
[DeleGate-En] Re: authentication for ftp proxy?
06 Jun 2000 09:16:38 GMT ysato@etl.go.jp (Yutaka Sato)


On 06/02/00(00:45) you Paul Reilly <pfybqbdyi-hugik5rc4bxr.ml@ml.delegate.org> wrote
in <Pine.OSF.4.10.10006011637180.10000-00000X@alf2.tcd.ie>
 |> be no natural way to do so based on FTP protocol, though I've thought
 |> several unnatural solutions...
 |>
 |How unnatural?

At least the following five solutions are possible, but none of
them seems natural from the client user's point of view.

1) disjoint repetition of USER and PASS
  S: 220 xxx FTP server ready.
  C: USER proxy-user
  S: 331 Password required for proxy-user.
  C: PASS proxy-pass
  S: 230 User proxy-user logged in.
  ...
  C: USER target-user@target-host
  S: 331 Password required for target-user.
  C: PASS target-pass
  S: 230 User target-user logged in.

  - some clients may recreate connection for new USER
  - target-login must be invoked manually by user
  + also applicable to DeleGate as a FTP origin-server

2) two contiguous sets of USER and PASS
  S: 220 xxx FTP server ready. You must login as a proxy-user first.
  C: USER proxy-user
  S: 331 Password required for proxy-user.
  C: PASS proxy-pass
  S: 530 Now do login for target server (this is not error)
  C: USER target-user@target-host
  S: 331 Password required for target-user.
  C: PASS target-pass
  S: 230 User target-user logged in.

  - some clients may reconnect on the first login error (530)
  
3) one set of combined USER and PASS
  S: 220 xxx FTP server ready. You must login as a proxy-user first.
  C: USER proxy-user//target-user@target-host
  S: 331 Password required for proxy-user//target-user@target-host
  C: PASS proxy-pass//target-pass
  S: 230 User proxy-user//target-user logged in.

  - unnatural from the client's point of view

4) proxy-USER//target-USER, proxy-PASS and "ACCT target-pass"
  S: 220 xxx FTP server ready.
  C: USER proxy-user//target-user@target-host
  S: 331 Password required for proxy-user
  C: PASS proxy-pass
  S: 332 Password required for target-user@target-host
  C: ACCT target-pass
  S: 230 User target-user logged in.

  - ACCT can be unsupported by some FTP client programs

5) proxy-USER, proxy-PASS and "CWD //target-user:target-pass@target-host"
  - target password is not hidden.
  + also applicable to DeleGate as a FTP origin-server

 |Would it be possible to do it using another protocol/telnet
 |say between the client and the delegate server, and then ftp from the
 |delegate server outwards?

It sounds like the most unnatural :-)

Since AUTHORIZER for FTP-DeleGate has been necessary for DeleGate as
an origin FTP server, I made a tentative implementation of 1) and
4) as the enclosed patch.  With the patch, I hope AUTHORIZER with
FTP-DeleGate works as you expected.


% delegated -P8021 SERVER=ftp AUTHORIZER=localhost

1) USER/PASS REPETITION

 Name (localnews:ysato): ysato <<<<<<<<<<<<<<<<<<<<<<<<<<< proxy-USER
 331 [Proxy] Password required for ysato.
 Password: <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< proxy-PASS
 230-[Proxy] User ysato logged in.
 230 Now you can login a target FTP server with USER user@host
 ftp> user ftp@ftp.delegate.org <<<<<<<<<<<<<<<<<<<<<<<<<< target-USER
 331-- USER for ftp@ftp.delegate.org.
 ...
 331--  @ @  
 331  \( - )/ -- { connected to `ftp.delegate.org' }
 Password: <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< target-PASS
 230- Guest login ok, your E-mail address is <ysato@etl.go.jp>

4A) ACCT FOR NON-ANONYMOUS LOGIN

 Name (localnews:ysato): ysato//ysato@localnews <<<<<<<<<< proxy-USER//target
 331 [Proxy] Password required for ysato.
 Password: <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< proxy-PASS
 332 Password requird for target ysato@localnews..
 Account: <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< target-PASS
 220-- ACCT for ysato@localnews..
 220- localnews.etl.go.jp FTP server (Version 6.00) ready.
 331- Password required for ysato.
 230- User ysato logged in.
 220--  @ @  
 220  \( - )/ -- { connected to `localnews' }

4B) ACCT FOR ANONYMOUS LOGIN OMITTING target-user name

 Name (localnews:ysato): ysato//ftp.delegate.org
 331 [Proxy] Password required for ysato.
 Password:
 332 Password requird for target ftp@ftp.delegate.org.
 Accountt:
 220-- ACCT for ftp@ftp.delegate.org.
 ...
 230- Guest login ok, your E-mail address is <ysato@etlkbs.etl.go.jp>
 220--  @ @  
 220  \( - )/ -- { connected to `ftp.delegate.org' }
 ftp> 


Cheers,
Yutaka
--
Yutaka Sato <ysato@etl.go.jp> http://www.etl.go.jp/~ysato/   @ @ 
Computer Science Division, Electrotechnical Laboratory      ( - )
1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan            _<   >_


diff -c ../6112/src/ftp.c ./ftp.c
*** ../6112/src/ftp.c	Wed May 31 17:04:23 2000
--- ./ftp.c	Tue Jun  6 18:12:35 2000
***************
*** 1507,1512 ****
--- 1507,1516 ----
  	int csock;
  	FtpStat FSbuf, *FS = &FSbuf;
  	int timeout;
+ 	int proxyLoggedin;
+ 	FILE *xtc;
+ 	char pxuser[128],pxpass[128],pxuserpass[256],pxacct[128],pxhost[128];
+ 	char xhost[256];
  
  	PFS = FS;
  	init_FS(FS);
***************
*** 1549,1554 ****
--- 1553,1566 ----
  
  	FS->fs_myport = ClientIF_name(Conn,FromC,FS->fs_myhost);
  
+ 	xtc = TMPFILE("proxy-auth");
+ 	if( doAUTH(Conn,NULL,xtc,"ftp","-",0,
+ 	"user-xxxx:pass-xxxx","host-xxxx",NULL,NULL) == EOF ){
+ 		pxuser[0] = pxpass[0] = pxacct[0] = pxhost[0] = 0;
+ 		chost = 0;
+ 		proxyLoggedin = 0;
+ 	}else	proxyLoggedin = -1;
+ 
  	for(;;){
  		FS->fs_islocal = islocal;
  
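Review bot: `xtc = TMPFILE("proxy-auth")` is handed to doAUTH without a NULL check, and no fclose or removal of xtc appears in the visible hunks, so a failed temp-file creation reaches the authorizer path with a NULL stream. The probe call also passes the string literals "user-xxxx:pass-xxxx" and "host-xxxx" as the user/host arguments, while the access.c hunks show Identify copying user into a local but still writing host via sscanf in its fc != NULL branch, so correctness rests entirely on fc == NULL skipping every write; passing local scratch buffers (the pxuser/pxhost arrays already declared) would not depend on that. Suggested: `if( (xtc = TMPFILE("proxy-auth")) == NULL ){ sv1log("proxy-auth: TMPFILE failed\n"); /* take the function's usual error exit */ }`. The for(;;) loop opened at the end of this hunk continues past it.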
***************
*** 1580,1585 ****
--- 1592,1649 ----
  
  		dp = wordScan(req,com);
  		lineScan(dp,arg);
+ 
+ 		if( proxyLoggedin == 0 )
+ 		if( strcaseeq(com,"USER") || strcaseeq(com,"PASS") ){
+ 			if( strcaseeq(com,"USER") ){
+ 				lineScan(arg,pxuser);
+ 				if( dp = strstr(pxuser,"//") ){
+ 					*dp = 0;
+ 					strcpy(FS->fs_USER,dp+2);
+ 					if( dp = strchr(FS->fs_USER,'@') ){
+ 						*dp = 0;
+ 						wordScan(dp+1,xhost);
+ 					}else{
+ 						wordScan(FS->fs_USER,xhost);
+ 						strcpy(FS->fs_USER,"ftp");
+ 					}
+ 					chost = xhost;
+ 					wordScan(FS->fs_USER,cuser);
+ 				}
+ 			}else
+ 			if( strcaseeq(com,"PASS") )
+ 				lineScan(arg,pxpass);
+ 			else	lineScan(arg,pxacct);
+ 
+ 			sprintf(pxuserpass,"%s:%s",pxuser,pxpass);
+ 			if( doAUTH(Conn,NULL,xtc,"ftp","-",0/*21*/,
+ 				pxuserpass,pxhost,NULL,NULL) == EOF ){
+ 				if( strcaseeq(com,"USER") ){
+ fprintf(tc,"331 [Proxy] Password required for %s.\r\n",pxuser);
+ 				}else{
+ 					sv1log("login ERROR (%s)\n",pxuser);
+ fprintf(tc,"530 [Proxy] Login failed.\r\n");
+ 				}
+ 			}else{
+ FS->fs_anonymousOK = 1; /* temporary */
+ 				proxyLoggedin = 1;
+ 				sv1log("proxy-login OK (%s)\n",pxuser);
+ 				if( chost ){
+ fprintf(tc,"332 Password requird for target %s@%s.\r\n",cuser,chost);
+ 				}else{
+ fprintf(tc,"230-[Proxy] User %s logged in.\r\n",pxuser);
+ fprintf(tc,"230 Now you can login a target FTP server with USER user@host\r\n");
+ /* should do chdir(HOMEofUSER) */
+ 				}
+ 			}
+ 			continue;
+ 		}
+ 		if( 0 < proxyLoggedin && chost && strcaseeq(com,"ACCT") ){
+ 			strcpy(cpass,arg);
+ 			change_server(Conn,FS,tc,com,chost,cuser,cpass,
+ 				FS->fs_TYPE);
+ 			continue;
+ 		}
  
  		if( strcaseeq(com,"USER") ){
  			if( unescape_user_at_host(arg) )
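Review bot: The `else lineScan(arg,pxacct);` branch is unreachable, because the enclosing guard admits only USER or PASS, so pxacct is never filled; either drop it or extend the guard with `strcaseeq(com,"ACCT")` if a proxy-level ACCT is intended. `strcpy(FS->fs_USER,dp+2)` and `strcpy(cpass,arg)` copy client-supplied text into buffers whose sizes are not visible here, and `lineScan(arg,pxuser)`/`lineScan(arg,pxpass)` fill 128-byte stack arrays; unless lineScan bounds its copy, these are reachable before any login, so a length check against the destination size belongs before each copy. The 332 reply has a typo: `fprintf(tc,"332 Password required for target %s@%s.\r\n",cuser,chost);`. `FS->fs_anonymousOK = 1; /* temporary */` widens access after proxy login and should carry a why-comment or a TODO stating the intended final condition. The enclosing for(;;) loop and the function both start before this hunk.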
diff -c ../6112/src/access.c ./access.c
*** ../6112/src/access.c	Mon May 29 12:50:27 2000
--- ./access.c	Tue Jun  6 16:08:28 2000
***************
*** 701,708 ****
  	int aport;
  	char clhost[256];
  	char *iuser;
  
- 	*user = *host = *pass = 0;
  	getpeerNAME(FromC,clhost);
  
  	if( wordIsinList(authserv,I_IDENT) )
--- 701,714 ----
  	int aport;
  	char clhost[256];
  	char *iuser;
+ 	char userb[256];
+ 
+ 	if( strchr(user,':') ){
+ 		userb[0] = pass[0] = 0;
+ 		sscanf(user,"%[^:]:%[^\r\n]",userb,pass);
+ 		user = userb;
+ 	}else	pass[0] = 0;
  
  	getpeerNAME(FromC,clhost);
  
  	if( wordIsinList(authserv,I_IDENT) )
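Review bot: The new `sscanf(user,"%[^:]:%[^\r\n]",userb,pass)` has no field widths, so a user string longer than 255 bytes before the colon overruns userb[256], and the part after the colon overruns pass, whose size is not visible here; use `sscanf(user,"%255[^:]:%255[^\r\n]",userb,pass)` with the second width matching pass's real size, or a strchr/memcpy split with explicit bounds. With `*user = *host = *pass = 0;` removed here and `*auser = *ahost = 0;` removed in the 812 hunk, host is only written in the fc != NULL branch, so the later `if( host[0] )` test reads whatever the caller supplied and every caller must now pass a zeroed or valid host buffer; a comment on Identify stating that contract would help. Whether all callers honour it cannot be confirmed from these hunks. Identify's signature is above this hunk.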
***************
*** 712,717 ****
--- 718,724 ----
  		strcpy(phost,host);
  		goto EXIT;
  	}
+ if( fc != NULL ){
  	if( strcmp(authserv,"&") == 0 )
  	fprintf(tc,">>>>>>>> login with your account at <%s>\r\n",clhost);
  
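Review bot: `if( fc != NULL ){` is written at column 0 with its body left at the old indentation and its closing `}` landing in the next hunk (722), so the new scope is invisible to a reader; the block added in the 764 hunk has the same shape. Indenting the body one level, or factoring the interactive prompt into a small static helper called only when fc != NULL, would make the non-interactive path explicit. A comment at the opening brace such as `/* fc == NULL: caller supplied user[:pass] itself, no interactive prompt */` would also record why the prompt is skipped. The function containing these blocks starts and ends outside the hunks.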
***************
*** 722,727 ****
--- 729,735 ----
  		return 0;
  
  	sscanf(userhost,"%[^@]@%s",user,host);
+ }
  	strcpy(phost,"******");
  
  	if( host[0] ){
***************
*** 764,774 ****
--- 772,784 ----
  	}
  */
  
+ if( fc != NULL ){
  	fprintf(tc,">>>>>>>> Password: ");
  	ci = (*func)(0,fc,tc,pass,arg);
  	if( ci == EOF )
  		return 0;
  	fflush(tc);
+ }
  
  	if( Authenticate(Conn,host,user,pass,"/") < 0 ){
  		if( user[0] || pass[0] )
***************
*** 812,818 ****
  	int identonly;
  	int authorized;
  
- 	*auser = *ahost = 0;
  /*
  	if( ClientAuthUser[0] != 0 )
  	if( source_permitted(Conn) )
--- 822,827 ----
***************
*** 843,848 ****
--- 852,859 ----
  		if( Identify(Conn,identonly,fc,tc,authserv,auser,ahost,phost,func,arg) )
  			break;
  		if( auser[0] == 0 )
+ 			return EOF;
+ 		if( fc == NULL )
  			return EOF;
  	}
  
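Review bot: The two consecutive early returns `if( auser[0] == 0 ) return EOF; if( fc == NULL ) return EOF;` read better as one condition, `if( auser[0] == 0 || fc == NULL ) return EOF;`, with a short comment saying that without an input stream there is nothing to re-prompt, so the retry must end after a single failed Identify. As written, the reason for the second return is not stated anywhere in the hunk. The enclosing loop (presumably the re-prompt loop, given the `break`) starts before this hunk.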
