Date: Thu, 31 Jan 2008 14:38:07 GMT
From: Filip Palian <filip.palian@expro.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/120187: Pure-FTPd doesn't support TLS authentication by default.
Message-ID: <200801311438.m0VEc72p074955@www.freebsd.org>
Resent-Message-ID: <200801311440.m0VEe3UP082734@freefall.freebsd.org>
>Number:         120187
>Category:       ports
>Synopsis:       Pure-FTPd doesn't support TLS authentication by default.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 31 14:40:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Filip Palian
>Release:        6.2-RELEASE-p7
>Organization:
Expro Sp. z o.o.
>Environment:
FreeBSD <hostname> 6.2-RELEASE-p7 FreeBSD 6.2-RELEASE-p7 #2: Sun Sep 16 00:33:25 UTC 2007 root@<hostname>:/usr/obj/usr/src/sys/<hostname> amd64
>Description:
Pure-FTPd version 1.0.21_1 was compiled from ports, with the following options passed to the configure script:

--with-everything
--with-paranoidmsg
--with-virtualchroot
--with-tls            // Support for secure authentication.
--with-largefile
--with-pgsql
--with-privsep
--without-banner
--with-sendfile

The pure-ftpd binary was run with the following configuration:

/usr/local/sbin/pure-ftpd -A -c50 -B -C8 -d -D -E -fftp -H -I15 -lpgsql:/usr/local/etc/pureftpd-pgsql.conf -L2000:8 -m4 -p49000:50000 -P<ext_IP> -s -U133:022 -u80 -i -g/var/run/pure-ftpd.pid -k99 -Z -Y1

I've noticed that Pure-FTPd executed with both "-P" and "-Y" flags doesn't work properly. It means clients were not able to authenticate themselves using AUTH TLS. Pure-FTPd during feature negotiation (FEAT) didn't include FEAT_TLS, so clients were using plain-text authentication.

Feature negotiation log without a fix:

---> FEAT
<--- 211-Extensions supported:
<--- EPRT
<--- IDLE
<--- MDTM
<--- SIZE
<--- REST STREAM
<--- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<--- MLSD
<--- TVFS
<--- ESTP
<--- PASV
<--- EPSV
<--- SPSV
<--- 211 End.
---> QUIT             // Using secure authentication was forced.
Feature negotiation log with a fix:

---> FEAT
<--- 211-Extensions supported:
<--- EPRT
<--- IDLE
<--- MDTM
<--- SIZE
<--- REST STREAM
<--- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<--- MLSD
<--- TVFS
<--- ESTP
<--- PASV
<--- EPSV
<--- SPSV
<--- ESTA
<--- AUTH TLS
<--- PBSZ
<--- 211 End.
---> AUTH TLS
<--- 234 AUTH TLS OK.
>How-To-Repeat:
1) Compile Pure-FTPd with TLS support (--with-tls).
2) Run the pure-ftpd binary with the "-P" and "-Y" flags.
3) Try to connect to the Pure-FTPd daemon with AUTH TLS (debug mode).
>Fix:
Apply the patch included with this Problem Report.

Patch attached with submission follows:

--- src/ftpd.c	2006-02-21 14:14:49.000000000 +0100
+++ src/ftpd.c.new	2007-12-20 14:53:56.000000000 +0100
@@ -3439,14 +3439,14 @@ void dofeat(void)
 # define FEAT_UTF8 ""
 #endif
 
-    char feat[] = FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_PASV FEAT_ESTA FEAT_TLS FEAT_UTF8;
+    char feat[] = FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_TLS FEAT_PASV FEAT_ESTA FEAT_UTF8;
 
     if (disallow_passive != 0) {
         feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP] = 0;
     }
 #ifndef MINIMAL
     else if (STORAGE_FAMILY(force_passive_ip) != 0) {
-        feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_PASV] = 0;
+        feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_TLS FEAT_PASV] = 0;
     }
 #endif
     addreply_noformat(0, feat);
>Release-Note:
>Audit-Trail:
>Unformatted:
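Review bot: the reorder only rescues AUTH TLS in the `force_passive_ip` branch; the `disallow_passive` branch still writes its NUL at `feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP] = 0;`, an offset that now sits in front of FEAT_TLS, so a server in that mode keeps sending a FEAT reply without AUTH TLS, the very symptom this PR reports, and a non-empty FEAT_UTF8 is cut off by both truncation points exactly as before. Either move every feature that does not depend on passive mode ahead of the earliest cut (for example `FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_TLS FEAT_UTF8 FEAT_PASV FEAT_ESTA`, with both sizeof indices adjusted to match), or emit the passive-dependent part through a separate addreply call so that no sizeof arithmetic on the literal is needed at all; at minimum add a comment saying that the initializer order is load-bearing, because nothing in the code says so and this is the second time the order has silently mattered. Also, assuming the macros carry the features their names suggest, the "with a fix" log lists AUTH TLS and PBSZ after SPSV and ESTA, which is the 1.0.21 initializer order, whereas the patched initializer with `-P` would emit them right after ESTP and drop ESTA entirely; it is worth confirming which binary produced that log before committing.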
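The truncation idiom behind this report, as an added stand-alone example that is not pure-ftpd's code: it models how dofeat() assembles the FEAT reply from concatenated string-literal macros and then cuts it with a NUL at the sizeof of a prefix, using the macro names, the two initializer orders and the two truncation indices from the patch above. The macro bodies, the `mode` enum and the function names are assumptions chosen for illustration. The check it performs is the one the How-To-Repeat step asks for, done offline: whether the reply the server would send in each mode still contains AUTH TLS.

```c
/* Added example, not pure-ftpd's code.  Macro bodies below are assumptions
 * picked to resemble a FEAT reply; only the names, the two orderings and the
 * two truncation indices are taken from the PR's patch. */
#include <stdio.h>
#include <string.h>

#define CRLF       "\r\n"
#define FEAT       "211-Extensions supported:" CRLF " EPRT" CRLF " IDLE" CRLF " MDTM" CRLF " SIZE"
#define FEAT_DEBUG ""                       /* empty in a non-debug build */
#define FEAT_TVFS  CRLF " TVFS"
#define FEAT_ESTP  CRLF " ESTP"
#define FEAT_PASV  CRLF " PASV" CRLF " EPSV" CRLF " SPSV"
#define FEAT_ESTA  CRLF " ESTA"
#define FEAT_TLS   CRLF " AUTH TLS" CRLF " PBSZ"
#define FEAT_UTF8  CRLF " UTF8"

/* Hypothetical stand-ins for the disallow_passive / force_passive_ip state. */
enum mode { MODE_DEFAULT, MODE_DISALLOW_PASSIVE, MODE_FORCE_PASSIVE_IP };

/* Build the reply into out.  fixed_order selects the PR's ordering
 * (FEAT_TLS moved in front of FEAT_PASV) instead of the 1.0.21 ordering.
 *
 * sizeof of a string literal counts its terminating NUL, so
 * feat[sizeof PREFIX] = 0 cuts the string one byte after the prefix ends:
 * everything from the following macro onward disappears (bar its first
 * byte, here a '\r').  Any feature that must always be advertised has to
 * sit before the earliest cut, which is all the reorder relies on. */
static void build_feat(char *out, size_t outsz, enum mode m, int fixed_order)
{
    if (fixed_order) {
        char feat[] = FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_TLS FEAT_PASV FEAT_ESTA FEAT_UTF8;
        if (m == MODE_DISALLOW_PASSIVE)
            feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP] = 0;          /* still ahead of TLS */
        else if (m == MODE_FORCE_PASSIVE_IP)
            feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_TLS FEAT_PASV] = 0;
        snprintf(out, outsz, "%s", feat);
    } else {
        char feat[] = FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_PASV FEAT_ESTA FEAT_TLS FEAT_UTF8;
        if (m == MODE_DISALLOW_PASSIVE)
            feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP] = 0;
        else if (m == MODE_FORCE_PASSIVE_IP)
            feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_PASV] = 0;  /* cuts TLS: the bug */
        snprintf(out, outsz, "%s", feat);
    }
}

/* 1 if the reply the server would send in mode m advertises AUTH TLS. */
int advertises_tls(enum mode m, int fixed_order)
{
    char reply[512];
    build_feat(reply, sizeof reply, m, fixed_order);
    return strstr(reply, "AUTH TLS") != NULL;
}

/* Same check for UTF8, which sits last in both orderings and so is lost
 * whenever either truncation fires. */
int advertises_utf8(enum mode m, int fixed_order)
{
    char reply[512];
    build_feat(reply, sizeof reply, m, fixed_order);
    return strstr(reply, "UTF8") != NULL;
}

int main(void)
{
    static const char *const names[] = { "default", "disallow_passive", "force_passive_ip" };
    for (int m = MODE_DEFAULT; m <= MODE_FORCE_PASSIVE_IP; m++)
        printf("%-17s 1.0.21: AUTH TLS %-3s  patched: AUTH TLS %-3s  UTF8 (patched) %s\n",
               names[m],
               advertises_tls((enum mode)m, 0) ? "yes" : "no",
               advertises_tls((enum mode)m, 1) ? "yes" : "no",
               advertises_utf8((enum mode)m, 1) ? "yes" : "no");
    return 0;
}
```

Running it prints one row per mode; the force_passive_ip row shows the PR's bug and its fix, while the disallow_passive row shows that the same ordering trick leaves AUTH TLS unadvertised there, which is why the safer fix is to put every mode-independent feature ahead of the first cut or to stop truncating by index altogether.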