Bug 25885

Summary: telnet -a off still uses SRA authentication
Product: Base System
Reporter: Cy Schubert <Cy.Schubert>
Component: bin
Assignee: Mark Murray <markm>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff
none
smime.p7s
none
smime.p7s none

Description Cy Schubert 2001-03-18 01:40:01 UTC
	"telnetd -a off" continues to use SRA authentication.  The man page
	says it should not.

Fix: The following patch fixes src/libexec/telnetd and src/crypto/telnet/telnetd.
How-To-Repeat: 	Telnet from a FreeBSD system to a FreeBSD system which has
	"telnetd -a off" specified in inetd.conf.
Comment 1 Cy Schubert 2001-03-18 04:31:36 UTC
Sorry, the patch is bad.  I fat fingered the first patch corrupting it 
after testing the patch but before creating the diff file.  The 
following patch is correct.

--- src/libexec/telnetd/state.c.orig	Mon Mar  5 03:25:26 2001
+++ src/libexec/telnetd/state.c	Sat Mar 17 16:45:15 2001
@@ -564,8 +564,10 @@
 
 #ifdef	AUTHENTICATION
 		case TELOPT_AUTHENTICATION:
-			func = auth_request;
-			changeok++;
+			if (auth_level >= 0) {
+				func = auth_request;
+				changeok++;
+			}
 			break;
 #endif
 
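Review bot: The test `auth_level >= 0` is added here with no comment, and the same test (or its inverse, `auth_level < 0`) is repeated in every AUTHENTICATION case this patch touches: the four later hunks of this file, telnetd.c, utility.c and the src/crypto/telnet/telnetd copies. What a negative value means is left for the reader to infer; from the bug report it is presumably the state set by `-a off`. Because this comparison is what keeps a server with authentication turned off from negotiating it, I would say so once above the first `if`, e.g. `/* auth_level < 0: authentication disabled (-a off), refuse the option */`. Wrapping the comparison in a single macro would also make it harder for a future option handler to omit it. The enclosing switch and function start and end outside the hunk.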
@@ -624,7 +626,8 @@
 
 #ifdef	AUTHENTICATION
 		case TELOPT_AUTHENTICATION:
-			func = auth_request;
+			if (auth_level >= 0)
+				func = auth_request;
 			break;
 #endif
 
@@ -724,7 +727,8 @@
 
 #if	defined(AUTHENTICATION)
 		case TELOPT_AUTHENTICATION:
-			auth_finished(0, AUTH_REJECT);
+			if (auth_level >= 0)
+				auth_finished(0, AUTH_REJECT);
 			break;
 #endif
 
@@ -777,7 +781,8 @@
 
 #if	defined(AUTHENTICATION)
 		case TELOPT_AUTHENTICATION:
-			auth_finished(0, AUTH_REJECT);
+			if (auth_level >= 0)
+				auth_finished(0, AUTH_REJECT);
 			break;
 #endif
 		default:
@@ -1418,6 +1423,8 @@
     }  /* end of case TELOPT_NEW_ENVIRON */
 #if	defined(AUTHENTICATION)
     case TELOPT_AUTHENTICATION:
+	if (auth_level < 0)
+		break;
 	if (SB_EOF())
 		break;
 	switch(SB_GET()) {
--- src/libexec/telnetd/telnetd.c.orig	Mon Mar  5 03:26:45 2001
+++ src/libexec/telnetd/telnetd.c	Sat Mar 17 16:28:56 2001
@@ -616,14 +616,16 @@
 
     settimer(baseline);
 #if	defined(AUTHENTICATION)
-    /*
-     * Handle the Authentication option before we do anything else.
-     */
-    send_do(TELOPT_AUTHENTICATION, 1);
-    while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
-	ttloop();
-    if (his_state_is_will(TELOPT_AUTHENTICATION)) {
-	retval = auth_wait(name);
+    if (auth_level >= 0) 
+	/*
+	 * Handle the Authentication option before we do anything else.
+	 */
+	send_do(TELOPT_AUTHENTICATION, 1);
+	while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
+	    ttloop();
+	if (his_state_is_will(TELOPT_AUTHENTICATION)) {
+	    retval = auth_wait(name);
+	}
     }
 #endif
 
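Review bot: The added `if (auth_level >= 0) ` in src/libexec/telnetd/telnetd.c has no opening brace, so it guards only `send_do(TELOPT_AUTHENTICATION, 1);` and the context `}` that follows the inner `if` block is left unmatched. As written, the `while (his_will_wont_is_changing(...))` loop and the `auth_wait(name)` path are not covered by the `auth_level` test, and the stray brace most likely breaks the build or closes the enclosing block early. The line should read `if (auth_level >= 0) {`, as the corresponding hunk for src/crypto/telnet/telnetd/telnetd.c does. The enclosing function starts and ends outside the hunk.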
--- src/libexec/telnetd/utility.c.orig	Mon Oct 30 21:31:47 2000
+++ src/libexec/telnetd/utility.c	Sat Mar 17 16:45:25 2001
@@ -971,6 +971,8 @@
 
 #if	defined(AUTHENTICATION)
 	case TELOPT_AUTHENTICATION:
+	    if (auth_level < 0)
+		break;
 	    sprintf(nfrontp, "AUTHENTICATION");
 	    nfrontp += strlen(nfrontp);
 
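Review bot: Breaking out before `sprintf(nfrontp, "AUTHENTICATION")` means an AUTHENTICATION suboption received while authentication is disabled produces no option name in this output at all. Assuming this switch is the option-trace formatter (its function header is outside the hunk), a peer that keeps sending authentication data to a server run with `-a off` is something an administrator reading the diagnostics would want to see. I would move the added `if (auth_level < 0) break;` to just after `nfrontp += strlen(nfrontp);`, so the option is still named and only the decoding of its body is skipped. The same applies to the matching hunk in src/crypto/telnet/telnetd/utility.c.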
--- src/crypto/telnet/telnetd/state.c.orig	Fri Aug 27 18:26:15 1999
+++ src/crypto/telnet/telnetd/state.c	Sat Mar 17 16:52:41 2001
@@ -582,8 +582,10 @@
 
 #ifdef	AUTHENTICATION
 		case TELOPT_AUTHENTICATION:
-			func = auth_request;
-			changeok++;
+			if (auth_level >= 0) {
+				func = auth_request;
+				changeok++;
+			}
 			break;
 #endif
 
@@ -648,7 +650,8 @@
 
 #ifdef	AUTHENTICATION
 		case TELOPT_AUTHENTICATION:
-			func = auth_request;
+			if (auth_level >= 0)
+				func = auth_request;
 			break;
 #endif
 
@@ -752,7 +755,8 @@
 
 #if	defined(AUTHENTICATION)
 		case TELOPT_AUTHENTICATION:
-			auth_finished(0, AUTH_REJECT);
+			if (auth_level >= 0)
+				auth_finished(0, AUTH_REJECT);
 			break;
 #endif
 
@@ -805,7 +809,9 @@
 
 #if	defined(AUTHENTICATION)
 		case TELOPT_AUTHENTICATION:
-			auth_finished(0, AUTH_REJECT);
+			if (auth_level >= 0) {
+				auth_finished(0, AUTH_REJECT);
+			}
 			break;
 #endif
 		default:
@@ -1451,6 +1457,8 @@
     }  /* end of case TELOPT_NEW_ENVIRON */
 #if	defined(AUTHENTICATION)
     case TELOPT_AUTHENTICATION:
+	if (auth_level < 0)
+		break;
 	if (SB_EOF())
 		break;
 	switch(SB_GET()) {
--- src/crypto/telnet/telnetd/telnetd.c.orig	Mon Mar  5 03:35:42 2001
+++ src/crypto/telnet/telnetd/telnetd.c	Sat Mar 17 17:08:49 2001
@@ -640,14 +640,16 @@
 
     settimer(baseline);
 #if	defined(AUTHENTICATION)
-    /*
-     * Handle the Authentication option before we do anything else.
-     */
-    send_do(TELOPT_AUTHENTICATION, 1);
-    while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
-	ttloop();
-    if (his_state_is_will(TELOPT_AUTHENTICATION)) {
-	retval = auth_wait(name);
+    if (auth_level >= 0) {
+	/*
+	 * Handle the Authentication option before we do anything else.
+	 */
+	send_do(TELOPT_AUTHENTICATION, 1);
+	while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
+	    ttloop();
+	if (his_state_is_will(TELOPT_AUTHENTICATION)) {
+	    retval = auth_wait(name);
+	}
     }
 #endif
 
--- src/crypto/telnet/telnetd/utility.c.orig	Mon Mar  5 03:37:25 2001
+++ src/crypto/telnet/telnetd/utility.c	Sat Mar 17 16:54:59 2001
@@ -1012,6 +1012,8 @@
 
 #if	defined(AUTHENTICATION)
 	case TELOPT_AUTHENTICATION:
+	    if (auth_level < 0)
+		break;
 	    sprintf(nfrontp, "AUTHENTICATION");
 	    nfrontp += strlen(nfrontp);
 


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
Comment 2 stolz 2001-08-18 19:11:40 UTC
This PR can be closed

Reason:
telnet -X sra now behaves as it should (last checked on 4.4-PRE).
-- 
"I came out of it dead broke, without a house, without anything, except
a girlfriend and a knowledge of Unix." "Well, that´s something. Normally
those two are mutually exclusive." N. Stephenson, "Cryptonomicon"
Comment 3 stolz 2001-08-18 19:26:12 UTC
Stupid, stupid, stupid. Don't know what I tested,
telnetd -X sra / -a off is still borked, guess I must
have tested with "telnet -X sra localhost" because of
some PAM/login stuff I'm currently working out.
-- 
"I came out of it dead broke, without a house, without anything, except
a girlfriend and a knowledge of Unix." "Well, that´s something. Normally
those two are mutually exclusive." N. Stephenson, "Cryptonomicon"
Comment 4 Joseph Koshy freebsd_committer freebsd_triage 2001-08-20 09:33:13 UTC
Responsible Changed
From-To: freebsd-bugs->markm

Markm maintains telnet{,d} and their crypto equivalents.
Comment 5 Cy Schubert 2001-08-28 06:08:07 UTC
Agreed.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

In message <3B7EAFDC.3AB4A3A7@i2.informatik.rwth-aachen.de>, Volker Stolz writes:
> This is a cryptographically signed message in MIME format.
> =

> --------------msED14C1BCF475674DE7213E38
> Content-Type: text/plain; charset=3Diso-8859-1
> Content-Transfer-Encoding: 8bit
> =

> This PR can be closed
> =

> Reason:
> telnet -X sra now behaves as it should (last checked on 4.4-PRE).
> -- =

> "I came out of it dead broke, without a house, without anything, except=

> a girlfriend and a knowledge of Unix." "Well, that=B4s something. Norma=
lly
> those two are mutually exclusive." N. Stephenson, "Cryptonomicon"
> --------------msED14C1BCF475674DE7213E38
> Content-Type: application/x-pkcs7-signature; name=3D"smime.p7s"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename=3D"smime.p7s"
> Content-Description: S/MIME Cryptographic Signature
> =

> MIIFmQYJKoZIhvcNAQcCoIIFijCCBYYCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaC=
C
> A0YwggNCMIICq6ADAgECAg5ZtgAAAAIvAuEdW+x2hTANBgkqhkiG9w0BAQQFADCBvDELMAk=
G
> A1UEBhMCREUxEDAOBgNVBAgTB0hhbWJ1cmcxEDAOBgNVBAcTB0hhbWJ1cmcxOjA4BgNVBAo=
T
> MVRDIFRydXN0Q2VudGVyIGZvciBTZWN1cml0eSBpbiBEYXRhIE5ldHdvcmtzIEdtYkgxIjA=
g
> BgNVBAsTGVRDIFRydXN0Q2VudGVyIENsYXNzIDEgQ0ExKTAnBgkqhkiG9w0BCQEWGmNlcnR=
p
> ZmljYXRlQHRydXN0Y2VudGVyLmRlMB4XDTAxMDYxMTE2NDY1OVoXDTAyMDYxMTE2NDY1OVo=
w
> VzELMAkGA1UEBhMCREUxFTATBgNVBAMTDFZvbGtlciBTdG9sejExMC8GCSqGSIb3DQEJARY=
i
> c3RvbHpAaTIuaW5mb3JtYXRpay5yd3RoLWFhY2hlbi5kZTCBnzANBgkqhkiG9w0BAQEFAAO=
B
> jQAwgYkCgYEA8yx0h5hC2nFxFa94YfCvUY1iZgkctI2yzzzLB5uEHoSiIv+a4sCO+x7zkiD=
Y
> b6NvABATGrW7E6VWRjQu6QhQhJP7BQ4LUxDnG0p28q6WK177eW5r0Fpet01q/d0Jkm8nK72=
b
> AH4YEJ0MF3FyxUqCBeVlDcAJEalIigXXsia/WAkCAwEAAaOBqjCBpzAzBglghkgBhvhCAQg=
E
> JhYkaHR0cDovL3d3dy50cnVzdGNlbnRlci5kZS9ndWlkZWxpbmVzMBEGCWCGSAGG+EIBAQQ=
E
> AwIFoDBdBglghkgBhvhCAQMEUBZOaHR0cHM6Ly93d3cudHJ1c3RjZW50ZXIuZGUvY2dpLWJ=
p
> bi9jaGVjay1yZXYuY2dpLzU5QjYwMDAwMDAwMjJGMDJFMTFENUJFQzc2ODU/MA0GCSqGSIb=
3
> DQEBBAUAA4GBAIEDGk47MKqF6ekljkY0fsJcBCPFm98WXVweBZWLS1Hy1p+JDhlezAK3g6o=
c
> SaejAnkX7aAoeMPQBNAITVRg+zowhZon05e4wki9m8w7dBKGGl7Jmh5/LXiCE3ob7BBOhFt=
K
> Kt9sr+4Rdm/JoBiaYwDwTd2MKdwUgfaE67fWltICMYICGzCCAhcCAQEwgc8wgbwxCzAJBgN=
V
> BAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMRAwDgYDVQQHEwdIYW1idXJnMTowOAYDVQQKEzF=
U
> QyBUcnVzdENlbnRlciBmb3IgU2VjdXJpdHkgaW4gRGF0YSBOZXR3b3JrcyBHbWJIMSIwIAY=
D
> VQQLExlUQyBUcnVzdENlbnRlciBDbGFzcyAxIENBMSkwJwYJKoZIhvcNAQkBFhpjZXJ0aWZ=
p
> Y2F0ZUB0cnVzdGNlbnRlci5kZQIOWbYAAAACLwLhHVvsdoUwCQYFKw4DAhoFAKCBojAYBgk=
q
> hkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wMTA4MTgxODExNDBaMCM=
G
> CSqGSIb3DQEJBDEWBBTkKP/8lBfdIaGnFjNbmT7AAQTlzzBDBgkqhkiG9w0BCQ8xNjA0MAo=
G
> CCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAHBgUrDgMCBzANBggqhkiG9w0DAgIBQDANBgk=
q
> hkiG9w0BAQEFAASBgAxk6kD20AEvhCiJ0wh58EaiTXDI3hY6g3A2xmeQ3AaMXj88k10Sser=
i
> pQ/HpbCwTw/En4aaKQWtV4lMau8RPWPFIdfoyWgsVMrtYuaOt4kOxK596PKduMTUCPRgzEe=
d
> 52T6jZF71K5T3tHFlqPtWvRgO66mrYV7WzgGHxgEZq5e
> --------------msED14C1BCF475674DE7213E38--
> =
Comment 6 Mark Murray freebsd_committer freebsd_triage 2001-08-28 10:33:52 UTC
State Changed
From-To: open->closed

Originator agrees the PR can be closed.