netbsd-bugs: bin/14848: ftpd skey prompt does not comply with RFC2289

Subject: bin/14848: ftpd skey prompt does not comply with RFC2289
To: None <gnats-bugs@gnats.netbsd.org>
From: John F. Woods <jfw@jfwhome.funhouse.com>
List: netbsd-bugs
Date: 12/05/2001 20:44:42

>Number:         14848
>Category:       bin
>Synopsis:       ftpd skey prompt does not comply with RFC2289
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 05 17:47:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     John F. Woods
>Release:        Dec 5, 2001
>Organization:
Misanthropes-R-Us
>Environment:
	
System: NetBSD jfwhome.funhouse.com 1.5X NetBSD 1.5X (JFW) #2: Wed Jul 25 16:33:29 EDT 2001 root@jfwhome.funhouse.com:/usr/src/sys/arch/i386/compile/JFW i386
Architecture: i386
Machine: i386
>Description:
The s/key prompt issued by ftpd looks like this:

331 Password [otp-md4 97 jfwq64344] required for jfw.

RFC2289 says the skey tokens "The three tokens MUST be separated by a white
space (defined as any number of spaces and/or tabs) and the entire challenge
string MUST be terminated with either a space or a new line."

This has, in fact, confused at least one ftp client (Fetch for Macintosh).

>How-To-Repeat:
Buy or borrow a Mac.  (Go ahead, you know you want one!)
Install Fetch.
Set up s/key on your favorite NetBSD host.
Use Fetch to ftp to that host.
Be completely unable to log in because Fetch incorrectly parses the incorrect
challenge.
Read the RFC and discover who is right.
	
>Fix:

Simply appending a space to the challenge is sufficient for RFC compliance
as well as making Fetch work.  Using spaces on both sides is more visually
pleasing and is consistent with "sudo".

*** ftpd.c.orig	Wed Dec  5 20:30:50 2001
--- ftpd.c	Wed Dec  5 20:26:56 2001
***************
*** 707,713 ****
  			const char *myskey;
  
  			myskey = skey_keyinfo(curname);
! 			reply(331, "Password [%s] required for %s.",
  			    myskey ? myskey : "error getting challenge",
  			    curname);
  		} else
--- 707,713 ----
  			const char *myskey;
  
  			myskey = skey_keyinfo(curname);
! 			reply(331, "Password [ %s ] required for %s.",
  			    myskey ? myskey : "error getting challenge",
  			    curname);
  		} else

>Release-Note:
>Audit-Trail:
>Unformatted: