From nobody@FreeBSD.ORG  Mon Jul 31 22:38:01 2000
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 5552637B59B; Mon, 31 Jul 2000 22:38:01 -0700 (PDT)
Message-Id: <20000801053801.5552637B59B@hub.freebsd.org>
Date: Mon, 31 Jul 2000 22:38:01 -0700 (PDT)
From: pscott@the-frontier.org
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@FreeBSD.org
Subject: ftp login fails on unix password when s/key active but not required
X-Send-Pr-Version: www-1.0

>Number:         20333
>Category:       kern
>Synopsis:       [libpam] ftp login fails on unix password when s/key active but not required
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    des
>State:          suspended
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 31 22:40:00 PDT 2000
>Closed-Date:    
>Last-Modified:  Wed Sep 01 03:08:46 GMT 2004
>Originator:     Paul A. Scott
>Release:        FreeBSD 4.0-RELEASE i386
>Organization:
>Environment:
FreeBSD mail 4.0-RELEASE FreeBSD 4.0-RELEASE #0: Sun Jun  4 00:17:00 GMT 2000     root@ns1:/usr/src/sys/compile/MIKETODD
>Description:
If a userid has an s/key, but s/key is not required for login, ftp should allow a unix password, but it does not; only the s/key password works. This problem does not happen with telnet. telnet allows unix password, ftp does not. Problem first noticed on 4.0 release; another machine running 2.2.8 has no problems with s/key on either ftp or telnet.
>How-To-Repeat:
Enable s/key for a userid dummy.

Set up /etc/skey.access to allow unix passwords from intranet 192.168.168.0 for dummy but not from another network.

permit internet 192.168.168.0 255.255.255.0

deny user dummy
deny user root
permit

From another machine on the 192.168.168.0 network, start an ftp client to the FreeBSD machine with an interface on the same network.

Log in as userid dummy.

The ftp server issues an s/key challenge BUT DOES NOT REQUIRE an skey, so a unix password should be accepted.

Type in dummy's unix password. The ftp server barfs, saying login incorrect. That shouldn't happen. Type in dummy's correct s/key. Dummy gets logged in.

Try telnet between the same two machines. No problem using a unix password.
>Fix:


>Release-Note:
>Audit-Trail:

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: pscott@the-frontier.org
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/20333: ftp login fails on unix password when s/key active but not required 
Date: Tue, 01 Aug 2000 15:21:51 +0200

 On Mon, 31 Jul 2000 22:38:01 MST, pscott@the-frontier.org wrote:
 
 > If a userid has an s/key, but s/key is not required for login, ftp
 > should allow a unix password, but it does not; only the s/key password
 > works.
 
 You are correct.
 
 However, this appears to be the result of two problems.  Firstly, ftpd
 relies on libpam, for which the pam_skey module doesn't appear to handle
 the return value of skeyaccess(3) correctly.  And secondly, ftpd.c
 itself appears to make the same mistake.
 
 The first problem isn't trivial for me to fix.  The second is. :-)
 
 The following patch to ftpd.c fixes this for the NOPAM case, but there's
 still breakage in the libpam skey module.
 
 You should be able to apply this patch to ftpd.c and then build ftpd
 with
 
 	cd /usr/src/libexec/ftpd
 	make -DNOPAM
 	make install clean
 
 Ciao,
 Sheldon.
 
 PS: I run a pretty heavily modified ftpd, so you may need to apply the
     patch by hand.  Certainly, the line numbers for the hunk are bogus.
 
 Index: ftpd.c
 ===================================================================
 RCS file: /home/ncvs/src/libexec/ftpd/ftpd.c,v
 retrieving revision 1.64
 diff -u -d -r1.64 ftpd.c
 --- ftpd.c	2000/06/26 05:36:09	1.64
 +++ ftpd.c	2000/08/01 12:54:47
 @@ -1187,12 +1209,13 @@
  		if (rval >= 0)
  			goto skip;
  #endif
 +		rval = strcmp(pw->pw_passwd, crypt(passwd, pw->pw_passwd));
  #ifdef SKEY
 -		rval = strcmp(skey_crypt(passwd, pw->pw_passwd, pw, pwok),
 -			      pw->pw_passwd);
 -		pwok = 0;
 -#else
 -		rval = strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd);
 +		if (rval) {
 +			rval = strcmp(pw->pw_passwd,
 +			    skey_crypt(passwd, pw->pw_passwd, pw, pwok));
 +			pwok = 0;
 +		}
  #endif
  		/* The strcmp does not catch null passwords! */
  		if (*pw->pw_passwd == '\0' ||
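
Review bot: The added `rval = strcmp(pw->pw_passwd, crypt(passwd, pw->pw_passwd));` ahead of `#ifdef SKEY` runs regardless of `pwok`. In an SKEY build, a matching unix password sets rval to 0 and the `if (rval)` branch is skipped, yet that branch holds the skey_crypt() call, the only place in this hunk where pwok is consulted. The unix password is therefore accepted even where the access check was meant to require S/Key. Guard the crypt() comparison with `if (pwok)` in the SKEY case.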
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: pscott@the-frontier.org
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/20333: ftp login fails on unix password when s/key active but not required 
Date: Tue, 01 Aug 2000 15:53:21 +0200

 On Tue, 01 Aug 2000 15:21:51 +0200, Sheldon Hearn wrote:
 
 > The following patch to ftpd.c fixes this for the NOPAM case, but there's
 > still breakage in the libpam skey module.
 
 Please use the following patch instead.
 
 Ciao,
 Sheldon.
 
 Index: ftpd.c
 ===================================================================
 RCS file: /home/ncvs/src/libexec/ftpd/ftpd.c,v
 retrieving revision 1.64
 diff -u -d -r1.64 ftpd.c
 --- ftpd.c	2000/06/26 05:36:09	1.64
 +++ ftpd.c	2000/08/01 13:49:08
 @@ -1188,9 +1210,12 @@
  			goto skip;
  #endif
  #ifdef SKEY
 -		rval = strcmp(skey_crypt(passwd, pw->pw_passwd, pw, pwok),
 -			      pw->pw_passwd);
 -		pwok = 0;
 +		if (pwok)
 +			rval = strcmp(pw->pw_passwd,
 +			    crypt(passwd, pw->pw_passwd));
 +		if (rval)
 +			rval = strcmp(pw->pw_passwd,
 +			    skey_crypt(passwd, pw->pw_passwd, pw, pwok));
  #else
  		rval = strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd);
  #endif
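
Review bot: In the SKEY branch, `if (rval)` tests rval when `pwok` is 0 without this hunk having assigned it. The only earlier assignment visible is inside the conditional block that ends at the `#endif` above. If rval can be 0 on entry, the skey_crypt() call is skipped and rval stays 0, which the code that follows reads as a match. Set rval to a nonzero value before the `if (pwok)` test, or restructure as if/else so that skey_crypt() always runs when the crypt() comparison was not made.
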
 @@ -1220,6 +1245,9 @@
  			return;
  		}
  	}
 +#ifdef SKEY
 +	pwok = 0;
 +#endif
  	login_attempts = 0;		/* this time successful */
  	if (setegid((gid_t)pw->pw_gid) < 0) {
  		reply(550, "Can't set gid.");
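
Review bot: `pwok = 0;` now sits after the failure path's `return;`, next to `login_attempts = 0; /* this time successful */`, so it is cleared only after a successful login. The line removed in the first hunk cleared it right after the comparison, whatever the outcome. Either reset it before the failure return as well, or add a comment stating that pwok is recomputed for every new login attempt so that a stale value cannot carry over.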
 

From: "Paul A. Scott" <pscott@the-frontier.org>
To: <freebsd-gnats-submit@FreeBSD.org>,
	"Paul A. Scott" <pscott@the-frontier.org>
Cc:  
Subject: Re: misc/20333: ftp login fails on unix password when s/key active but not required
Date: Tue, 1 Aug 2000 19:35:40 -0700

 Patch applied; problem solved.
 
 Paul A. Scott
 mailto:pscott@the-frontier.org
 http://www.the-frontier.org/pscott/
 

From: Sheldon Hearn <sheldonh@uunet.co.za>
To: freebsd-gnats-submit@FreeBSD.org
Cc: "Paul A. Scott" <pscott@the-frontier.org>
Subject: Re: misc/20333: ftp login fails on unix password when s/key active but not required 
Date: Wed, 02 Aug 2000 10:14:44 +0200

 On Tue, 01 Aug 2000 19:40:02 MST, "Paul A. Scott" wrote:
 
 >  Patch applied; problem solved.
 
 Just a note to avid PR closers: this PR is not fully addressed.  We've
 fixed ftpd in HEAD only, and only for the NOPAM case.
 
 We still need to fix libpam for S/Key by teaching it to honour
 skeyaccess(3).  Once that's done and the changes are merged onto the
 RELENG_4 branch, we can close this PR.
 
 Ciao,
 Sheldon.
 
Responsible-Changed-From-To: freebsd-bugs->sheldonh 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Mon Aug 7 02:52:05 PDT 2000 
Responsible-Changed-Why:  
I'll try to tackle this one when I've read the Linux PAM 
docs.  If anyone else wants to take it before I get to it, 
please feel free. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20333 
Responsible-Changed-From-To: sheldonh->freebsd-bugs 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Tue Nov 27 10:42:07 PST 2001 
Responsible-Changed-Why:  
I did what I could.  Time for someone else to tackle this.  Actually, 
markm might be persuaded to take a look. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=20333 
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: johan 
Responsible-Changed-When: Thu Aug 22 18:19:18 PDT 2002 
Responsible-Changed-Why:  
Over to PAM maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20333 
State-Changed-From-To: open->suspended 
State-Changed-By: des 
State-Changed-When: Thu Jun 5 23:51:38 PDT 2003 
State-Changed-Why:  
Still not fixed. My recommendation is to use OPIE instead. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20333 

From: "Paul A. Scott" <pscott@skycoast.us>
To: <freebsd-gnats-submit@freebsd.org>
Cc:  
Subject: Re: misc/20333: ftp login fails on unix password when s/key
	active but not required
Date: Fri, 06 Jun 2003 00:22:51 -0700

 Sorry, but OPIE doesn't seem like an acceptable solution because it replaces
 the standard system daemons that depend on it. That just ain't right!
 
 I don't even use this anymore, but it really bugs me that it's *still* a
 problem. Is it *still* a problem in 4.x? 5.0? If so, then I'll make the time
 to have a look at the PAM code. Anyone know what the true status of this is
 before I embark on this adventure?
 
 -- 
 Paul A. Scott
 mailto:pscott@skycoast.us
 http://skycoast.us/pscott/
 
>Unformatted:
