Anonymous FTP and login pass url based

Al Batard
Hi,

I use Squid 3.1.18 / DansGuardian 2.10.1.1 on CentOS 5.7 and I have a problem with FTP.

When I connect to an FTP site anonymously through a web browser, no problem.
When I connect to an FTP site that does not have anonymous configured as default, with ftp://login:pass@ftp-site through a web browser, no problem. The "ftp_epsv" parameter is off (default on). The popup appears on the screen.

But when I connect to an FTP site that uses anonymous as default and I use a login/password to access a specific folder, ftp://login:pass@ftp-site does not work.

It seems that if anonymous is OK on the FTP site, the login/password from the URL ftp://login:pass@ftp-site is not used.

My compilation options

Default


./configure \
  --prefix=/usr/share/squid --bindir=/usr/sbin --sbindir=/usr/sbin \
  --sysconfdir=/etc/squid --localstatedir=/var --libdir=/usr/lib64/squid \
  --datarootdir=/usr/share --docdir=/usr/share/doc/squid-3.1.11 \
  --enable-delay-pools --enable-cache-digests --disable-ident-lookups \
  --enable-follow-x-forwarded-for --enable-icmp --enable-useragent-log \
  --with-pidfile=/var/run/squid.pid --with-logdir=/data/squid/log \
  --with-large-files --enable-ssl --with-default-user=squid \
  --enable-linux-netfilter --enable-esi


Try


./configure \
  --prefix=/usr/share/squid --bindir=/usr/sbin --sbindir=/usr/sbin \
  --sysconfdir=/etc/squid --localstatedir=/var --libdir=/usr/lib64/squid \
  --datarootdir=/usr/share --docdir=/usr/share/doc/squid-3.1.18 \
  --enable-delay-pools --enable-cache-digests \
  --enable-follow-x-forwarded-for --enable-icmp --enable-useragent-log \
  --with-pidfile=/var/run/squid.pid --with-logdir=/data/squid/log \
  --with-large-files --enable-ssl --with-default-user=squid \
  --enable-linux-netfilter --enable-esi --enable-auth=basic \
  --enable-ident-lookups


Regards,

Guillaume

Re: Anonymous FTP and login pass url based

Amos Jeffries
Administrator
On 16/12/2011 9:28 p.m., Al Batard wrote:

> Hi,
>
> I use Squid 3.1.18 / DansGuardian 2.10.1.1 on CentOS 5.7 and I have a problem with FTP.
>
> When I connect to an FTP site anonymously through a web browser, no problem.
> When I connect to an FTP site that does not have anonymous configured as default, with ftp://login:pass@ftp-site through a web browser, no problem. The "ftp_epsv" parameter is off (default on). The popup appears on the screen.
>
> But when I connect to an FTP site that uses anonymous as default and I use a login/password to access a specific folder, ftp://login:pass@ftp-site does not work.
>
> It seems that if anonymous is OK on the FTP site, the login/password from the URL ftp://login:pass@ftp-site is not used.

So what is the problem then?

Amos


Re : [squid-users] Anonymous FTP and login pass url based

Al Batard
Hi Amos,

Thanks for your answer.

My problem is that if an FTP site uses both default anonymous and login/password, Squid does not send the login/password and only uses anonymous.


I tried without the Squid proxy and the login/password in the URL is OK for this FTP site.

Guillaume



----- Original message -----
From: Amos Jeffries <[hidden email]>
To: [hidden email]
Cc:
Sent: Friday 16 December 2011 9:54
Subject: Re: [squid-users] Anonymous FTP and login pass url based

On 16/12/2011 9:28 p.m., Al Batard wrote:

> Hi,
>
> I use Squid 3.1.18 / DansGuardian 2.10.1.1 on CentOS 5.7 and I have a problem with FTP.
>
> When I connect to an FTP site anonymously through a web browser, no problem.
> When I connect to an FTP site that does not have anonymous configured as default, with ftp://login:pass@ftp-site through a web browser, no problem. The "ftp_epsv" parameter is off (default on). The popup appears on the screen.
>
> But when I connect to an FTP site that uses anonymous as default and I use a login/password to access a specific folder, ftp://login:pass@ftp-site does not work.
>
> It seems that if anonymous is OK on the FTP site, the login/password from the URL ftp://login:pass@ftp-site is not used.

So what is the problem then?

Amos

Re: Re : [squid-users] Anonymous FTP and login pass url based

Amos Jeffries
Administrator
On 16/12/2011 10:15 p.m., Al Batard wrote:

> Hi Amos,
>
> Thanks for your answer.
>
> My problem is that if an FTP site uses both default anonymous and login/password, Squid does not send the login/password and only uses anonymous.
>
>
> I tried without the Squid proxy and the login/password in the URL is OK for this FTP site.
>
> Guillaume

Ah. Thanks.

Can you provide an FTP protocol sequence displaying the error?
You can get a cache.log trace of FTP with "debug_options 9,2" in any of
the recent Squid releases.

Amos


Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

Al Batard
Hi,


This is the log of the FTP connection to an FTP site that accepts both anonymous and login/pass (ftp://login:pass@ftpsite in the URL). Only anonymous is used, not my login/password.
On an FTP site with anonymous login denied, the user/password appear in the log.


- Log of the FTP site with anonymous and login/pass authorized:


2011/12/16 13:46:53.474| ftp>> 220 FTP Server ready.
2011/12/16 13:46:53.474| ftp<< USER anonymous

2011/12/16 13:46:53.500| ftp>> 331 Anonymous login ok, send your complete email address as your password
2011/12/16 13:46:53.500| ftp<< PASS Squid@

2011/12/16 13:46:53.548| ftp>> 230 Anonymous login ok, restrictions apply.
2011/12/16 13:46:53.548| ftp<< TYPE A

2011/12/16 13:46:53.575| ftp>> 200 Type set to A
2011/12/16 13:46:53.575| ftp<< PASV

2011/12/16 13:46:53.601| ftp>> 227 Entering Passive Mode (86,66,22,5,238,97).
2011/12/16 13:46:53.627| ftp<< LIST

2011/12/16 13:46:53.653| ftp>> 150 Opening ASCII mode data connection for file list
2011/12/16 13:46:53.744| ftp>> 226 Transfer complete
2011/12/16 13:46:53.744| ftp<< QUIT

2011/12/16 13:46:53.771| ftp>> 221 Goodbye.



- Log of the FTP site with login/pass authorized only:

2011/12/16 13:50:09.781| ftp>> 220 FTP XXXXXXXXXXXXXXXX


2011/12/16 13:50:09.781| ftp<< USER login

2011/12/16 13:50:09.810| ftp>> 331 Password required for login
2011/12/16 13:50:09.810| ftp<< PASS password

2011/12/16 13:50:09.871| ftp>> 230 User login logged in
2011/12/16 13:50:09.871| ftp<< TYPE A

2011/12/16 13:50:09.906| ftp>> 200 Type set to A
2011/12/16 13:50:09.906| ftp<< PASV

2011/12/16 13:50:09.933| ftp>> 227 Entering Passive Mode (86,65,55,2,183,40).
2011/12/16 13:50:09.963| ftp<< LIST

2011/12/16 13:50:09.990| ftp>> 150 Opening ASCII mode data connection for file list
2011/12/16 13:50:10.024| ftp>> 226 Transfer complete
2011/12/16 13:50:10.024| ftp<< QUIT


2011/12/16 13:50:10.055| ftp>> 221 Goodbye.



Regards,

Guillaume




----- Original message -----
From: Amos Jeffries <[hidden email]>
To: [hidden email]
Cc:
Sent: Friday 16 December 2011 10:22
Subject: Re: [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

On 16/12/2011 10:15 p.m., Al Batard wrote:

> Hi Amos,
>
> Thanks for your answer.
>
> My problem is that if an FTP site uses both default anonymous and login/password, Squid does not send the login/password and only uses anonymous.
>
>
> I tried without the Squid proxy and the login/password in the URL is OK for this FTP site.
>
> Guillaume

Ah. Thanks.

Can you provide an FTP protocol sequence displaying the error?
You can get a cache.log trace of FTP with "debug_options 9,2" in any of
the recent Squid releases.

Amos

Re : [squid-users] Anonymous FTP and login pass url based

Henrik Nordström
Please try testing this with squidclient or another dumb http client.

The major browsers are all pretty braindead in different manners when it
comes to non-anonymous FTP URLs and can confuse matters greatly.

Regards
Henrik


Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

Al Batard
Hi Henrik,

I tried IE8, FF, and squidclient ... and the result is the same.

Without the Squid proxy, with ftp://login:password@siteftp on an FTP site which uses anonymous as default plus authenticated access, the connection with login/password is OK.
With the Squid proxy, ftp://login:password@siteftp only returns anonymous access.

Regards


Guillaume





----- Original message -----
From: Henrik Nordström <[hidden email]>
To: Al Batard <[hidden email]>
Cc: "[hidden email]" <[hidden email]>
Sent: Saturday 17 December 2011 3:54
Subject: [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

Please try testing this with squidclient or another dumb http client.

The major browsers are all pretty braindead in different manners when it
comes to non-anonymous FTP URLs and can confuse matters greatly.

Regards
Henrik

Re: Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

Amos Jeffries
Administrator
In reply to this post by Al Batard
On 17/12/2011 2:24 a.m., Al Batard wrote:

> Hi,
>
>
> This is the log of the FTP connection to an FTP site that accepts both anonymous and login/pass (ftp://login:pass@ftpsite in the URL). Only anonymous is used, not my login/password.
> On an FTP site with anonymous login denied, the user/password appear in the log.
>
>
> - Log of the FTP site with anonymous and login/pass authorized:
>
>
> 2011/12/16 13:46:53.474| ftp>>  220 FTP Server ready.
> 2011/12/16 13:46:53.474| ftp<<  USER anonymous
>
> <snip>
>
> 2011/12/16 13:46:53.653| ftp>>  150 Opening ASCII mode data connection for file list
> 2011/12/16 13:46:53.744| ftp>>  226 Transfer complete
> 2011/12/16 13:46:53.744| ftp<<  QUIT
>
> 2011/12/16 13:46:53.771| ftp>>  221 Goodbye.

This is a successful transfer. The data got to Squid using anonymous
access. There is no problem with auth here.

Do you have a trace from this server when requesting something from the
login-required area of the site?


>
>
>
> - Log of the FTP site with login/pass authorized only:
>
> 2011/12/16 13:50:09.781| ftp>>  220 FTP XXXXXXXXXXXXXXXX
>
>
> 2011/12/16 13:50:09.781| ftp<<  USER login

I think there is some trace missing here. An earlier connect attempt to
the FTP server using anon access, which fails.
Either way, auth happened and the object was fetched. Again, no problem
with auth here.

Amos

Re: Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

Henrik Nordström
Mon 2011-12-19 at 23:53 +1300, Amos Jeffries wrote:

> Do you have a trace from this server when requesting something from the
> login-required area of the site?

If the requested URL contains login credentials then anonymous FTP login
SHOULD NOT be attempted.

Regards
Henrik


Re: Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

Amos Jeffries
Administrator
On 20/12/2011 9:35 p.m., Henrik Nordström wrote:

> Mon 2011-12-19 at 23:53 +1300, Amos Jeffries wrote:
>
>> Do you have a trace from this server when requesting something from the
>> login-required area of the site?
> If the requested URL contains login credentials then anonymous FTP login
> SHOULD NOT be attempted.
>
> Regards
> Henrik
>

Sorry. My brain seems to have died :(   see the src/ftp.cc checkAuth()
function for reality.

Default is username "anonymous" with password from config file (default
"Squid@"). Which gets overridden by HTTP Basic auth headers (if any).
Which then gets overridden by URL details (if any).

The final result of all that merging is what gets sent to the server in
a single USER command. (I was thinking of it incorrectly as the order of
several USER commands)

Amos
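
A small model of the precedence described in the message above, compared against the first trace posted in this thread. This is an added example, not part of the thread and not Squid's checkAuth() code; `expected_login`, `sent_login` and `check` are hypothetical names, and the empty password for a URL that carries only a user name is an assumption.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

# Commands Squid sends, in the line shape of the cache.log excerpts above:
#   2011/12/16 13:46:53.474| ftp<< USER anonymous
SENT = re.compile(r"\|\s*ftp<<\s+(USER|PASS)\s+(\S.*?)\s*$")

def expected_login(url, basic_header=None, anon_password="Squid@"):
    """Precedence as described in the message: anonymous default, then
    HTTP Basic auth header, then credentials in the URL (model only)."""
    user, password = "anonymous", anon_password
    if basic_header and basic_header.lower().startswith("basic "):
        decoded = base64.b64decode(basic_header[6:]).decode("utf-8", "replace")
        name, _, secret = decoded.partition(":")
        if name:
            user, password = name, secret
    parts = urlsplit(url)
    if parts.username:
        # Assumption: a URL with a user but no password sends an empty PASS.
        user, password = unquote(parts.username), unquote(parts.password or "")
    return user, password

def sent_login(trace):
    """First USER and PASS arguments found in a section-9 trace."""
    sent = {}
    for line in trace.splitlines():
        m = SENT.search(line)
        if m:
            sent.setdefault(m.group(1), m.group(2))
    return sent.get("USER"), sent.get("PASS")

def check(url, trace, basic_header=None):
    """Compare the login the model expects with the one in the trace."""
    want_user, _ = expected_login(url, basic_header)
    got_user, _ = sent_login(trace)
    return {"expected": want_user, "sent": got_user, "match": want_user == got_user}

# Constructed sample: opening lines of the first trace posted in the thread.
TRACE = """\
2011/12/16 13:46:53.474| ftp>> 220 FTP Server ready.
2011/12/16 13:46:53.474| ftp<< USER anonymous
2011/12/16 13:46:53.500| ftp>> 331 Anonymous login ok, send your complete email address as your password
2011/12/16 13:46:53.500| ftp<< PASS Squid@
2011/12/16 13:46:53.548| ftp>> 230 Anonymous login ok, restrictions apply.
"""

if __name__ == "__main__":
    print(check("ftp://login:pass@ftp-site/", TRACE))
```

For the URL form used in the thread the model expects `USER login`, while the trace shows `USER anonymous`, so `match` is false.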

Re : [squid-users] Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

Al Batard
Hi and thanks for your answers,

If I understand correctly, this is a bug in the order of FTP authentication?

Guillaume



----- Original message -----
From: Amos Jeffries <[hidden email]>
To: [hidden email]
Cc:
Sent: Tuesday 20 December 2011 12:00
Subject: Re: [squid-users] Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

On 20/12/2011 9:35 p.m., Henrik Nordström wrote:

> Mon 2011-12-19 at 23:53 +1300, Amos Jeffries wrote:
>
>> Do you have a trace from this server when requesting something from the
>> login-required area of the site?
> If the requested URL contains login credentials then anonymous FTP login
> SHOULD NOT be attempted.
>
> Regards
> Henrik
>

Sorry. My brain seems to have died :(   see the src/ftp.cc checkAuth() function for reality.

Default is username "anonymous" with password from config file (default "Squid@"). Which gets overridden by HTTP Basic auth headers (if any). Which then gets overridden by URL details (if any).

The final result of all that merging is what gets sent to the server in a single USER command. (I was thinking of it incorrectly as the order of several USER commands)

Amos


Re : [squid-users] Anonymous FTP and login pass url based

Amos Jeffries
Administrator
On 28/12/2011 1:02 a.m., Al Batard wrote:
> Hi and thanks for your answers,
>
> If I understand correctly, this is a bug in the order of FTP authentication?

Yes, though what is unknown. Which Squid version are you seeing it in?

And can you get an FTP section level-9 debug trace. It should show the
exact username processing steps performed. With both encoded and decoded
user/pass, so be careful replying here with anything.

Amos
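
The caution above about traces carrying user names and passwords, turned into a scrubber that can be run over a cache.log excerpt before it is posted. This is an added example, not part of the thread and not Squid code; the function names and sample credentials are constructed. It only knows the `ftp<< USER` / `ftp<< PASS` line shape shown in this thread plus ftp:// URLs, so any other encoding in a level-9 trace still needs a manual read.

```python
import re
from urllib.parse import quote, unquote

# Commands Squid sends, in the line shape of the traces posted in this thread:
#   2011/12/16 13:50:09.810| ftp<< PASS password
CMD = re.compile(r"\|\s*ftp<<\s+(USER|PASS)\s+(\S.*?)\s*$")
# user[:password]@ in any ftp:// URL that appears on a line
USERINFO = re.compile(r"ftp://([^/@\s:]+)(?::([^/@\s]*))?@", re.IGNORECASE)

def collect_secrets(text, anon_password="Squid@"):
    """Pass 1: gather every non-anonymous user name and password."""
    secrets, anon = set(), False
    for line in text.splitlines():
        m = CMD.search(line)
        if m and m.group(1) == "USER":
            anon = m.group(2).lower() == "anonymous"
            if not anon:
                secrets.add(m.group(2))
        elif m and not anon:  # PASS that follows a real user name
            secrets.add(m.group(2))
        for user, password in USERINFO.findall(line):
            secrets.update((user, password))
    # Cover the percent-encoded and the decoded spelling of each value.
    secrets |= {unquote(s) for s in secrets} | {quote(s, safe="") for s in secrets}
    return secrets - {"", "anonymous", anon_password}

def redact_trace(text):
    """Pass 2: replace each collected value wherever it occurs."""
    secrets = sorted(collect_secrets(text), key=len, reverse=True)
    if not secrets:
        return text
    alternatives = "|".join(re.escape(s) for s in secrets)
    # Lookarounds keep a short user name from mangling longer words.
    pattern = re.compile(r"(?<![A-Za-z0-9])(?:%s)(?![A-Za-z0-9])" % alternatives)
    return pattern.sub("<redacted>", text)

# Constructed sample: second trace from the thread with made-up credentials;
# the last line is a made-up stand-in for a debug line carrying the URL.
SAMPLE = """\
2011/12/16 13:50:09.781| ftp<< USER alice
2011/12/16 13:50:09.810| ftp>> 331 Password required for alice
2011/12/16 13:50:09.810| ftp<< PASS p@ss
2011/12/16 13:50:09.871| ftp>> 230 User alice logged in
2011/12/16 13:50:09.990| url=ftp://alice:p%40ss@ftp-site/
"""

if __name__ == "__main__":
    print(redact_trace(SAMPLE))
```

Server replies that echo the user name are scrubbed as well, and an anonymous-only trace passes through unchanged.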

Re : [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

Al Batard
Hi,

I tried debug_options 9,9 and the first process performed is anonymous login
(not user/password if it exists). User/password are used afterwards if
anonymous authentication failed. If the FTP site uses both anonymous and
user/password and the anonymous connection is OK, user/password
authentication is not performed.

Seen in Squid 3.1.11 and 3.1.18.

Thanks,

Guillaume


----- Original message -----
From: Amos Jeffries <[hidden email]>
To: [hidden email]
Cc:
Sent: Wednesday 28 December 2011 3:39
Subject: [squid-users] Re : [squid-users] Anonymous FTP and login pass url based

On 28/12/2011 1:02 a.m., Al Batard wrote:
> Hi and thanks for your answers,
>
> If I understand correctly, this is a bug in the order of FTP authentication?

Yes, though what is unknown. Which Squid version are you seeing it in?

And can you get an FTP section level-9 debug trace. It should show the exact username processing steps performed. With both encoded and decoded user/pass, so be careful replying here with anything.

Amos
