-a so that the test may successfully be run by root without failing
(i.e. root is granted ftp access) and without opening the running
ftpd to a password attack (i.e. authorization is required).
Check for successful login messages added.
* v4gssftp.exp: Same changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13304
dc483132-0cff-0310-8789-
dd5450dbe970
+2001-06-08 Mitchell Berger <mitchb@mit.edu>
+
+ * gssftp.exp: Invocation of ftpd changed to use -U /dev/null and
+ -a so that the test may successfully be run by root without failing
+ (i.e. root is granted ftp access) and without opening the running
+ ftpd to a password attack (i.e. authorization is required).
+ Check for successful login messages added.
+
+ * v4gssftp.exp: Same changes.
+
2001-06-06 Ezra Peisach <epeisach@mit.edu>
* v4gssftp.exp: Allow for "decrypt integrity check failed" error
# don't need to use inetd. The 3021 is the port to listen at.
# We rely on KRB5_KTNAME being set to the proper keyfile as there is
# no way to cleanly set it with the gssapi API.
- spawn $FTPD -p 3021 -r $tmppwd/krb5.conf
+ # The -U argument tells it to use an alternate ftpusers file (using
+ # /dev/null will allow root to login regardless of /etc/ftpusers).
+ # The -a argument requires authorization, to mitigate any
+ # vulnerability introduced by circumventing ftpusers.
+ spawn $FTPD -p 3021 -a -U /dev/null -r $tmppwd/krb5.conf
set ftpd_spawn_id $spawn_id
set ftpd_pid [exp_pid]
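Review bot: The comment added above the `spawn` line says `-a` mitigates "any vulnerability" but never says that `-a` and `-U /dev/null` must stay together, so a later edit could drop `-a` and leave an ftpd on port 3021 that root can log in to with the ftpusers list bypassed. I would reword it along the lines of `# -U /dev/null bypasses /etc/ftpusers so root can log in; -a (require authorization) must stay with it and must not be removed on its own.` The same comment is repeated in the v4gssftp.exp hunk at the `krb.conf` spawn line and should get the same wording. Nothing visible in these hunks checks that the daemon really refuses an unauthorized login under `-a`; a negative test case would back up the claim in the commit message. The enclosing proc starts and ends outside the hunk.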
proc ftp_test { } {
global FTP
global KEY
+ global REALMNAME
global hostname
global localhostname
global env
}
expect -nocase "name ($hostname:$env(USER)): "
send "$env(USER)\r"
-# expect "User $env(USER) logged in."
-# expect "Remote system type is UNIX."
-# expect "Using binary mode to transfer files."
+ expect "GSSAPI user $env(USER)@$REALMNAME is authorized as $env(USER)"
+ expect "Remote system type is UNIX."
+ expect "Using binary mode to transfer files."
expect "ftp> " {
pass $testname
}
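Review bot: The three added `expect` lines have no action body and no `timeout` branch, so unless an `expect_after` handler is installed outside this hunk, a missing "is authorized as" message only costs a timeout and the following `expect "ftp> "` can still report `pass`. Giving the authorization check its own failure path would make the test fail when the message is absent, e.g. `expect -ex "GSSAPI user $env(USER)@$REALMNAME is authorized as $env(USER)" {} timeout { fail "$testname (timeout)"; return }`. The `-ex` flag matters because patterns are glob-matched by default, so characters in `$env(USER)` or `$REALMNAME` could otherwise act as wildcards. The same applies to the "Kerberos user" check in the v4gssftp.exp hunk. ftp_test's body continues outside the hunk.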
# don't need to use inetd. The 3021 is the port to listen at.
# We rely on KRB5_KTNAME being set to the proper keyfile as there is
# no way to cleanly set it with the gssapi API.
- spawn $FTPD -p 3021 -r $tmppwd/krb.conf
+ # The -U argument tells it to use an alternate ftpusers file (using
+ # /dev/null will allow root to login regardless of /etc/ftpusers).
+ # The -a argument requires authorization, to mitigate any
+ # vulnerability introduced by circumventing ftpusers.
+ spawn $FTPD -p 3021 -a -U /dev/null -r $tmppwd/krb.conf
set ftpd_spawn_id $spawn_id
set ftpd_pid [exp_pid]
proc v4ftp_test { } {
global FTP
global KEY
+ global REALMNAME
global hostname
global localhostname
global env
}
expect -nocase "name ($hostname:$env(USER)): "
send "$env(USER)\r"
-# expect "User $env(USER) logged in."
-# expect "Remote system type is UNIX."
-# expect "Using binary mode to transfer files."
+ expect "Kerberos user $env(USER)@$REALMNAME is authorized as $env(USER)"
+ expect "Remote system type is UNIX."
+ expect "Using binary mode to transfer files."
expect "ftp> " {
pass $testname
}