📄 rfc2228.txt
字号:
data, it should respond with reply code 335. If the server accepts the security data, but does not require any additional data (i.e., the security data exchange has completed successfully), it must respond with reply code 235. If the server is responding with a 235 or 335 reply code, then it may include security data in the text part of the reply as specified above.Horowitz & Lunt Standards Track [Page 7]
RFC 2228 FTP Security Extensions October 1997 If the ADAT command returns an error, the security data exchange will fail, and the client must reset its internal security state. If the client becomes unsynchronized with the server (for example, the server sends a 234 reply code to an AUTH command, but the client has more data to transmit), then the client must reset the server's security state. PROTECTION BUFFER SIZE (PBSZ) The argument is a decimal integer representing the maximum size, in bytes, of the encoded data blocks to be sent or received during file transfer. This number shall be no greater than can be represented in a 32-bit unsigned integer. This command allows the FTP client and server to negotiate a maximum protected buffer size for the connection. There is no default size; the client must issue a PBSZ command before it can issue the first PROT command. The PBSZ command must be preceded by a successful security data exchange. If the server cannot parse the argument, or if it will not fit in 32 bits, it should respond with a 501 reply code. If the server has not completed a security data exchange with the client, it should respond with a 503 reply code. Otherwise, the server must reply with a 200 reply code. If the size provided by the client is too large for the server, it must use a string of the form "PBSZ=number" in the text part of the reply to indicate a smaller buffer size. The client and the server must use the smaller of the two buffer sizes if both buffer sizes are specified. DATA CHANNEL PROTECTION LEVEL (PROT) The argument is a single Telnet character code specifying the data channel protection level. This command indicates to the server what type of data channel protection the client and server will be using. The following codes are assigned: C - Clear S - Safe E - Confidential P - PrivateHorowitz & Lunt Standards Track [Page 8]
RFC 2228 FTP Security Extensions October 1997 The default protection level if no other level is specified is Clear. The Clear protection level indicates that the data channel will carry the raw data of the file transfer, with no security applied. The Safe protection level indicates that the data will be integrity protected. The Confidential protection level indicates that the data will be confidentiality protected. The Private protection level indicates that the data will be integrity and confidentiality protected. It is reasonable for a security mechanism not to provide all data channel protection levels. It is also reasonable for a mechanism to provide more protection at a level than is required (for instance, a mechanism might provide Confidential protection, but include integrity-protection in that encoding, due to API or other considerations). The PROT command must be preceded by a successful protection buffer size negotiation. If the server does not understand the specified protection level, it should respond with reply code 504. If the current security mechanism does not support the specified protection level, the server should respond with reply code 536. If the server has not completed a protection buffer size negotiation with the client, it should respond with a 503 reply code. The PROT command will be rejected and the server should reply 503 if no previous PBSZ command was issued. If the server is not willing to accept the specified protection level, it should respond with reply code 534. If the server is not able to accept the specified protection level, such as if a required resource is unavailable, it should respond with reply code 431. Otherwise, the server must reply with a 200 reply code to indicate that the specified protection level is accepted. CLEAR COMMAND CHANNEL (CCC) This command does not take an argument.Horowitz & Lunt Standards Track [Page 9]
RFC 2228 FTP Security Extensions October 1997 It is desirable in some environments to use a security mechanism to authenticate and/or authorize the client and server, but not to perform any integrity checking on the subsequent commands. This might be used in an environment where IP security is in place, insuring that the hosts are authenticated and that TCP streams cannot be tampered, but where user authentication is desired. If unprotected commands are allowed on any connection, then an attacker could insert a command on the control stream, and the server would have no way to know that it was invalid. In order to prevent such attacks, once a security data exchange completes successfully, if the security mechanism supports integrity, then integrity (via the MIC or ENC command, and 631 or 632 reply) must be used, until the CCC command is issued to enable non-integrity protected control channel messages. The CCC command itself must be integrity protected. Once the CCC command completes successfully, if a command is not protected, then the reply to that command must also not be protected. This is to support interoperability with clients which do not support protection once the CCC command has been issued. This command