Received: (qmail 24924 invoked by uid 2012); 29 Dec 1998 19:50:17 -0000 Message-Id: <19981229195017.24923.qmail@hyperreal.org> Date: 29 Dec 1998 19:50:17 -0000 From: T.Pascal Reply-To: t_pascal@zennet.com To: apbugs@hyperreal.org Subject: Some anonymous FTP URLs ask for authentication X-Send-Pr-Version: 3.2 >Number: 3605 >Category: mod_proxy >Synopsis: Some anonymous FTP URLs ask for authentication >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: suspended >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue Dec 29 13:10:00 PST 1998 >Last-Modified: Wed Apr 28 07:11:03 PDT 1999 >Originator: t_pascal@zennet.com >Organization: >Release: 1.3.3 >Environment: Running Linux 2.0.34 (RedHat 5.2), Apache 1.3.3. >Description: Clients accessing my apache proxy for only *some* ftp URLs get a prompt to enter a username and password, even when no username is given and anonymous access is supposed to be the default (ftp://ftp.cdrom.com/ is the famous one; there's one other that I haven't confirmed). Entering "anonymous" and "you@me.com" makes it go away, but it appears for each download and directory change, and doesn't even remember the last "anonymous" and "me@you.com" password at the very least. Also, probably related: All FTP URLs of the form ftp://username@ftp.something.com/ pop up the authentication box, but do not remember the username (i.e., both boxes are blank). As far as I can tell, ftp://username@ftp.something.com/ only serves to pop up a blank authentication box. ftp://user:pass@ftp.ftp.com/ works fine, but is not a good choice at all. The Apache proxy server is nice, and I hope development continues on it. I especially would like to see FTP PUTs work, as a normal FTP proxy is terribly unsecure with the packet access that has to be allowed. >How-To-Repeat: Using apache 1.3.3 proxy and a Netscape 4.x client, try ftp://ftp.cdrom.com/ >Fix: I suppose cdrom.com has a special ftp server that challenges Apache. Apache might recognize this challenge and substitute anonymous. Or at least remember the previous anonymous user and password... >Audit-Trail: From: "C. Regis Wilson" To: apache-bugdb@apache.org, apbugs@hyperreal.org Cc: apbugs@apache.org Subject: Re: mod_proxy/3605: Some anonymous FTP URLs ask for authentication Date: Thu, 31 Dec 1998 10:26:36 -0800 I'm pleased to announce that I added mod_access, mod_auth, and mod_auth.anon, and it seems to work. Although I figure that mod_auth_anon would have done the job alone. You will still want to check allegations that ftp://user@some.where/ doesn't pop up the box with the username filled in. That is still a problem. Apache is *kick*ass*, by the way. Microsucks uses IIS, and it's no wonder their site is so sucky. From: "C. Regis Wilson" To: apache-bugdb@apache.org, apbugs@hyperreal.org Cc: apbugs@apache.org Subject: Re: mod_proxy/3605: Some anonymous FTP URLs ask for authentication Date: Thu, 31 Dec 1998 10:26:36 -0800 I'm pleased to announce that I added mod_access, mod_auth, and mod_auth.anon, and it seems to work. Although I figure that mod_auth_anon would have done the job alone. You will still want to check allegations that ftp://user@some.where/ doesn't pop up the box with the username filled in. That is still a problem. Apache is *kick*ass*, by the way. Microsucks uses IIS, and it's no wonder their site is so sucky. State-Changed-From-To: open-suspended State-Changed-By: martin State-Changed-When: Wed Apr 28 07:11:03 PDT 1999 State-Changed-Why: Some notes on your PR: If the dialog pops up in the same directory, then probably logins were refused by the ftp server (too many ftp sessions active?). When an (anonymous or previously specified user+password) login attempt fails, apache replies with the 401 Authenticate code. When you change directories (towards the root dir), it's often the browser which doesn't use the same auth info. Apache ftp proxy doesn't "remember" anything. It's the browser that remembers a session's user+pass tuple for a given server. When you start with ftp://user@host/ in the first place, apache attempts to log in with the supplied user name, but when the ftp server replies with a password prompt, it can only (either try to use a default password or) return the 401 Authorization Required response to the browser. However, it cannot make the browser pop up its password dialog with the username filled in already. There's no protocol element in the reply to supply such an initialization string. #### Reason for SUSPEND state: #### You say that the addition of mod_access and mod_auth fixed your problem. If that is so then proxy_ftp should be fixed to check for the presence of these modules. The 401 reply should only be returned if mod_auth is actually available. >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]