From 05bbcaf269b2b5d602e810f1250b25bae403f278 Mon Sep 17 00:00:00 2001
From: Mitchell Berger
Date: Fri, 8 Jun 2001 04:23:45 +0000
Subject: [PATCH] * gssftp.exp: Invocation of ftpd changed to use -U /dev/null and -a so that the test may successfully be run by root without failing (i.e. root is granted ftp access) and without opening the running ftpd to a password attack (i.e. authorization is required). Check for successful login messages added. * v4gssftp.exp: Same changes.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13304 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/tests/dejagnu/krb-standalone/ChangeLog | 10 ++++++++++
 src/tests/dejagnu/krb-standalone/gssftp.exp | 13 +++++++++----
 src/tests/dejagnu/krb-standalone/v4gssftp.exp | 13 +++++++++----
 3 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/src/tests/dejagnu/krb-standalone/ChangeLog b/src/tests/dejagnu/krb-standalone/ChangeLog
index 8021b4e9e..f8ea5751d 100644
--- a/src/tests/dejagnu/krb-standalone/ChangeLog
+++ b/src/tests/dejagnu/krb-standalone/ChangeLog
@@ -1,3 +1,13 @@
+2001-06-08 Mitchell Berger
+
+ * gssftp.exp: Invocation of ftpd changed to use -U /dev/null and
+ -a so that the test may successfully be run by root without failing
+ (i.e. root is granted ftp access) and without opening the running
+ ftpd to a password attack (i.e. authorization is required).
+ Check for successful login messages added.
+
+ * v4gssftp.exp: Same changes.
+
 2001-06-06 Ezra Peisach
 * v4gssftp.exp: Allow for "decrypt integrity check failed" error
diff --git a/src/tests/dejagnu/krb-standalone/gssftp.exp b/src/tests/dejagnu/krb-standalone/gssftp.exp
index 2dea3a508..cd9e731fd 100644
--- a/src/tests/dejagnu/krb-standalone/gssftp.exp
+++ b/src/tests/dejagnu/krb-standalone/gssftp.exp
@@ -41,7 +41,11 @@ proc start_ftp_daemon { } {
 # don't need to use inetd. The 3021 is the port to listen at.
 # We rely on KRB5_KTNAME being set to the proper keyfile as there is
 # no way to cleanly set it with the gssapi API.
- spawn $FTPD -p 3021 -r $tmppwd/krb5.conf
+ # The -U argument tells it to use an alternate ftpusers file (using
+ # /dev/null will allow root to login regardless of /etc/ftpusers).
+ # The -a argument requires authorization, to mitigate any
+ # vulnerability introduced by circumventing ftpusers.
+ spawn $FTPD -p 3021 -a -U /dev/null -r $tmppwd/krb5.conf
 set ftpd_spawn_id $spawn_id
 set ftpd_pid [exp_pid]
@@ -123,6 +127,7 @@ proc ftp_restore_env { } {
 proc ftp_test { } {
 global FTP
 global KEY
+ global REALMNAME
 global hostname
 global localhostname
 global env
@@ -185,9 +190,9 @@ proc ftp_test { } {
 }
 expect -nocase "name ($hostname:$env(USER)): "
 send "$env(USER)\r"
-# expect "User $env(USER) logged in."
-# expect "Remote system type is UNIX."
-# expect "Using binary mode to transfer files."
+ expect "GSSAPI user $env(USER)@$REALMNAME is authorized as $env(USER)"
+ expect "Remote system type is UNIX."
+ expect "Using binary mode to transfer files."
 expect "ftp> " {
 pass $testname
 }
diff --git a/src/tests/dejagnu/krb-standalone/v4gssftp.exp b/src/tests/dejagnu/krb-standalone/v4gssftp.exp
index 6c62f7c65..8d60f3a42 100644
--- a/src/tests/dejagnu/krb-standalone/v4gssftp.exp
+++ b/src/tests/dejagnu/krb-standalone/v4gssftp.exp
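Review bot: The comment added above the `spawn` line in start_ftp_daemon understates what `-U /dev/null` does: an empty ftpusers file takes every account off the deny list, not only root, so while the test runs the daemon on port 3021 depends on `-a` alone. I would say so in the comment, for example `# -U /dev/null empties the ftpusers deny list for every account, not just root;` followed by `# -a is then the only gate: clients must authenticate and be authorized, no password logins.` The same comment is added in the start_ftp_daemon hunk of v4gssftp.exp. The body of start_ftp_daemon continues outside the hunk, so how the daemon is torn down after a failed run is not visible from here.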
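Review bot: The three `expect` lines added after `send "$env(USER)\r"` in ftp_test carry no action and no failure branch, so by themselves a missing "is authorized as" message only costs a timeout before the script reaches `expect "ftp> " { pass $testname }`. This line is the one that shows `-a` really authorized the GSSAPI principal, so I would make it fail explicitly instead of relying on a handler that is not visible here; the `}` at the top of the hunk may close an `expect_after` that already covers timeout, in which case this is only a readability point. The matching hunk in v4ftp_test of v4gssftp.exp has the same shape. ftp_test starts and ends outside the hunk.

```tcl
# … unchanged: name prompt and send of $env(USER) …
expect {
    "GSSAPI user $env(USER)@$REALMNAME is authorized as $env(USER)" { }
    timeout {
        fail "$testname (no authorization message)"
        return
    }
}
# … unchanged: remaining expect lines and the final "ftp> " pass …
```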
@@ -46,7 +46,11 @@ proc start_ftp_daemon { } {
 # don't need to use inetd. The 3021 is the port to listen at.
 # We rely on KRB5_KTNAME being set to the proper keyfile as there is
 # no way to cleanly set it with the gssapi API.
- spawn $FTPD -p 3021 -r $tmppwd/krb.conf
+ # The -U argument tells it to use an alternate ftpusers file (using
+ # /dev/null will allow root to login regardless of /etc/ftpusers).
+ # The -a argument requires authorization, to mitigate any
+ # vulnerability introduced by circumventing ftpusers.
+ spawn $FTPD -p 3021 -a -U /dev/null -r $tmppwd/krb.conf
 set ftpd_spawn_id $spawn_id
 set ftpd_pid [exp_pid]
@@ -128,6 +132,7 @@ proc ftp_restore_env { } {
 proc v4ftp_test { } {
 global FTP
 global KEY
+ global REALMNAME
 global hostname
 global localhostname
 global env
@@ -204,9 +209,9 @@ proc v4ftp_test { } {
 }
 expect -nocase "name ($hostname:$env(USER)): "
 send "$env(USER)\r"
-# expect "User $env(USER) logged in."
-# expect "Remote system type is UNIX."
-# expect "Using binary mode to transfer files."
+ expect "Kerberos user $env(USER)@$REALMNAME is authorized as $env(USER)"
+ expect "Remote system type is UNIX."
+ expect "Using binary mode to transfer files."
 expect "ftp> " {
 pass $testname
 }
--
2.26.2