $7;
- p = (char *)&data_dest.sin_port;
+ p = (char *)&host_port.sin_port;
p[0] = $9; p[1] = $11;
- data_dest.sin_family = AF_INET;
+ host_port.sin_family = AF_INET;
}
;
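Review bot: the host_port rule stores each NUMBER into a char (a[0] = $1; ... p[0] = $9; p[1] = $11;) with no range check, so a field above 255 is silently truncated. Now that the PORT action makes an access decision on host_port, reject any field outside 0 to 255 in this rule with a syntax-error reply instead of accepting the truncated value.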
@@ -39,7 +39,7 @@
Internet File Transfer Protocol server
.SH SYNOPSIS
.B ftpd
-[\fB\-a\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB\-l\fP]
+[\fB\-a \fP|\fB -A\fP] [\fB\-c\fP] [\fB\-C\fP] [\fB\-d\fP] [\fB\-l\fP]
[\fB\-t\fP \fItimeout\fP] [\fB\-T\fP \fImaxtimeout\fP]
[\fB\-p\fP \fIport\fP] [\fB\-u\fP \fIumask\fP]
[\fB\-r\fP \fIrealm-file\fP] [\fB\-s\fP \fIsrvtab\fP]
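Review bot: the new synopsis entry [\fB\-a \fP|\fB -A\fP] is formatted differently from the other options: the spaces sit inside the bold spans and -A lacks the \- escape used everywhere else on the line. Suggest [\fB\-a\fP | \fB\-A\fP].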
@@ -55,8 +55,22 @@ specification; see
.PP
Available options:
.TP
+.B \-A
+Connections are only allowed for users who can authenticate via the
+ftp AUTH mechanism. (Anonymous ftp may also be allowed if it is
+configured.) Ftpd will ask the user for a password if one is
+required.
+.TP
.B \-a
-Only permit Kerberos-authenticated or anonymous logins.
+Connections are only allowed for users who can authenticate (via the
+ftp AUTH mechanism) and who are authorized to connect to the named
+account without a password. (Anonymous ftp may also be allowed if it is
+configured.)
+.TP
+.B \-C
+Non-anonymous users need local credentials (for example, to authenticate
+to remote fileservers), and so they should be prompted for a password
+unless they forwarded credentials as part of authentication.
.TP
.B \-c
Allow the CCC (Clear Command Channel) command to be used. This allows
@@ -95,14 +109,14 @@ Sets the umask for the ftpd process. The default value is normally 027.
\fB\-r\fP \fIrealm-file\fP
Sets the name of the
.I krb.conf
-file to use. The default value is normally
-.IR /usr/kerberos/lib/krb.conf .
+file to use. The default value is normally set by
+.IR /etc/krb5.conf .
.TP
\fB\-s\fP \fIsrvtab\fP
Sets the name of the
.I srvtab
-file to use. The default value is normally
-.IR /etc/krb5.keytab .
+file to use for Kerberos V4 authentication. The default value is normally
+.IR /etc/srvtab .
.PP
The ftp server currently supports the following ftp requests; case is
not distinguished.