Sophie

Sophie

distrib > Scientific%20Linux > 5x > x86_64 > by-pkgid > e16d0c94ff2c9e93ba4eea60f7b68478 > files > 94

krb5-1.6.1-70.el5_9.2.src.rpm

Make ftpd's behavior for multi-homed hosts line up with that of telnetd,
rshd, and rlogind, which don't reject authentication requests that don't
match the local system's hostname as returned by gethostname().  Pulled
from SVN, with some tweaking to apply to 1.6.1.

Index: krb5/src/appl/gssftp/ftpd/ftpd.c
===================================================================
--- krb5/src/appl/gssftp/ftpd/ftpd.c
+++ krb5/src/appl/gssftp/ftpd/ftpd.c	(revision 3276)
@@ -149,7 +149,6 @@ static char *krb4_services[] = { "ftp", 
 #include <gssapi/gssapi_krb5.h>
 gss_ctx_id_t gcontext;
 gss_buffer_desc client_name;
-static char *gss_services[] = { "ftp", "host", NULL };
 
 #include <krb5.h>
 krb5_context kcontext;
@@ -2438,25 +2437,18 @@ char *adata;
 	if (strcmp(temp_auth_type, "GSSAPI") == 0) {
 		int replied = 0;
 		int found = 0;
-		gss_cred_id_t server_creds, deleg_creds;
+		gss_cred_id_t deleg_creds;
 		gss_name_t client;
 		OM_uint32 ret_flags;
 		int rad_len;
-		gss_buffer_desc name_buf;
-		gss_name_t server_name;
-		OM_uint32 acquire_maj, acquire_min, accept_maj, accept_min,
+		OM_uint32 accept_maj, accept_min,
 				stat_maj, stat_min;
 		gss_OID mechid;
 		gss_buffer_desc tok, out_tok;
 		char gbuf[FTP_BUFSIZ];
 		u_char gout_buf[FTP_BUFSIZ];
 		char localname[MAXHOSTNAMELEN];
-		char service_name[MAXHOSTNAMELEN+10];
-		char **gservice;
 		struct hostent *hp;
-		stat_maj = 0;
-		accept_maj = 0;
-		acquire_maj = 0;
 
 		kerror = radix_encode(adata, gout_buf, &length, 1);
 		if (kerror) {
@@ -2482,71 +2474,25 @@ char *adata;
 		strncpy(localname, hp->h_name, sizeof(localname) - 1);
 		localname[sizeof(localname) - 1] = '\0';
 
-		for (gservice = gss_services; *gservice; gservice++) {
-			sprintf(service_name, "%s@%s", *gservice, localname);
-			name_buf.value = service_name;
-			name_buf.length = strlen(name_buf.value) + 1;
-			if (debug)
-				syslog(LOG_INFO, "importing <%s>", service_name);
-			stat_maj = gss_import_name(&stat_min, &name_buf, 
-						   gss_nt_service_name,
-						   &server_name);
-			if (stat_maj != GSS_S_COMPLETE) {
-				reply_gss_error(501, stat_maj, stat_min,
-						"importing name");
-				syslog(LOG_ERR, "gssapi error importing name");
-				return 0;
-			}
-			
-			acquire_maj = gss_acquire_cred(&acquire_min, server_name, 0,
-						       GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
-						       &server_creds, NULL, NULL);
-			(void) gss_release_name(&stat_min, &server_name);
-
-			if (acquire_maj != GSS_S_COMPLETE)
-				continue;
-
-			found++;
-
-			gcontext = GSS_C_NO_CONTEXT;
-
-			accept_maj = gss_accept_sec_context(&accept_min,
-							    &gcontext, /* context_handle */
-							    server_creds, /* verifier_cred_handle */
-							    &tok, /* input_token */
-							    GSS_C_NO_CHANNEL_BINDINGS, /* channel bindings */
-							    &client, /* src_name */
-							    &mechid, /* mech_type */
-							    &out_tok, /* output_token */
-							    &ret_flags,
-							    NULL, 	/* ignore time_rec */
-							    &deleg_creds  /* forwarded credentials */
-							    );
-			if (accept_maj==GSS_S_COMPLETE||accept_maj==GSS_S_CONTINUE_NEEDED)
-				break;
-		}
-
-		if (found) {
-			if (accept_maj!=GSS_S_COMPLETE && accept_maj!=GSS_S_CONTINUE_NEEDED) {
-				reply_gss_error(535, accept_maj, accept_min,
-						"accepting context");
-				syslog(LOG_ERR, "failed accepting context");
-				(void) gss_release_cred(&stat_min, &server_creds);
-				if (ret_flags & GSS_C_DELEG_FLAG)
-					(void) gss_release_cred(&stat_min,
-								&deleg_creds);
-				return 0;
-			}
-		} else {
-			/* Kludge to make sure the right error gets reported, so we don't *
-			 * get those nasty "error: no error" messages.			  */
-			if(stat_maj != GSS_S_COMPLETE)
-			        reply_gss_error(501, stat_maj, stat_min,
-						"acquiring credentials");
-			else
-			        reply_gss_error(501, acquire_maj, acquire_min,
-						"acquiring credentials");
-			syslog(LOG_ERR, "gssapi error acquiring credentials");
+		accept_maj = gss_accept_sec_context(&accept_min,
+						    &gcontext, /* context_handle */
+						    GSS_C_NO_CREDENTIAL, /* verifier_cred_handle */
+						    &tok, /* input_token */
+						    GSS_C_NO_CHANNEL_BINDINGS, /* channel bindings */
+						    &client, /* src_name */
+						    &mechid, /* mech_type */
+						    &out_tok, /* output_token */
+						    &ret_flags,
+						    NULL, 	/* ignore time_rec */
+						    &deleg_creds  /* forwarded credentials */
+						    );
+
+		if (accept_maj!=GSS_S_COMPLETE && accept_maj!=GSS_S_CONTINUE_NEEDED) {
+			reply_gss_error(535, accept_maj, accept_min, "accepting context");
+			syslog(LOG_ERR, "failed accepting context");
+			if (ret_flags & GSS_C_DELEG_FLAG)
+				(void) gss_release_cred(&accept_min,
+							&deleg_creds);
 			return 0;
 		}
 
