ange-ftp - bad parsing of server response
Trond Eivind Glomsrød
not to your local site managers!!
Please write in English, because the Emacs maintainers do not have
translators to read other languages for them.
In GNU Emacs 20.6.1 (i386-redhat-linux-gnu, X toolkit)
of Wed May 3 2000 on hoser.devel.redhat.com
configured using `configure --prefix=/usr --libexecdir=/usr/lib --sharedstatedir=/var --with-gcc --with-pop --with-x-toolkit i386-redhat-linux-gnu'
Please describe exactly what actions triggered the bug
and the precise symptoms of the bug:
Platform: Red Hat Linux 6,2 with kerberos packages installed
When krb-workstation is installed, a ftp client with kerberos support
is used. This will try to use kerberos as the first authentication
method:
[teg@hoser i386]$ ftp hoser
Connected to hoser.devel.redhat.com.
220 hoser.devel.redhat.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (hoser:teg): testit
331 Password required for testit.
Password:
230 User testit logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
As you can see, you get a 530 response before being asked for a
user/password combo. The problem is that ange-ftp treats this as a
fatal error - this is the way the ftp buffer looks:
ftp> open hoser
Connected to hoser.devel.redhat.com.
220 hoser.devel.redhat.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
user "testit" Turtle Power!
530 Please login with USER and PASS.
It treats this 530 as "oops - bad password" when it's only a login request.
Recent messages:
Checking new news...done
Mark set
Mark saved where search started
Beginning of buffer [5 times]
Mark set
Making completion list...
Quit
Loading emacsbug...
Loading emacsbug...done
--
Trond Eivind Glomsrød
Red Hat, Inc.
Eric Marsden
teg> Connected to hoser.devel.redhat.com.
teg> 220 hoser.devel.redhat.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
teg> user "testit" Turtle Power!
teg> 530 Please login with USER and PASS.
teg>
teg> It treats this 530 as "oops - bad password" when it's only a
teg> login request.
RFC959 states that a 53x reply status is a "permanent negative
completion reply" in the authentication and accounting category, and
that "The User-process is discouraged from repeating the exact request
(in the same sequence)".
My interpretation is that you should submit a bug report for the ftp
daemon.
--
Eric Marsden <URL:http://www.laas.fr/~emarsden>
Ehud Karni
>
> >>>>> "teg" == Trond Eivind Glomsrרd <t...@redhat.com> writes:
>
> teg> Connected to hoser.devel.redhat.com.
> teg> 220 hoser.devel.redhat.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
> teg> user "testit" Turtle Power!
> teg> 530 Please login with USER and PASS.
> teg>
> teg> It treats this 530 as "oops - bad password" when it's only a
> teg> login request.
>
> RFC959 states that a 53x reply status is a "permanent negative
> completion reply" in the authentication and accounting category, and
> that "The User-process is discouraged from repeating the exact request
> (in the same sequence)".
>
> My interpretation is that you should submit a bug report for the ftp
> daemon.
Even if it is the ftp daemon bug, if the ange-ftp can be made more
tolerant and ignore this message, it should be done. In this case I
don't think it can be done (at least not easily) because the 530
message is "Login incorrect" in (most ?) other ftp daemons.
Ehud.
--
@@@@@@ @@@ @@@@@@ @ @ Ehud Karni Simon & Wiesel Insurance agency
@ @ @ @@ @ Tel: +972-3-6212-757 Fax: +972-3-6292-544
@ @ @ @ @ @@ (USA) Fax and voice mail: 1-815-5509341
@ @ @ @ @ @ Better Safe Than Sorry
http://www.simonwiesel.co.il mailto:eh...@unix.simonwiesel.co.il
Trond Eivind Glomsrød
> On 04 May 2000 10:16:00 +0200, Eric Marsden <emar...@mail.dotcom.fr> wrote:
> >
> > >>>>> "teg" == Trond Eivind Glomsrרd <t...@redhat.com> writes:
> >
> > teg> Connected to hoser.devel.redhat.com.
> > teg> 220 hoser.devel.redhat.com FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
> > teg> user "testit" Turtle Power!
> > teg> 530 Please login with USER and PASS.
> > teg>
> > teg> It treats this 530 as "oops - bad password" when it's only a
> > teg> login request.
> >
> > RFC959 states that a 53x reply status is a "permanent negative
> > completion reply" in the authentication and accounting category, and
> > that "The User-process is discouraged from repeating the exact request
> > (in the same sequence)".
> >
> > My interpretation is that you should submit a bug report for the ftp
> > daemon.
My interpretation is that the client is discouraged from trying the
Kerberos authentication attempt again, but is free to try other things
(like the ordinary user/password mechanism)
> Even if it is the ftp daemon bug, if the ange-ftp can be made more
> tolerant and ignore this message, it should be done. In this case I
> don't think it can be done (at least not easily) because the 530
> message is "Login incorrect" in (most ?) other ftp daemons.
Why not look for "Login incorrect" or something similar, then?
Please Cc me - the e-mail gateway doesn't seem to be in a good shape
right now.
--
Eric Marsden
teg> My interpretation is that the client is discouraged from trying
teg> the Kerberos authentication attempt again, but is free to try
teg> other things (like the ordinary user/password mechanism)
according to the state diagrams in RFC959, the only replies allowed
upon connection establishment are 120 then 220, 220, and 421. Your
scenario shows connection establishment leading to a 220, unsuccessful
out of band kerberos authentication, then a 530.
From the point of view of the FTP command connection this doesn't
conform to the state diagram, so it's unreasonable to expect an FTP
client to be able to handle it.
It seems to me that the ftpd could incorporate kerberos authentication
while staying RFC-compliant by sending a 230 (instead of 331) response
to the `USER' command if out of band authentication was successful.
teg> Why not look for "Login incorrect" or something similar, then?
"the text [associated with an FTP reply] may be server-dependent, so
there are likely to be varying texts for each reply code." (RFC959
section 4.2).
Trond Eivind Glomsrød
> according to the state diagrams in RFC959, the only replies allowed
> upon connection establishment are 120 then 220, 220, and 421. Your
> scenario shows connection establishment leading to a 220, unsuccessful
> out of band kerberos authentication, then a 530.
>
> >From the point of view of the FTP command connection this doesn't
> conform to the state diagram, so it's unreasonable to expect an FTP
> client to be able to handle it.
>
> It seems to me that the ftpd could incorporate kerberos authentication
> while staying RFC-compliant by sending a 230 (instead of 331) response
> to the `USER' command if out of band authentication was successful.
Here is what happens on another server (this is a paste from the emacs
buffer, this is a result of using ange-ftp):
ftp> open verden.pvv.ntnu.no
Connected to verden.pvv.ntnu.no.
220-
220- Welcome to the FTP archive at verden.pvv.ntnu.no, PVV's
220- mirror server and home of ftp.kerneli.org
220-
220- To access our public archive, please log in as "anonymous" with your
220- email address as password.
220-
220- Note: All anonymous access to this server is logged with your host name
220- and whatever you entered for the password. Disconnect now if you
220- don't like this policy!
220-
220- =======================================================================
220-
220 verden.pvv.ntnu.no FTP server (Version 6.00) ready.
user "teg" Turtle Power!
500 'AUTH GSSAPI': command not understood.
500 'AUTH KERBEROS_V4': command not understood.
KERBEROS_V4 rejected as an authentication type
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 331 Password required for teg.
230 User teg logged in.
ftp>
As you can see, ange-ftp is able to log me in. It won't give me any
files, though:
Opening FTP connection to verden.pvv.ntnu.no...
Opening FTP connection to verden.pvv.ntnu.no...done
Logging in as user t...@verden.pvv.ntnu.no...
FTP Error: USER request failed: 500 'AUTH GSSAPI': command not understood.
> "the text [associated with an FTP reply] may be server-dependent, so
> there are likely to be varying texts for each reply code." (RFC959
> section 4.2).
Sure. But how can this problem be solved? Having one program for use
with internal(kerberos) and external(user/passwd) sites makes sense.
Eric Marsden
proposed patch:
Kerberos-enabled FTP clients send special `AUTH' commands upon
connection establishment to request special authentication procedures.
These commands are specified by RFC2228, which notes that non
security-aware FTP servers should respond with a `500' (syntax error)
code as per RFC959.
ange-ftp has fairly limited error-recovery, and is confused by the
error codes sent by non security-aware FTP servers (which result from
commands which were sent "behind its back", and which don't conform to
the sequence diagrams in RFC959). However, given that security-aware
ftp clients are likely to become more popular, it would be useful for
ange-ftp to handle AUTH-related errors more gracefully.
Something like the following patch should work (I can't test it since
I don't have a kerberized ftp client). An alternative approach would
be to change `ange-ftp-smart-login' and `ange-ftp-normal-login' to
ignore 500 return codes.
--- /usr/share/emacs/20.3/lisp/ange-ftp.el Tue Aug 18 06:38:45 1998
+++ /tmp/ange-ftp.el Mon May 8 17:51:44 2000
@@ -669,11 +669,17 @@
;; mode and hangs. Have it ignore 550- instead. It will then barf
;; when it gets the 550 line, as it should.
+;; RFC2228 "FTP Security Extensions" defines extensions to the FTP
+;; protocol which involve the client requesting particular
+;; authentication methods (typically) at connection establishment. Non
+;; security-aware FTP servers should respond to this with a 500 code,
+;; which we ignore.
(defcustom ange-ftp-skip-msgs
(concat "^200 \\(PORT\\|Port\\) \\|^331 \\|^150 \\|^350 \\|^[0-9]+ bytes \\|"
"^Connected \\|^$\\|^Remote system\\|^Using\\|^ \\|Password:\\|"
"^Data connection \\|"
"^local:\\|^Trying\\|^125 \\|^550-\\|^221 .*oodbye\\|"
+ "^500 .*AUTH \\(KERBEROS\\|GSSAPI\\)\\|"
"^227 .*[Pp]assive")
"*Regular expression matching ftp messages that can be ignored."
:group 'ange-ftp
This patch should work with the ftpd you show at ntnu.no, but not with
that at redhat.com, since I believe that the latter is buggy.
Trond Eivind Glomsrød
> Something like the following patch should work (I can't test it since
> I don't have a kerberized ftp client).
Unfortunately, the given patch doesn't work. Neither does just
changing the angt-ftp-fatal-msgs to include lines starting with 500 -
I still get
FTP Error: USER request failed: KERBEROS_V4 rejected as an authentication type
(this is with the pvv.ntnu.no server, BTW)
--
Trond Eivind Glomsrød
Eric Marsden
teg> Unfortunately, the given patch doesn't work. Neither does just
teg> changing the angt-ftp-fatal-msgs to include lines starting with
teg> 500 - I still get
teg>
teg> FTP Error: USER request failed: KERBEROS_V4 rejected as an
teg> authentication type
sorry, I forgot that last error line. I have now installed the
kerberos client programs and the following seems to work, with non
security-aware FTP servers at least.
--- /usr/share/emacs/20.3/lisp/ange-ftp.el Tue Aug 18 06:38:45 1998
+++ /tmp/ange-ftp.el Mon May 8 21:15:52 2000
@@ -669,11 +669,17 @@
;; mode and hangs. Have it ignore 550- instead. It will then barf
;; when it gets the 550 line, as it should.
+;; RFC2228 "FTP Security Extensions" defines extensions to the FTP
+;; protocol which involve the client requesting particular
+;; authentication methods (typically) at connection establishment. Non
+;; security-aware FTP servers should respond to this with a 500 code,
+;; which we ignore.
(defcustom ange-ftp-skip-msgs
(concat "^200 \\(PORT\\|Port\\) \\|^331 \\|^150 \\|^350 \\|^[0-9]+ bytes \\|"
"^Connected \\|^$\\|^Remote system\\|^Using\\|^ \\|Password:\\|"
"^Data connection \\|"
"^local:\\|^Trying\\|^125 \\|^550-\\|^221 .*oodbye\\|"
+ "^500 .*AUTH \\(KERBEROS\\|GSSAPI\\)\\|^KERBEROS\\|"
"^227 .*[Pp]assive")
"*Regular expression matching ftp messages that can be ignored."
:group 'ange-ftp
Trond Eivind Glomsrød
> >>>>> "teg" == Trond Eivind Glomsrød <t...@pvv.ntnu.no> writes:
>
> teg> Unfortunately, the given patch doesn't work. Neither does just
> teg> changing the angt-ftp-fatal-msgs to include lines starting with
> teg> 500 - I still get
> teg>
> teg> FTP Error: USER request failed: KERBEROS_V4 rejected as an
> teg> authentication type
>
> sorry, I forgot that last error line. I have now installed the
> kerberos client programs and the following seems to work, with non
> security-aware FTP servers at least.
Yes. Thanks a lot. The wu-ftpd server will be patched - I'll already
talked to someone about fixing this.