pending/1097: ftpd does not work properly on multi-homed host
Ali M
ali_m_000 at hotmail.com
Fri Apr 26 12:28:53 EDT 2002
>Number: 1097
>Category: pending
>Synopsis: ftpd does not get correct keytab entry on multi-homed host
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: gnats-admin
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Fri Apr 26 12:29:00 EDT 2002
>Last-Modified:
>Originator: Super-User
>Organization:
None
>Release: krb5-1.2.4
>Environment:
All
System: SunOS secsol5 5.6 Generic_105181-21 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
>Description:
ftpd calls gethostbyname() when building the service principal name
before asking GSSAPI to get the keytab entry. If the connection
comes in on a different interface to the one reported by `hostname`
the incorrect key is read from the keytab
>How-To-Repeat:
Get a box with two or more interfaces. Generate host key for each i/f
ftp to the interface not reported by `hostname` - you get the following...
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Wrong principal in request
GSSAPI error: accepting context
GSSAPI ADAT failed
>Fix:
See diff -c output below...
diff -c ftpd.c ftpd.c.ORIG
*** ftpd.c Fri Apr 26 17:04:55 2002
--- ftpd.c.ORIG Fri Apr 26 15:56:13 2002
***************
*** 2350,2357 ****
char service_name[MAXHOSTNAMELEN+10];
char **service;
struct hostent *hp;
- struct sockaddr_in his_addr;
- size_t address_len;
chan.initiator_addrtype = GSS_C_AF_INET;
chan.initiator_address.length = 4;
--- 2350,2355 ----
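Review bot: the added declaration "size_t address_len" has the wrong type for the length argument that the next hunk passes to getsockname() as &address_len. That argument is an int (socklen_t on platforms that define it), so on a build where size_t is wider than int the call reads and writes an object of the wrong size. Declare it with the type getsockname() expects. The name his_addr is also misleading for a variable that holds the locally bound address; something like local_addr would read better. Finally, the diff was produced as "diff -c ftpd.c ftpd.c.ORIG", so the modified file is on the "***" side and the new lines are marked "-"; regenerate it with the original file first so it applies without reversing.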
***************
*** 2372,2398 ****
tok.value = gout_buf;
tok.length = length;
! /*
! * Need to get the hostname of the interface the client has
bound to
! * (on fd 0) so that we can get the correct keytable entry
! */
!
! address_len = sizeof(his_addr);
! if (getsockname(0, (struct sockaddr *)&his_addr,
&address_len) != 0) {
! reply(501, "couldn't get locally bound socket name
(%d)\n", errno);
! syslog(LOG_ERR, "couldn't get locally bound socket
name (%d)\n", errno);
return 0;
}
!
! if (!(hp = gethostbyaddr((void *)&his_addr.sin_addr,
sizeof(his_addr.sin_addr), AF_INET))) {
reply(501, "couldn't canonicalize local
hostname\n");
syslog(LOG_ERR, "Couldn't canonicalize local
hostname");
return 0;
! }
!
! if (debug)
! syslog(LOG_DEBUG, "Using interface %s\n",
hp->h_name);
!
strncpy(localname, hp->h_name, sizeof(localname) - 1);
localname[sizeof(localname) - 1] = '\0';
--- 2370,2385 ----
tok.value = gout_buf;
tok.length = length;
! if (gethostname(localname, MAXHOSTNAMELEN)) {
! reply(501, "couldn't get local hostname (%d)\n",
errno);
! syslog(LOG_ERR, "Couldn't get local hostname (%d)",
errno);
return 0;
}
! if (!(hp = gethostbyname(localname))) {
reply(501, "couldn't canonicalize local
hostname\n");
syslog(LOG_ERR, "Couldn't canonicalize local
hostname");
return 0;
! }
strncpy(localname, hp->h_name, sizeof(localname) - 1);
localname[sizeof(localname) - 1] = '\0';
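Review bot: when gethostbyaddr() fails, the unchanged error branch still reports only "couldn't canonicalize local hostname", with no indication of which address could not be resolved, and the function returns 0, so an interface without a reverse DNS entry can no longer authenticate at all. Log the address (for example via inet_ntoa(his_addr.sin_addr)) and consider falling back to the previous gethostname()/gethostbyname() path in that case. The service principal is now derived from a reverse lookup, so it is worth documenting that each interface needs a PTR record matching its keytab entry. Smaller points: in the getsockname() failure branch errno is formatted by syslog() after reply() has already run and may have changed it, so save it in a local first; the new syslog() format strings end in "\n", which the unchanged syslog() calls in this block do not; and the lookup hard-codes AF_INET and descriptor 0, which deserves a line in the comment.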
>Audit-Trail:
>Unformatted: