Re: Multiple 331 password responses in FTP protocol


Ron Natalie (ron@topaz.rutgers.edu)
Fri, 4 Sep 87 12:34:21 EDT


UNIX uses the simple-minded approach. Only the first digit is
checked. (This is for information).

I think ACCESS/MVS is doing the wrong thing. The reply strings
are supposed to be informative only, the client is supposed to
be able to make its decisions based on the numbers alone. The
only defined acceptable replies in the spec are 3XX meaning
send account, 2XX Success, and 5XX error. Doing anything else
is just asking for trouble. The last two digits are there to
provide a finer differentiation of the error, but not to change
the flow of control.

Beyond that conceptual problem, if I understand what is going on here,
your second password string actually changes the password? This is
a horrendous security problem and really ought not to be done in FTP.
Better to just return an error (EXPIRED PASSWORD) and leave the user
to correct the situation through other channels.

-Ron
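
[Added example, not part of the original message or of any FTP implementation it mentions: a sketch of a client login loop that decides on the first reply digit only, replayed over constructed server transcripts. The function names, the transcripts and the reply texts are assumptions made for illustration.]

```python
import re

# A reply line is three digits, then '-' (more lines follow) or ' ' (last line).
_REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def parse_reply(lines):
    """Read one reply, single- or multi-line, from an iterator of lines."""
    m = _REPLY.match(next(lines))
    if not m:
        raise ValueError("malformed reply line")
    code, sep, text = m.groups()
    parts = [text]
    while sep == "-":                      # multi-line: ends at "<same code> "
        line = next(lines)
        m = _REPLY.match(line)
        if m and m.group(1) == code and m.group(2) == " ":
            sep, line = " ", m.group(3)
        parts.append(line)
    return int(code), "\n".join(parts)

def next_action(last_command, code):
    """Choose the next login step from the first digit; the text is never read."""
    digit = code // 100
    if digit == 2:
        return "LOGGED_IN"
    if digit == 3:                         # server wants the next item in the sequence
        return {"USER": "PASS", "PASS": "ACCT"}.get(last_command, "FAIL")
    return "FAIL"                          # 5XX; 1XX and 4XX are treated as failure too

def login(reply_lines):
    """Replay server replies; return (commands sent, outcome)."""
    lines, sent, command = iter(reply_lines), [], "USER"
    while True:
        sent.append(command)
        code, _text = parse_reply(lines)
        action = next_action(command, code)
        if action in ("LOGGED_IN", "FAIL"):
            return sent, action
        command = action

# Constructed transcripts (reply text is made up for illustration).
NORMAL = ["331 Password required", "230-Welcome", " maintenance at 02:00", "230 Logged in"]
SECOND_331 = ["331 Password required", "331 Password expired, send new password",
              "530 Not logged in"]

if __name__ == "__main__":
    print(login(NORMAL))        # USER, PASS, then logged in
    print(login(SECOND_331))    # second 331 is answered with ACCT, not a new PASS
```

In the second transcript the numbers-only client never sends a second PASS, so a server that gives the repeated 331 a special meaning is relying on text the client does not read.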



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:39:15 GMT