ports/120187: Pure-FTPd doesn't support TLS authentication by default.

Filip Palian filip.palian at expro.pl
Thu Jan 31 14:40:03 UTC 2008


>Number:         120187
>Category:       ports
>Synopsis:       Pure-FTPd doesn't support TLS authentication by default.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 31 14:40:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Filip Palian
>Release:        6.2-RELEASE-p7
>Organization:
Expro Sp. z o.o.
>Environment:
FreeBSD <hostname> 6.2-RELEASE-p7 FreeBSD 6.2-RELEASE-p7 #2: Sun Sep 16 00:33:25 UTC 2007 root@<hostname>:/usr/obj/usr/src/sys/<hostname> amd64
>Description:
Pure-FTPd version 1.0.21_1 was compiled from ports, with the following options passed to the configure script:

--with-everything
--with-paranoidmsg
--with-virtualchroot
--with-tls             // Support for secure authentication.
--with-largefile
--with-pgsql
--with-privsep
--without-banner
--with-sendfile


The pure-ftpd binary was run with the following configuration:

/usr/local/sbin/pure-ftpd -A -c50 -B -C8 -d -D -E -fftp -H -I15 -lpgsql:/usr/local/etc/pureftpd-pgsql.conf -L2000:8 -m4 -p49000:50000 -P<ext_IP> -s -U133:022 -u80 -i -g/var/run/pure-ftpd.pid -k99 -Z -Y1


I've noticed that Pure-FTPd, executed with both "-P" and "-Y" flags, doesn't work properly. This means clients were not able to authenticate themselves using AUTH TLS: Pure-FTPd didn't include FEAT_TLS during feature negotiation (FEAT), so clients were using plain-text authentication.


Feature negotiation log without a fix:
---> FEAT
<--- 211-Extensions supported:
<---  EPRT
<---  IDLE
<---  MDTM
<---  SIZE
<---  REST STREAM
<---  MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<---  MLSD
<---  TVFS
<---  ESTP
<---  PASV
<---  EPSV
<---  SPSV
<--- 211 End.
---> QUIT    // Using secure authentication was forced.


Feature negotiation log with a fix:
---> FEAT
<--- 211-Extensions supported:
<---  EPRT
<---  IDLE
<---  MDTM
<---  SIZE
<---  REST STREAM
<---  MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<---  MLSD
<---  TVFS
<---  ESTP
<---  PASV
<---  EPSV
<---  SPSV
<---  ESTA
<---  AUTH TLS
<---  PBSZ
<--- 211 End.
---> AUTH TLS
<--- 234 AUTH TLS OK.
>How-To-Repeat:
1) Compile Pure-FTPd with TLS support (--with-tls).
2) Run the pure-ftpd binary with the "-P" and "-Y" flags.
3) Try to connect to the Pure-FTPd daemon with AUTH TLS (debug mode).
>Fix:
Apply the patch included with this Problem Report.

Patch attached with submission follows:

--- src/ftpd.c      2006-02-21 14:14:49.000000000 +0100
+++ src/ftpd.c.new  2007-12-20 14:53:56.000000000 +0100
@@ -3439,14 +3439,14 @@ void dofeat(void)
 # define FEAT_UTF8 ""
 #endif
     
-    char feat[] = FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_PASV FEAT_ESTA FEAT_TLS FEAT_UTF8;
+    char feat[] = FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_TLS FEAT_PASV FEAT_ESTA FEAT_UTF8;
 
     if (disallow_passive != 0) {
         feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP] = 0;
     }
 #ifndef MINIMAL
     else if (STORAGE_FAMILY(force_passive_ip) != 0) {
-        feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_PASV] = 0;
+        feat[sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP FEAT_TLS FEAT_PASV] = 0;
     }
 #endif
     addreply_noformat(0, feat);
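Review bot: moving FEAT_TLS ahead of FEAT_PASV only repairs the `force_passive_ip` branch; the `disallow_passive` branch just above it still truncates at `sizeof FEAT FEAT_DEBUG FEAT_TVFS FEAT_ESTP`, which in the new ordering is still before FEAT_TLS, so a server that disallows passive mode keeps omitting AUTH TLS from FEAT and the plaintext fallback the report describes remains in that configuration (FEAT_ESTA and FEAT_UTF8 are likewise still cut off in both branches, as before). Encoding the advertised feature set as one fixed concatenation and chopping it at a byte offset computed with `sizeof` is what makes TLS advertisement depend on passive-mode options at all; appending the passive-related entries conditionally (for example a separate `addreply_noformat` per group) would remove that coupling instead of re-ordering around it. The "with a fix" log in the report also deserves a second look: it lists ESTA, PASV, EPSV, SPSV, ESTA, AUTH TLS, PBSZ in the unpatched macro order and includes ESTA, whereas this hunk, with `force_passive_ip` set, cuts the string right after FEAT_PASV and would place AUTH TLS and PBSZ before PASV, so the log does not appear to have been produced with this exact patch.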


>Release-Note:
>Audit-Trail:
>Unformatted:
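The FEAT exchange quoted in the report is the point at which the client decides between `AUTH TLS` and giving up. What follows is an added example, not code from the problem report or from Pure-FTPd: a small client-side check in Python that parses the two FEAT replies from the logs (embedded here as constructed samples with the `<--- ` log prefix removed) and, like the client in the report, answers `QUIT` rather than falling back to plain-text login when `AUTH TLS` is not advertised. The function names and the handling of `;`-separated mechanism lists are the example's own choices.

```python
"""Client-side FEAT check: never fall back to plaintext when AUTH TLS is absent.

Added example; not part of the problem report or of Pure-FTPd. It parses an
RFC 2389 FEAT reply such as the ones logged in the report and decides whether
a TLS-requiring client may proceed with AUTH TLS or must QUIT.
"""
from typing import List

CRLF = "\r\n"


def _reply(*lines: str) -> str:
    """Join reply lines with CRLF as they appear on the control connection."""
    return CRLF.join(lines) + CRLF


# Constructed samples built from the two logs in the report (the "<--- " log
# prefix removed; each feature line keeps its leading space per RFC 2389).
FEAT_WITHOUT_FIX = _reply(
    "211-Extensions supported:",
    " EPRT", " IDLE", " MDTM", " SIZE", " REST STREAM",
    " MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;",
    " MLSD", " TVFS", " ESTP", " PASV", " EPSV", " SPSV",
    "211 End.",
)
FEAT_WITH_FIX = _reply(
    "211-Extensions supported:",
    " EPRT", " IDLE", " MDTM", " SIZE", " REST STREAM",
    " MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;",
    " MLSD", " TVFS", " ESTP", " PASV", " EPSV", " SPSV",
    " ESTA", " AUTH TLS", " PBSZ",
    "211 End.",
)


def parse_feat_reply(reply: str) -> List[str]:
    """Return the feature lines (leading space stripped) of a 211 FEAT reply.

    Accepts the multi-line form '211-' ... '211 End.' and the single-line
    '211 ...' form meaning "no extensions". Any other reply code (e.g. 502)
    or a malformed or unterminated reply raises ValueError, so the caller
    treats it as "TLS not available" rather than guessing.
    """
    lines = reply.split(CRLF)
    if lines and lines[-1] == "":
        lines.pop()                        # empty tail after the final CRLF
    if not lines:
        raise ValueError("empty reply")
    if len(lines) == 1 and lines[0].startswith("211 "):
        return []                          # server has no extensions to list
    if not lines[0].startswith("211-"):
        raise ValueError(f"not a 211 FEAT reply: {lines[0]!r}")
    features: List[str] = []
    for line in lines[1:]:
        if line.startswith("211 "):        # terminating line, e.g. '211 End.'
            return features
        if not line.startswith(" "):
            raise ValueError(f"malformed feature line: {line!r}")
        features.append(line[1:].rstrip())
    raise ValueError("FEAT reply not terminated by a '211 ' line")


def advertises_auth_tls(features: List[str]) -> bool:
    """True if an AUTH feature line lists the TLS mechanism.

    RFC 4217 advertises plain 'AUTH TLS'; some servers list several
    mechanisms as 'AUTH TLS;SSL;', so the list is split on ';' as well.
    """
    for feat in features:
        parts = feat.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "AUTH":
            mechs = {m.upper() for m in parts[1].replace(";", " ").split()}
            if "TLS" in mechs:
                return True
    return False


def next_command(feat_reply: str) -> str:
    """Decide the client's next command after FEAT: 'AUTH TLS' when the
    server advertises it, otherwise 'QUIT', which is what the client in the
    report did instead of sending credentials in the clear."""
    try:
        features = parse_feat_reply(feat_reply)
    except ValueError:
        return "QUIT"
    return "AUTH TLS" if advertises_auth_tls(features) else "QUIT"


if __name__ == "__main__":
    for name, reply in (("without fix", FEAT_WITHOUT_FIX), ("with fix", FEAT_WITH_FIX)):
        count = len(parse_feat_reply(reply))
        print(f"{name}: {count} features advertised -> client sends {next_command(reply)}")
```

Running the block prints one line per sample: the unpatched reply yields 12 features and `QUIT`, the patched one 15 features and `AUTH TLS`. Treating a non-211 reply or a malformed list as "TLS unavailable" keeps the decision fail-closed, which is the property the report's client relied on.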