@@ -2555,7 +2501,6 @@ char *adata;
 					       / 4 * 3)) {
 				secure_error("ADAT: reply too long");
 				syslog(LOG_ERR, "ADAT: reply too long");
-				(void) gss_release_cred(&stat_min, &server_creds);
 				if (ret_flags & GSS_C_DELEG_FLAG)
 					(void) gss_release_cred(&stat_min,
 								&deleg_creds);
@@ -2570,7 +2515,6 @@ char *adata;
 				secure_error("Couldn't encode ADAT reply (%s)",
 					     radix_error(kerror));
 				syslog(LOG_ERR, "couldn't encode ADAT reply");
-				(void) gss_release_cred(&stat_min, &server_creds);
 				if (ret_flags & GSS_C_DELEG_FLAG)
 					(void) gss_release_cred(&stat_min,
 								&deleg_creds);
@@ -2599,7 +2543,6 @@ char *adata;
 						"extracting GSSAPI identity name");
 				log_gss_error(LOG_ERR, stat_maj, stat_min,
 					      "gssapi error extracting identity");
-				(void) gss_release_cred(&stat_min, &server_creds);
 				if (ret_flags & GSS_C_DELEG_FLAG)
 					(void) gss_release_cred(&stat_min,
 								&deleg_creds);
@@ -2608,7 +2551,6 @@ char *adata;
 			auth_type = temp_auth_type;
 			temp_auth_type = NULL;
 
-			(void) gss_release_cred(&stat_min, &server_creds);
 			if (ret_flags & GSS_C_DELEG_FLAG) {
 			  if (want_creds)
 			    ftpd_gss_convert_creds(client_name.value,
@@ -2629,24 +2571,12 @@ char *adata;
 			  }
 				
 			return(1);
-		} else if (accept_maj == GSS_S_CONTINUE_NEEDED) {
+		} else {
 			/* If the server accepts the security data, and
 			   requires additional data, it should respond with
 			   reply code 335. */
 			if (!replied)
 			    reply(335, "more data needed");
-			(void) gss_release_cred(&stat_min, &server_creds);
-			if (ret_flags & GSS_C_DELEG_FLAG)
-			  (void) gss_release_cred(&stat_min, &deleg_creds);
-			return(0);
-		} else {
-			/* "If the server rejects the security data (if 
-			   a checksum fails, for instance), it should 
-			   respond with reply code 535." */
-			reply_gss_error(535, stat_maj, stat_min, 
-					"GSSAPI failed processing ADAT");
-			syslog(LOG_ERR, "GSSAPI failed processing ADAT");
-			(void) gss_release_cred(&stat_min, &server_creds);
 			if (ret_flags & GSS_C_DELEG_FLAG)
 			  (void) gss_release_cred(&stat_min, &deleg_creds);
 			return(0);

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional