commit-inetutils

[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1_100-17-g00


From: Mats Erik Andersson
Subject: [SCM] GNU Inetutils branch, master, updated. inetutils-1_9_1_100-17-g00eb52f
Date: Fri, 13 Dec 2013 11:52:09 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".

The branch, master has been updated
       via  00eb52f9137d23c419859d7f99b0cbba080ad5e7 (commit)
      from  b8e8c6ebc54dc247aecca9563dddb16a1684e1e1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=00eb52f9137d23c419859d7f99b0cbba080ad5e7


commit 00eb52f9137d23c419859d7f99b0cbba080ad5e7
Author: Mats Erik Andersson <address@hidden>
Date:   Fri Dec 13 12:04:09 2013 +0100

    ftpd: Follow RFC 2577 by default.
    
    With the aim of preventing user name enumeration,
    the standard behaviour is changed to fake a password
    exchange when a user name fails to exist.

diff --git a/ChangeLog b/ChangeLog
index 9409a21..dc56a94 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,32 @@
+2013-12-13  Mats Erik Andersson  <address@hidden>
+
+       ftpd: Follow RFC 2577 by default.
+       Prevent user name guessing as standard, but offer
+       an option to keep the more informational responses.
+
+       * ftpd/extern.h (logged_in): Remove unused variable.
+       (rfc2577): New variable.
+       (struct credentials): New component DELAYED_REJECT.
+       * ftpd/ftpd.c (rfc2577): New variable.
+       (OPT_NONRFC2577): New enum value.
+       (options): New option `--non-rfc2577'.
+       (parse_opt) <case OPT_NONRFC2577>: Reset `rfc2577'.
+       (user): New variable RET.  After auth_user(), display
+       messages in the old manner only if `rfc2577' is not set,
+       or if guest access is being requested.  Otherwise, update
+       `cred.delayed_reject' for later access.
+       (end_login): Reset `pcred->delayed_reject'.
+       (pass): On returning from auth_pass(), check also
+       `cred.delayed_reject' to minimize the amount of user
+       information returned to the client.
+
+
+       ftpd: The standard protocol in RFC 959 demands
+       that a client be informed before closing down.
+
+       * ftpd/ftpd.c (pass) <repeated login failures>:
+       Send a reply message 421 before closing connection.
+
 2013-12-10  Mats Erik Andersson  <address@hidden>
 
        inetd: Logging of resolution and binding errors.
diff --git a/NEWS b/NEWS
index 940d854..1367f58 100644
--- a/NEWS
+++ b/NEWS
@@ -102,6 +102,13 @@ user name.  In addition, the parser is more forgiving
 of spaces and tabs, thus achieving better portability
 of these two files when compared with other systems.
 
+The server will by default not disclose that the requested
+user name is invalid, but will instead proceed with a faked
+password dialogue.  This is in accordance with RFC 2577.
+The new option `--non-rfc2577' will now restore the legacy
+type responses, informing about non-existing users and also
+about expired accounts, or expired passwords.
+
 * inetd
 
 Service configuration now allows setting also the group.
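Review bot: wording in the NEWS paragraph: "restore the legacy type responses, informing about non-existing users and also about expired accounts, or expired passwords" reads awkwardly; "restores the legacy responses, which report non-existent users, expired accounts and expired passwords" says the same more plainly, and "will now restore" should simply be "restores".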
diff --git a/doc/inetutils.texi b/doc/inetutils.texi
index fe5b016..f253c76 100644
--- a/doc/inetutils.texi
+++ b/doc/inetutils.texi
@@ -3641,6 +3641,16 @@ the retrieve (@code{get}), store (@code{put}), append, 
delete, make
 directory, remove directory and rename operations and their filename
 arguments are also logged.
 
address@hidden --non-rfc2577
address@hidden --non-rfc2577
+Do not follow the suggestion of RFC 2577 to suppress messages
+that could help an attacker to conduct user name enumeration.
+This option allows the server to return with an error message
+immediately upon receipt of a user name.
+Such information includes non-existence claims and expiration claims.
+The ideal mode would otherwise be to fake the relevance of asking
+for a password, and only thereafter report an invalid login.
+
 @item -p @var{pidfile}
 @itemx address@hidden
 @opindex -p
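Review bot: the option description never states what the default behaviour sends, so a reader cannot tell what `--non-rfc2577` trades away; say that with the RFC 2577 behaviour the server asks for a password regardless of whether the user exists and answers the failed login with one uniform "530 Login incorrect." (the reply used in the ftpd.c change below), whereas this option makes the server answer the USER command immediately with the specific reason (non-existent user, expired account or expired password). "The ideal mode would otherwise be to fake the relevance of asking for a password, and only thereafter report an invalid login" is hard to parse; "By default the server pretends the user exists, asks for a password, and only then reports the failure" is clearer. The two added lines shown here as "address@hidden --non-rfc2577" appear to be the list archive's address obfuscation of the "+@item" and "+@opindex" lines (the unchanged "@itemx" line below is mangled the same way), not a defect in the patch.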
@@ -3774,6 +3784,10 @@ transfer status will be returned.
 conventions used by @command{csh}.  This allows users to utilize the
 metacharacters @address@hidden@}~}.
 
+The server applies the suggestions in RFC 2577, but the legacy
+behaviour with informational content in denials can be restored
+using the option @option{--non-rfc2577}.
+
 @section Authentication
 @anchor{ftpd authentication}
 
diff --git a/ftpd/extern.h b/ftpd/extern.h
index f613d9a..95949b3 100644
--- a/ftpd/extern.h
+++ b/ftpd/extern.h
@@ -95,7 +95,6 @@ extern struct sockaddr_storage data_dest;
 extern socklen_t data_dest_len;
 extern struct sockaddr_storage his_addr;
 extern socklen_t his_addrlen;
-extern int logged_in;
 extern struct passwd *pw;
 extern int guest;
 extern int logging;
@@ -103,6 +102,7 @@ extern int no_version;
 extern int type;
 extern int form;
 extern int debug;
+extern int rfc2577;
 extern int timeout;
 extern int maxtimeout;
 extern int pdata;
@@ -141,6 +141,7 @@ struct credentials
   int guest;
   int dochroot;
   int logged_in;
+  int delayed_reject;
 #define AUTH_EXPIRED_NOT    0
 #define AUTH_EXPIRED_ACCT   1
 #define AUTH_EXPIRED_PASS   2
diff --git a/ftpd/ftpcmd.y b/ftpd/ftpcmd.y
index 9dcd06c..21818c1 100644
--- a/ftpd/ftpcmd.y
+++ b/ftpd/ftpcmd.y
@@ -53,6 +53,15 @@
  *   See RFC 959, RFC 1639, RFC 2389, RFC 2428,
  *   and RFC 3659 (MDTM, REST, SIZE).
  *
+ * Security related details:
+ *
+ *   PORT, EPRT, and LPRT are only allowed for
+ *   target ports greater than IPPORT_RESERVED.
+ *   In addition, the network address of the data
+ *   connection must be identical to the address
+ *   of the standing control connection.  These
+ *   have bearing on RFC 2577, sections 3 and 4.
+
  * TODO: Update with RFC 3659 (MLST, MLSD).
  *
  * TODO: RFC 2428 (EPSV ALL).
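Review bot: style: the line added after "These have bearing on RFC 2577, sections 3 and 4." is a bare "+" with nothing after it, so that line of the comment block loses the leading " *" that every other line carries; make it "+ *". The content is useful, but consider pointing at where in the grammar the IPPORT_RESERVED and same-address checks for PORT, EPRT and LPRT are enforced, so the comment can be verified against the code rather than taken on trust.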
diff --git a/ftpd/ftpd.c b/ftpd/ftpd.c
index 8e35b3e..5cf371f 100644
--- a/ftpd/ftpd.c
+++ b/ftpd/ftpd.c
@@ -132,6 +132,7 @@ int no_version;                     /* Don't print version 
to client.  */
 int type = TYPE_A;             /* Default TYPE_A.  */
 int form = FORM_N;             /* Default FORM_N.  */
 int debug;                     /* Enable debug mode if 1.  */
+int rfc2577 = 1;               /* Follow suggestions in RFC 2577.  */
 int timeout = 900;             /* Timeout after 15 minutes of inactivity.  */
 int maxtimeout = 7200;         /* Don't allow idle time to be set
                                   beyond 2 hours.  */
@@ -260,6 +261,10 @@ const char doc[] =
   "File Transfer Protocol daemon.";
 #endif
 
+enum {
+  OPT_NONRFC2577 = CHAR_MAX + 1,
+};
+
 static struct argp_option options[] = {
 #define GRID 0
   { "anonymous-only", 'A', NULL, 0,
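Review bot: OPT_NONRFC2577 = CHAR_MAX + 1 depends on <limits.h>, and this hunk does not add the include; confirm ftpd.c already includes it. Otherwise the anonymous enum placed before the options table is the usual argp idiom for a long-only option.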
@@ -292,6 +297,9 @@ static struct argp_option options[] = {
   { "max-timeout", 'T', NULL, 0,
     "reset maximum value of timeout allowed",
     GRID+1 },
+  { "non-rfc2577", OPT_NONRFC2577, NULL, 0,
+    "neglect RFC 2577 by giving info on missing users",
+    GRID+1 },
   { "umask", 'u', "VAL", 0,
     "set default umask",
     GRID+1 },
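Review bot: the help string "neglect RFC 2577 by giving info on missing users" understates what the option changes, since the NEWS text says the legacy replies also report expired accounts and expired passwords; something like "disable RFC 2577 measures: report non-existent users and expired accounts or passwords" describes it fully and makes clear to the administrator that this is the less safe setting.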
@@ -416,6 +424,10 @@ parse_opt (int key, char *arg, struct argp_state *state)
        break;
       }
 
+    case OPT_NONRFC2577:
+      rfc2577 = 0;
+      break;
+
     default:
       return ARGP_ERR_UNKNOWN;
     }
@@ -756,6 +768,8 @@ bad:
 void
 user (const char *name)
 {
+  int ret;
+
   if (cred.logged_in)
     {
       if (cred.guest || cred.dochroot)
@@ -767,7 +781,8 @@ user (const char *name)
     }
 
   /* Non zero means failed.  */
-  if (auth_user (name, &cred) != 0)
+  ret = auth_user (name, &cred);
+  if (!rfc2577 && ret != 0)
     {
       /* If they gave us a reason.  */
       if (cred.message)
@@ -783,6 +798,17 @@ user (const char *name)
                cred.remotehost, name);
       return;
     }
+  else if (rfc2577 && ret != 0)
+    cred.delayed_reject = 1;
+  else
+    cred.delayed_reject = 0;
+
+  /* Only messages for anonymous guests are accepted.  */
+  if (rfc2577 && !cred.guest && cred.message)
+    {
+      free (cred.message);
+      cred.message = NULL;
+    }
 
   /* If the server is set to serve anonymous service only
      the request have to come from a guest or a chrooted.  */
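Review bot: the guest exception described in the ChangeLog ("display messages in the old manner only if `rfc2577' is not set, or if guest access is being requested") is not what the condition "if (!rfc2577 && ret != 0)" implements, since it tests only rfc2577. With rfc2577 set, a failed auth_user() for a guest sets cred.delayed_reject = 1, keeps cred.message, and lets user() continue into the normal flow; the delayed_reject check in pass() then sits inside "if (!cred.guest)", so for a guest the rejection is never acted on there. Either make the first test "(!rfc2577 || cred.guest) && ret != 0" so guests get the immediate reply as the ChangeLog says, or test cred.delayed_reject in pass() before the guest branch. Separately, the faked exchange only defeats enumeration if the reply to USER and its timing are identical for known and unknown users, so the remainder of user() (not in this hunk) should be checked for any reply or early return that still depends on ret.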
@@ -864,6 +890,7 @@ end_login (struct credentials *pcred)
   pcred->remotehost = remotehost;
   pcred->auth_type = atype;
   pcred->logged_in = 0;
+  pcred->delayed_reject = 0;
 }
 
 void
@@ -879,10 +906,19 @@ pass (const char *passwd)
   if (!cred.guest)             /* "ftp" is the only account allowed no 
password.  */
     {
       /* Try to authenticate the user.  Failed if != 0.  */
-      if (auth_pass (passwd, &cred) != 0)
+      if (auth_pass (passwd, &cred) != 0 || cred.delayed_reject)
        {
          /* Any particular reason?  */
-         if (cred.message)
+         if (rfc2577)
+           {
+             if (cred.message)
+               {
+                 free (cred.message);
+                 cred.message = NULL;
+               }
+             reply (530, "Login incorrect.");
+           }
+         else if (cred.message)
            {
              reply (530, "%s", cred.message);
              free (cred.message);
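Review bot: the operand order in "auth_pass (passwd, &cred) != 0 || cred.delayed_reject" matters and deserves a comment so it survives later edits: auth_pass() is evaluated first, so the password check still runs for an unknown user and the response time does not immediately reveal which branch was taken; testing delayed_reject first would reintroduce the timing difference. Also check that auth_pass() itself does not return early when cred holds no valid account, for the same reason. Freeing cred.message and sending the uniform "530 Login incorrect." in the rfc2577 branch is the right shape, since it guarantees the client sees the same text for a wrong password, an unknown user and an expired account.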
@@ -902,6 +938,8 @@ pass (const char *passwd)
            {
              syslog (LOG_NOTICE, "repeated login failures from %s",
                      cred.remotehost);
+             reply (421,
+                    "Service not available, closing control connection.");
              exit (EXIT_SUCCESS);
            }
          return;

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog          |   29 +++++++++++++++++++++++++++++
 NEWS               |    7 +++++++
 doc/inetutils.texi |   14 ++++++++++++++
 ftpd/extern.h      |    3 ++-
 ftpd/ftpcmd.y      |    9 +++++++++
 ftpd/ftpd.c        |   44 +++++++++++++++++++++++++++++++++++++++++---
 6 files changed, 102 insertions(+), 4 deletions(-)


hooks/post-receive
-- 
GNU Inetutils 


