[MERGE] GSSAPI authentication support for FTP

Jelmer Vernooij jelmer at samba.org
Thu Jul 3 00:11:34 BST 2008


On Wednesday, 02.07.2008, at 01:26 -0400, Martin Pool wrote:
> Martin Pool has voted resubmit.
> Status is now: Resubmit

> +
> +    def gssapi_login(self, user):
> +        # Try GSSAPI login first
> +        resp = self.sendcmd('AUTH GSSAPI')
> +        if resp[:3] == '334':
> +            rc, self.vc = kerberos.authGSSClientInit("ftp@%s" % 
> self.host)
> +            if kerberos.authGSSClientStep(self.vc, "") != 1:
> +                while resp[:3] in ('334', '335'):
> +                    authdata = kerberos.authGSSClientResponse(self.vc)
> +                    resp = self.sendcmd('ADAT ' + authdata)
> +                    if resp[:9] in ('235 ADAT=', '335 ADAT='):
> +                        rc = kerberos.authGSSClientStep(self.vc, 
> resp[9:])
> +                        if not ((resp[:3] == '235' and rc == 1) or
> +                                (resp[:3] == '335' and rc == 0)):
> +                            raise AssertionError
> +            info("Authenticated as %s" % 
> kerberos.authGSSClientUserName(
> +                    self.vc))
> +
> +            # Monkey patch ftplib
> +            self.putcmd = self.mic_putcmd
> +            self.getline = self.mic_getline
> +            self.sendcmd('USER ' + user)
> +            return resp
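Review bot: After the `while` loop, the code logs "Authenticated as ..." and installs the MIC wrappers without confirming that the GSSAPI context was actually established. The `rc == 1` check only runs when the reply starts with `235 ADAT=` or `335 ADAT=`, so a plain `235` reply with no ADAT token, or an initial `authGSSClientStep(self.vc, "")` that returns 1, falls straight through to the success path with no server token ever verified. Keep the last `rc` and raise unless it is 1 before switching `putcmd`/`getline`. A `334`/`335` reply that lacks the `ADAT=` prefix should also raise, since as written the loop calls `authGSSClientResponse` again without an intervening step. The `rc` returned by `authGSSClientInit` is never checked either.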
> 
> When you get something unexpected back it would be nice to raise an error
> that contains e.g. resp so that if a user hits it we have some data to go
> on - and anyhow the message might help them understand what's going wrong.
> Perhaps a generic TransportError would be better than AssertionError.
>
> What happens if you get a response other than 334?  I would guess there's
> one that means 'not supported' which you should ignore but maybe the
> others should at least give a warning?

I'd rather not warn since I suspect different servers to react quite
differently to this despite the standard. I've added a mutter for now,
since I suspect a warning may be annoying to the majority of users of
the ftp protocol. If it turns out GSSAPI doesn't work unexpectedly for
people, we can always convert it into a warning.

[...]

> Other than that it looks pretty good to me.

Thanks. I've attached an updated patch that fixes the issues you
mentioned.

Cheers,

Jelmer
-- 
Jelmer Vernooij <jelmer at samba.org> - http://samba.org/~jelmer/
Jabber: jelmer at jabber.fsfe.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bzr-ftp-gssapi.patch
Type: text/x-patch
Size: 18443 bytes
Desc: not available
Url : https://lists.ubuntu.com/archives/bazaar/attachments/20080703/a206a5cb/attachment-0001.bin 

