FTP Malarky with Gibberish Users
Hello all,

I'm seeking to improve the security of my website. Content is maintained using Dreamweaver via FTP. Authentication is with LDAPUserFolder 2.3.

I've never been able to get medusa to disallow anonymous/gibberish logins. Please tell me someone knows how to do this. I'd like users who type in passwords incorrectly to be denied access, not stuck in "No Privileges Land - Population 1".

Those people without passwords and usernames should be denied access entirely, not be allowed to flood my server with commands that are, of course, denied. It's really obnoxious to have to service those that would do this, rather than deny them outright.

I'm game for some monkey patches, if so required.

Zope 2.6.2, for those that would ask.

Thanks in advance,
Edward
Hi Edward,

Edward Pollard wrote:
> Hello all,
> I'm seeking to improve the security of my website. Content is maintained using Dreamweaver via FTP. Authentication is with LDAPUserFolder 2.3.
> I've never been able to get medusa to disallow anonymous/gibberish logins. Please tell me someone knows how to do this. I'd like users who type in passwords incorrectly to be denied access, not stuck in "No Privileges Land - Population 1".
> Those people without passwords and usernames should be denied access entirely, not be allowed to flood my server with commands that are, of course, denied. It's really obnoxious to have to service those that would do this, rather than deny them outright.
> I'm game for some monkey patches, if so required.
> Zope 2.6.2, for those that would ask.
Besides using an FTP proxy, you can change some defaults in the code to use a mechanism already built in. Here is something I did: in FTPServer.py, there is the comment at the beginning:

    43      FTP Authorization
    44
    45      Zope supports both normal and anonymous logins. It can be difficult
    46      to authorize Zope users since they are defined in distributed user
    47      databases. Normally, all logins will be accepted and then the user must
    48      proceed to 'cd' to a directory in which they are authorized. In this
    49      case for the purpose of FTP limits, the user is considered anonymous
    50      until they cd to an authorized directory.
    51
    52      Optionally, users can login with a special username which indicates
    53      where they are defined. Their login will then be authenticated in
    54      the indicated directory, and they will not be considered anonymous.
    55      The form of the name is '<username>@<path>' where path takes the form
    56      '<folder id>[/<folder id>...]' For example: 'amos@Foo/Bar' This will
    57      authenticate the user 'amos' in the directory '/Foo/Bar'. In addition
    58      the user's FTP session will be rooted in the authenticated directory,
    59      i.e. they will not be able to cd out of the directory.

This means, if we fake logins without @ to have a special folder in it, we can force authentication - and get a changeroot for granted. See:

    460    def cmd_pass(self, line):
    461        'specify password'
    462        if len(line) < 2:
    463            pw = ''
    464        else:
    465            pw = line[1]
    466        self.password=pw
    467        i=self.userid.find('@')
    468        if i ==-1:
    469            # no '@' in the USER name: accepted as an anonymous login
    470            if self.server.limiter.check_limit(self):
    471                self.respond ('230 Login successful.')
    472                self.authorized = 1
    473                self.anonymous = 1
    474                self.log_info ('Successful login.')
    475            else:
    476                self.respond('421 User limit reached. Closing connection.')
    477                self.close_when_done()
    478        else:
    479            # '<name>@<path>': authenticate in <path> and root the session there
    480            path=self.userid[i+1:]
    481            self.userid=self.userid[:i]
    482            self.anonymous=None
    483            response=make_response(self, self.pass_completion,
    484                                   self._join_paths('/',path))
    485            request=FTPRequest(path,'PASS',self,response)
    486            handle(self.module,request,response)

The else part is what we want here, so we can simply sourge it out, for example if we modify all userids to contain @ and the desired path, like this, between 466 and 477:

        # rewrite the USER name before the find('@') on line 467 runs,
        # so i is computed on the rewritten name
        self.userid=self.userid.split("@")[0]+"@/rootpathforallusers"

HTH
Tino Wildenhain
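As an added illustration (not Zope's code, nor Tino's or Edward's), the following stand-alone model of cmd_pass compares the stock anonymous branch with the rooted login that the patch above produces; the user folders, the account names and the 530 reply on a failed password are assumptions of the model.

```python
# Constructed stand-in for the user folders an FTP login can be checked
# against (hypothetical accounts, not real Zope user-folder code).
USERS_AT = {
    "/www": {"pollej": "s3cret"},   # e.g. an LDAPUserFolder under /www
    "/": {"admin": "rootpw"},       # acl_users at the Zope root
}


def authenticate(path, userid, password):
    """True only if `userid`/`password` match the folder at `path`."""
    return USERS_AT.get(path, {}).get(userid) == password


def cmd_pass(userid, password, rooted=None, limit_ok=True):
    """Model of ZServer's cmd_pass; returns (reply, anonymous, root).

    userid   -- value sent with USER, optionally '<name>@<path>'
    rooted   -- None models stock behaviour (any '@'-less name is accepted
                as an anonymous login); a path such as '/www' models the
                thread's patch, which appends '@/www' so the login must
                authenticate there and the session is rooted there.
    limit_ok -- stand-in for server.limiter.check_limit()
    The 530 reply on failed authentication is an assumption of this model.
    """
    i = userid.find('@')
    if i == -1 and rooted is not None:
        userid = userid + '@' + rooted          # the patched lines
        i = userid.find('@')
    if i == -1:                                 # stock anonymous branch
        if not limit_ok:
            return ('421 User limit reached. Closing connection.', None, None)
        return ('230 Login successful.', True, '/')
    name, path = userid[:i], userid[i + 1:]
    if authenticate(path, name, password):
        return ('230 Login successful.', False, path)
    return ('530 Unauthorized.', None, None)
```

With `rooted='/www'` a gibberish name is refused outright instead of being parked as an anonymous session, while `admin@/` still authenticates at the root.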
On Jan 27, 2004, at 2:02 AM, Tino Wildenhain wrote:
> The else part is what we want here, so we can simply sourge it out, for example if we modify all userids to contain @ and the desired path, like this, between 466 and 477:
>
>         self.userid=self.userid.split("@")[0]+"@/rootpathforallusers"

Thank you for the exemplary advice. I changed the code as follows (sorry, no line numbers). Please advise if you think I've done a horrible thing. I wanted to allow users to specify different directories for where they exist, so I only take unspecified usernames and bind them against the LDAPUserFolder at /www. This will allow superusers to still FTP as normal into Zope.

        i=self.userid.find('@')
        if i ==-1:
            # no '@' given: bind the plain username against /www
            self.userid=self.userid+"@/www"
            i = self.userid.find('@')
        # if i ==-1:
        #     if self.server.limiter.check_limit(self):
        #         self.respond ('230 Login successful.')
        #         self.authorized = 1
        #         self.anonymous = 1
        #         self.log_info ('Successful login.')
        #     else:
        #         self.respond('421 User limit reached. Closing connection.')
        #         self.close_when_done()
        # else:
        path=self.userid[i+1:]

The remainder of the function has been brought back one indent level; there is no else clause anymore.

But I have a problem. I beg indulgence as this seems to perhaps not be a problem with Zope, but with Dreamweaver. Before I go into details, let me explain why I'm bringing it to you all: as far as I am aware, it is standard in FTP that the user have read access to the entire tree above his or her connection point. So as far as I can tell some of the things DW is trying to do with its connection, while unnecessary, are valid. Medusa is not actually changing the root directory for the user (regardless of the comments in ZServer.py implying that it would), so CWD / is failing. This seems to be the source of my consternation.

So, as follows: Dreamweaver is our primary FTP client. And with this change, it works - 50% of the time. If I go into the site manager, and click connect, it connects fine.
Z2.log excerpt follows (IPs sanitized for privacy):

0.0.0.0 50839 ==> 220 castor FTP server (Medusa Async V1.21 [experimental]) ready.
0.0.0.0 50839 <== USER pollej
0.0.0.0 50839 ==> 331 Password required.
0.0.0.0 50839 <== PASS <password>
0.0.0.0 50839 ==> 230 Login successful.
0.0.0.0 50839 <== SYST
0.0.0.0 50839 ==> 215 UNIX Type: L8
0.0.0.0 50839 <== CWD /www/ftptest                <--------------------- Note this line
0.0.0.0 50839 ==> 250 CWD command successful.
0.0.0.0 50839 <== CWD /www/ftptest/_mm
0.0.0.0 50839 ==> 550 No such directory.
0.0.0.0 50839 <== CWD /
0.0.0.0 50839 ==> 530 Unauthorized.
0.0.0.0 50839 <== CWD /
0.0.0.0 50839 ==> 530 Unauthorized.
0.0.0.0 50839 <== CWD /
0.0.0.0 50839 ==> 530 Unauthorized.
0.0.0.0 50839 <== PWD
0.0.0.0 50839 ==> 257 "/www/ftptest" is the current directory.
0.0.0.0 50839 <== TYPE A
0.0.0.0 50839 ==> 200 Type set to ASCII.
0.0.0.0 50839 <== PASV
0.0.0.0 50839 ==> 227 Entering Passive Mode (142,66,0,0,226,201)
0.0.0.0 50839 <== LIST
0.0.0.0 50839 ==> 150 Opening ASCII mode data connection for file list
0.0.0.0 50839 ==> 226 Transfer complete

Everything is fine. I now disconnect, and then reconnect.

0.0.0.0 50841 ==> 220 castor FTP server (Medusa Async V1.21 [experimental]) ready.
0.0.0.0 50841 <== USER pollej
0.0.0.0 50841 ==> 331 Password required.
0.0.0.0 50841 <== PASS <password>
0.0.0.0 50841 ==> 230 Login successful.
0.0.0.0 50841 <== SYST
0.0.0.0 50841 ==> 215 UNIX Type: L8
0.0.0.0 50841 <== CWD /www/ftptest/_mm
0.0.0.0 50841 ==> 550 No such directory.
0.0.0.0 50841 <== CWD /
0.0.0.0 50841 ==> 530 Unauthorized.
0.0.0.0 50841 <== CWD /
0.0.0.0 50841 ==> 530 Unauthorized.
0.0.0.0 50841 <== CWD /
0.0.0.0 50841 ==> 530 Unauthorized.
0.0.0.0 50841 <== PWD
0.0.0.0 50841 ==> 257 "/www" is the current directory.
0.0.0.0 50841 <== TYPE A
0.0.0.0 50841 ==> 200 Type set to ASCII.
0.0.0.0 50841 <== PASV
0.0.0.0 50841 ==> 227 Entering Passive Mode (142,66,0,0,226,202)
0.0.0.0 50841 <== LIST
0.0.0.0 50841 ==> 150 Opening ASCII mode data connection for file list
0.0.0.0 50841 ==> 226 Transfer complete

You will notice one important line is missing in the second log excerpt. Why? I don't know. What is even more peculiar is that Dreamweaver thinks it is in the same directory in both conditions, "/www/ftptest", but it is not. In the second instance the content of "/www" is displayed. Attempting to navigate the server under this condition results in failure, as it issues CWD commands as if it were already in "/www/ftptest" (i.e. clicking on ftptest issues a "CWD /www/ftptest/ftptest" command).

If I enable FTP Access for Anonymous the entire problem goes away - Dreamweaver connections are always successful and behave properly. However gibberish users can now connect and download to their heart's content.

I hope I've managed to explain my problem sensibly, and I hope even more someone can present some insight on how to make Zope play nice with this particular FTP client, if that is at all possible.
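Added example, not from the thread: a small parser over Z2.log-style lines that pairs each reply with the command sent before it and flags sessions in which no CWD ever succeeded, which is exactly what separates the two sessions above. The excerpt is constructed from the quoted sessions and trimmed to their CWD/PWD exchanges.

```python
import re

# Constructed excerpt in Z2.log's request/reply format (IPs sanitized),
# modelled on the two Dreamweaver sessions quoted in the thread.
LOG = """\
0.0.0.0 50839 <== CWD /www/ftptest
0.0.0.0 50839 ==> 250 CWD command successful.
0.0.0.0 50839 <== CWD /
0.0.0.0 50839 ==> 530 Unauthorized.
0.0.0.0 50839 <== PWD
0.0.0.0 50839 ==> 257 "/www/ftptest" is the current directory.
0.0.0.0 50841 <== CWD /www/ftptest/_mm
0.0.0.0 50841 ==> 550 No such directory.
0.0.0.0 50841 <== CWD /
0.0.0.0 50841 ==> 530 Unauthorized.
0.0.0.0 50841 <== PWD
0.0.0.0 50841 ==> 257 "/www" is the current directory.
"""

LINE = re.compile(r'^(\S+) (\d+) (<==|==>) (.*)$')


def summarize(log):
    """Group lines by (ip, port) and pair each reply with the command before it.
    Returns {session: {'cwd': [(target, reply_code)], 'pwd': last PWD result}}."""
    sessions, pending = {}, {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                       # banner or unrelated line
        key = (m.group(1), m.group(2))
        s = sessions.setdefault(key, {'cwd': [], 'pwd': None})
        if m.group(3) == '<==':            # client -> server: remember it
            pending[key] = m.group(4)
            continue
        cmd, code = pending.pop(key, ''), m.group(4)[:3]
        if cmd.startswith('CWD '):
            s['cwd'].append((cmd[4:], code))
        elif cmd == 'PWD' and code == '257':
            s['pwd'] = m.group(4).split('"')[1]
    return sessions


def sessions_without_successful_cwd(sessions):
    """Sessions where no CWD got a 250: the client is still at its login
    root even though it may believe it is in the directory it asked for."""
    return sorted(k for k, s in sessions.items()
                  if not any(code == '250' for _, code in s['cwd']))
```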