PBSZ/PROT should be allowed before authentication.

[GoogleCodeExporter]

We have a client using the following FTP client "IBM FTP CS V1R9" on an IBM 
mainframe and since moving away from ProFTPd to pyftpdlib they are unable to 
log in and upload files. 

The reason for this is that their client sends PBSZ/PROT before sending the 
username/password. I changed both of these commands to not require 
authentication and that seems to resolve the issue (in my testing) but I am 
waiting for confirmation from the client. 

I read RFC 2228 and didn't see anything saying you had to send USER/PASS before 
PBSZ/PROT; however I could be wrong.

Original issue reported on code.google.com by guppy...@gmail.com on 27 Apr 2011 at 3:32

[GoogleCodeExporter]

I've just tried this script (note: Python 2.7 is required) against proftpd 
configured for using FTPS and PBSZ command is not accepted before 
authenticating (it returns "500 not understood"):

import ftplib
f = ftplib.FTP_TLS()
f.connect("localhost")
f.sendcmd('pbsz 0')
f.login("giampaolo", "********")

If you move "f.sendcmd('pbsz 0')" after logging in then it works fine, so I 
guess the problem might be somewhere else.
Can you verify?
Having a log of the same client session against both pyftpdlib and proftpd 
would be great.

Original comment by g.rodola on 27 Apr 2011 at 7:11

[GoogleCodeExporter]

You'll have to forgive me for the old proftpd version but we couldn't upgrade 
for awhile :)

proftpd 1.2.10 behavior:

>>> import ftplib
>>> f = ftplib.FTP_TLS()
>>> f.connect("192.168.30.233")
'220 192.168.30.233 FTP server ready'
>>> f.sendcmd('pbsz 0')
ftplib.error_perm: 550 SSL/TLS required on the control channel

pyftpdlib behavior:

>>> import ftplib
>>> f = ftplib.FTP_TLS()
>>> f.connect("192.168.30.233", 2121)
'220 192.168.30.233 ready.'
>>> f.sendcmd('pbsz 0')
ftplib.error_perm: 530 Log in with USER and PASS first.

I'm not sure which is the correct behavior; however, it doesn't look like 
having these accepted before USER/PASS is against any RFC.

Thanks,
Jeff

Original comment by guppy...@gmail.com on 28 Apr 2011 at 4:02

[GoogleCodeExporter]

vsftpd also does this:

>>> import ftplib
>>> f = ftplib.FTP_TLS() 
>>> f.connect('techmonkeys.org')    
'220 (vsFTPd 2.0.5)'
>>> f.sendcmd('pbsz 0')
ftplib.error_perm: 503 PBSZ needs a secure connection.
>>> 

Original comment by guppy...@gmail.com on 28 Apr 2011 at 3:44

[GoogleCodeExporter]

Yeah... point is it's kind of illogical for a client to issue PBSZ/PROT 
*before* authenticating since those commands tells the server whether or not 
using SSL for the data connection, which is not even starting yet (you have to 
authenticate and issue PASV/PORT first).

Same applies for all other commands involving the data channel.

> I'm not sure which is the correct behavior; however, it doesn't look like 
having 
> these accepted before USER/PASS is against any RFC.

Ok, but by looking at what you pasted both vsftpd, proftpd and pyftpdlib reject 
PBSZ before authentication, so I'm not sure what problem we're talking about 
here.
Maybe the problem you were experiencing has not been fixed by you changing the 
default commands behavior but for another cause.

Original comment by g.rodola on 28 Apr 2011 at 4:05

[GoogleCodeExporter]

You know, I think it's just the error message that might be messing things up.

Original comment by guppy...@gmail.com on 28 Apr 2011 at 8:18

[GoogleCodeExporter]

You mean sending 503 instead of 550?

Original comment by g.rodola on 1 May 2011 at 6:17

[GoogleCodeExporter]

Is there any harm in allowing this in the first place?  I know you're saying 
it's illogical, but it doesn't seem that allowing PBSZ/PROT before 
authenticating will effect anything at all.

I'm seeing the same issue with FireFTP (which I imagine is far more popular 
then an IBM mainframe FTP client).  FireFTP will refuse to connect unless PBSZ 
returns a 2XX result code.

I can confirm pure-ftp allows this:
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 17:38. Server port: 21.
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
       AUTH TLS
234 AUTH TLS OK.
       PBSZ 0
200 PBSZ=0
       USER xxxx
331 User xxxx OK. Password required
       PASS (password not shown)
230 OK. Current restricted directory is /
       FEAT
211-Extensions supported:
EPRT
IDLE
MDTM
SIZE
REST STREAM
MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
MLSD
AUTH TLS
PBSZ
PROT
ESTA
PASV
EPSV
SPSV
ESTP
211 End.

I've modified the code locally to allow this command to happen before auth, and 
everything seems to work fine.

Original comment by d...@devicenull.org on 28 Jun 2011 at 9:39

[GoogleCodeExporter]

Sorry for the delay, I kinda forgot about this issue.
In r877 I allowed PBSZ and PROT to be issued before authentication.

Original comment by g.rodola on 14 Jul 2011 at 9:06

• Changed state: FixedInSVN
• Added labels: Compatibility, SSL, Usability

[GoogleCodeExporter]

Original comment by g.rodola on 31 Oct 2011 at 5:11

• Added labels: Milestone-0.6.1

[GoogleCodeExporter]

Original comment by g.rodola on 3 Jan 2012 at 11:40

• Added labels: Milestone-0.7.0

[GoogleCodeExporter]

0.7.0 is out. Closing this out as definitively fixed.

Original comment by g.rodola on 25 Jan 2012 at 7:24

• Changed state: Fixed
• Added labels: Version-0.6.0