Article delegate-en/4632 of [1-5169] on the server localhost:119

Newsgroups: mail-lists.delegate-en

[DeleGate-En] Delegate 9.9.5: FTP: AUTHORIZER is not "transparent"
11 Nov 2009 17:36:05 GMT HD Sorgenia | Andrea `Zuse' Balestrero <pkyiqbdyi-uwzfqiwsbzxr.ml@ml.delegate.org>



Hi again.

I already asked you several questions, and your answers were helpful.
Now I have the last problem.
I mean: this one should be the last question, I shouldn't annoy
you any more, after...  :-)  

I'm configuring delegate v9.9.5 as a reverse proxy for FTP / FTPS.
Let's speak about a simple case: simple FTP reverse proxy.
Example (in debug/foreground mode):

  linux-dg -v -P21 SERVER=ftp MOUNT="/* ftp://192.168.0.83/*" \
    RELIABLE="*" ADMIN="foo@bar"

Please note that an FTP server is running on 192.168.0.83,
no anonymous login allowed (only authenticated users may access).
Authentication is done on real ftp server (192.168.0.83).
This works fine.

But there is a problem: 
if I connect to delegate, I can log in with any user/password
combination. I can enter a random user and a random password.
Delegate responds:
  230- User a logged in.
  230  Now you can select a FTP SERVER by cd //SERVER
At this point I cannot do anything, since the real ftp server does
not allow me any further action. But I've entered delegate.
It's not a good (secure) thing.
Since this instance of delegate will be published on the
Internet, this behaviour facilitates external attacks like a
Denial-of-Service.

So, I read delegate manual, and I saw an "AUTHORIZER" directive.
I tried the following:

  linux-dg -v -P21 SERVER=ftp MOUNT="/* ftp://192.168.0.83/*" \
    RELIABLE="*" ADMIN="foo@bar" \
    AUTHORIZER=192.168.0.83:ftp

Now first-step authentication works: delegate accepts users
with the right passwords, and denies access to the others.
Good.
But... FTP sessions do not work at all!!
Delegate authenticates users via ftp server 192.168.0.83,
but any further action (i.e.: a "dir" command in an ftp session)
is refused. Ftp server 192.168.0.83 says "530 You aren't logged in".

What I understand is that authentication is not "remembered"
for the full ftp session, and user credentials are not passed
to the real server any more by delegate.
If I use the "AUTHORIZER" directive in such a way, all ftp sessions fail,
because real ftp server does not recognize the user.

Am I using this directive in the wrong way?
Is there a solution, to have a sort of "single sign-on" on delegate
and keep credentials for the real ftp session?
(Obviously, a solution where a user is asked to enter her/his
credentials twice is not applicable...)

Thank you in advance for your help.

--------------------------------------------------------
Andrea Balestrero
Mail: pkyiqbdyi-uwzfqiwsbzxr.ml@ml.delegate.org
Web: www.youus.it
YOUUS SRL - Via Cappuccini, 8 - 20122 Milano - Italy
--------------------------------------------------------
(for Sorgenia S.p.A.)
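As an added illustration (not part of the original post, and not DeleGate code), the two situations described above can be modelled on the FTP control channel with a toy backend server, a toy reverse proxy and a probe client, all constructed here in Python on localhost. The proxy runs in two modes: one that answers 230 itself whatever the password and only then relays commands to a backend that was never logged in (the "any user/password accepted, then 530 You aren't logged in" behaviour reported), and one that forwards USER/PASS to the backend so that the backend's verdict reaches the client and later commands run in the session that was actually authenticated, which is the single sign-on behaviour the poster is asking for. The account alice/s3cret, the bogus login, the port numbers and the proxy logic are all assumptions of the example.

```python
"""Toy FTP control-channel model of the two proxy behaviours described in the
post above. Backend, proxy and accounts are constructed here; not DeleGate code."""
import socket
import threading
from ftplib import FTP

BACKEND_USER, BACKEND_PASS = "alice", "s3cret"   # constructed sample account


def send(conn, text):
    conn.sendall(text.encode() + b"\r\n")


def backend(conn, rd):
    """Minimal FTP server: only BACKEND_USER/BACKEND_PASS may log in, and every
    other command is refused with 530 until that has happened."""
    send(conn, "220 backend ready")
    user, logged_in = None, False
    for line in iter(rd.readline, b""):
        cmd, _, arg = line.decode().strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            user = arg
            send(conn, "331 Password required")
        elif cmd == "PASS":
            logged_in = (user, arg) == (BACKEND_USER, BACKEND_PASS)
            send(conn, "230 User logged in" if logged_in else "530 Login incorrect")
        elif cmd == "QUIT":
            send(conn, "221 Goodbye")
            return
        elif not logged_in:
            send(conn, "530 You aren't logged in")
        elif cmd == "PWD":
            send(conn, '257 "/" is the current directory')
        else:
            send(conn, "502 Command not implemented")


def proxy(conn, rd, backend_port, forward_credentials):
    """Reverse proxy. forward_credentials=True relays USER/PASS upstream, so the
    backend decides the login and later commands run in that authenticated
    session. False makes the proxy answer 230 itself without logging in
    upstream: any password is accepted, then everything gets 530 from the backend."""
    up = socket.create_connection(("127.0.0.1", backend_port))
    uprd = up.makefile("rb")
    uprd.readline()                                   # swallow backend's 220
    send(conn, "220 proxy ready")
    for line in iter(rd.readline, b""):
        cmd = line.strip().split(b" ", 1)[0].upper()
        if cmd in (b"USER", b"PASS") and not forward_credentials:
            send(conn, "331 Password required" if cmd == b"USER" else "230 User logged in")
            continue
        up.sendall(line)                              # relay the command
        conn.sendall(uprd.readline())                 # relay its one-line reply
        if cmd == b"QUIT":
            break
    up.close()


def _serve_one(handler):
    """Listen on an ephemeral port, serve one connection in a daemon thread."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)

    def run():
        conn, _ = sock.accept()
        with conn, conn.makefile("rb") as rd:
            handler(conn, rd)
        sock.close()

    threading.Thread(target=run, daemon=True).start()
    return sock.getsockname()[1]


def start_lab(forward_credentials):
    """Backend plus a proxy in front of it; returns the proxy's port."""
    bport = _serve_one(backend)
    return _serve_one(lambda c, r: proxy(c, r, bport, forward_credentials))


def probe(port, user, password, host="127.0.0.1"):
    """Log in through the proxy, then issue PWD. Returns the 3-digit reply codes
    for PASS and PWD; PWD is None when the login itself was refused."""
    ftp = FTP()
    ftp.connect(host, port, timeout=5)
    try:
        login = ftp.login(user, password)[:3]
    except Exception as e:                            # e.g. error_perm('530 ...')
        ftp.close()
        return str(e)[:3], None
    try:
        pwd = ftp.sendcmd("PWD")[:3]
    except Exception as e:
        pwd = str(e)[:3]
    ftp.quit()
    return login, pwd


if __name__ == "__main__":
    bogus = ("mallory", "letmein")                    # constructed random login
    print("proxy answers 230 itself:", probe(start_lab(False), *bogus))
    print("forwarded, bogus creds  :", probe(start_lab(True), *bogus))
    print("forwarded, valid creds  :", probe(start_lab(True), BACKEND_USER, BACKEND_PASS))
```

Pointed at a real host and port instead of the lab, probe() is the check to run before publishing the proxy: a ("230", "530") pair for made-up credentials is exactly the symptom described above, a login banner from the proxy followed by a backend that does not know the user, while ("530", None) shows the backend's refusal being passed through to the client.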



