gssapi and CCC command

Marc Horowitz marc at MIT.EDU
Thu Apr 11 18:47:48 EDT 2002


I haven't looked at the MIT code in a long time, but I just took a
quick glance, and it looks like either the username is invalid, or the
initial password request fails.  If you can look at the KDC logs, find
out if the AS-REQ is really succeeding.

I also have to mention that using CCC isn't a very good idea.  It was
defined and implemented at a time when the Internet was a less hostile
place, and when US export laws were still very relevant.  It's an
especially bad idea to transmit the password in the clear, as you seem
to be attempting to do.  Today, I would recommend implementing the
full spec; it's a lot more secure that way.

                Marc

glen at montreal.hcl.com ("Glen Matthews") writes:

>> Hi,
>> 
>>   i'm writing an ftp client using the gssapi with kerberos, and am somewhat
>> puzzled by the CCC command behaviour.
>> 
>>   basically, when i enable clear channel commands using CCC, it is accepted
>> with a 200-level message. i can enter various commands (notably PBSZ, PROT -
>> these seem to work ok). however, when i try to enter something else (like a
>> pwd) i get a 500 level message requiring a login before commands. ok. that
>> sort of fits - without enabling CCC, i need to send a login (encrypted) and
>> i get back a message stating that i've been authenticated.
>> 
>>   when i try to issue a user command, i get this:
>> 
>> 331 GSSAPI user "xxx at REALM" is not authorized as "xxx"; Password required
>> 
>> which is fine - "xxx at REALM" is the kerberos principal logging in, and xxx is
>> the userid on the target system. when the pass command is issued (with the
>> correct password even), i get 530 login incorrect.
>> 
>> any ideas? is this a config problem with the kerberized ftpd? or a problem
>> implementing the security protocol?
>> 
>> glen
>> 
>> 
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/kerberos
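
Added example, not part of the original thread or of the MIT code: a small auditor for a wire-level FTP control-channel trace that reports commands sent in the clear after the GSSAPI security exchange has completed, which is the state CCC leaves the session in. The "C: "/"S: " trace format, the host name, the tokens and the reply texts are constructed for illustration.

```python
# Commands that carry a protected command under the FTP security
# extensions (RFC 2228). Any other verb is travelling in cleartext.
WRAPPED = {"MIC", "CONF", "ENC"}
SENSITIVE = {"PASS", "ACCT"}  # arguments that must never be logged or sent clear


def audit_control_channel(lines):
    """Return (line_no, severity, text) for each cleartext client command
    seen after the server reported 235 (security data exchange complete).

    Assumed input format: one message per line, "C: ..." or "S: ...".
    """
    secured = False
    findings = []
    for n, line in enumerate(lines, 1):
        side, _, msg = line.partition(": ")
        if side == "S":
            if msg.startswith("235"):
                secured = True
            continue
        verb = msg.partition(" ")[0].upper()
        if not secured or verb in WRAPPED:
            continue  # pre-auth negotiation, or properly protected command
        if verb in SENSITIVE:
            findings.append((n, "high", verb + " <redacted>"))
        else:
            findings.append((n, "info", msg))
    return findings


# Constructed, simplified trace modelled on the session described above.
TRACE = [
    "S: 220 ftp.example.test FTP server ready",
    "C: AUTH GSSAPI",
    "S: 334 Using authentication type GSSAPI; ADAT must follow",
    "C: ADAT dG9rZW4=",
    "S: 235 ADAT=cmVwbHk=",
    "C: MIC Q0ND",
    "S: 200 CCC accepted",
    "C: PWD",
    "S: 530 Please login with USER and PASS",
    "C: USER xxx",
    "S: 331 Password required",
    "C: PASS not-a-real-password",
    "S: 530 Login incorrect",
]

if __name__ == "__main__":
    for finding in audit_control_channel(TRACE):
        print(finding)
```
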