must be preceded by a successful security data exchange. If the command is not integrity-protected, the server must respond with a 533 reply code. If the server is not willing to turn off the integrity requirement, it should respond with a 534 reply code. Otherwise, the server must reply with a 200 reply code to indicate that unprotected commands and replies may now be used on the command channel. INTEGRITY PROTECTED COMMAND (MIC) and CONFIDENTIALITY PROTECTED COMMAND (CONF) and PRIVACY PROTECTED COMMAND (ENC) The argument field of MIC is a Telnet string consisting of a base 64 encoded "safe" message produced by a security mechanism specific message integrity procedure. The argument field of CONF is a Telnet string consisting of a base 64 encoded "confidential" message produced by a security mechanism specific confidentiality procedure. The argument field of ENC is a Telnet string consisting of a base 64 encoded "private" message produced by a security mechanism specific message integrity and confidentiality procedure.Horowitz & Lunt Standards Track [Page 10]
RFC 2228 FTP Security Extensions October 1997 The server will decode and/or verify the encoded message. This command must be preceded by a successful security data exchange. A server may require that the first command after a successful security data exchange be CCC, and not implement the protection commands at all. In this case, the server should respond with a 502 reply code. If the server cannot base 64 decode the argument, it should respond with a 501 reply code. If the server has not completed a security data exchange with the client, it should respond with a 503 reply code. If the server has completed a security data exchange with the client using a mechanism which supports integrity, and requires a CCC command due to policy or implementation limitations, it should respond with a 503 reply code. If the server rejects the command because it is not supported by the current security mechanism, the server should respond with reply code 537. If the server rejects the command (if a checksum fails, for instance), it should respond with reply code 535. If the server is not willing to accept the command (if privacy is required by policy, for instance, or if a CONF command is received before a CCC command), it should respond with reply code 533. Otherwise, the command will be interpreted as an FTP command. An end-of-line code need not be included, but if one is included, it must be a Telnet end-of-line code, not a local end-of-line code. The server may require that, under some or all circumstances, all commands be protected. In this case, it should make a 533 reply to commands other than MIC, CONF, and ENC.4. Login Authorization The security data exchange may, among other things, establish the identity of the client in a secure way to the server. This identity may be used as one input to the login authorization process.Horowitz & Lunt Standards Track [Page 11]
RFC 2228 FTP Security Extensions October 1997 In response to the FTP login commands (AUTH, PASS, ACCT), the server may choose to change the sequence of commands and replies specified by RFC 959 as follows. There are also some new replies available. If the server is willing to allow the user named by the USER command to log in based on the identity established by the security data exchange, it should respond with reply code 232. If the security mechanism requires a challenge/response password, it should respond to the USER command with reply code 336. The text part of the reply should contain the challenge. The client must display the challenge to the user before prompting for the password in this case. This is particularly relevant to more sophisticated clients or graphical user interfaces which provide dialog boxes or other modal input. These clients should be careful not to prompt for the password before the username has been sent to the server, in case the user needs the challenge in the 336 reply to construct a valid password.5. New FTP Replies The new reply codes are divided into two classes. The first class is new replies made necessary by the new FTP Security commands. The second class is a new reply type to indicate protected replies. 5.1. New individual reply codes 232 User logged in, authorized by security data exchange. 234 Security data exchange complete. 235 [ADAT=base64data] ; This reply indicates that the security data exchange ; completed successfully. The square brackets are not ; to be included in the reply, but indicate that ; security data in the reply is optional. 334 [ADAT=base64data] ; This reply indicates that the requested security mechanism ; is ok, and includes security data to be used by the client ; to construct the next command. The square brackets are not ; to be included in the reply, but indicate that ; security data in the reply is optional. 335 [ADAT=base64data] ; This reply indicates that the security data is ; acceptable, and more is required to complete the ; security data exchange. The square brackets ; are not to be included in the reply, but indicate ; that security data in the reply is optional.Horowitz & Lunt Standards Track [Page 12]
RFC 2228 FTP Security Extensions October 1997 336 Username okay, need password. Challenge is "...." ; The exact representation of the challenge should be chosen ; by the mechanism to be sensible to the human user of the ; system. 431 Need some unavailable resource to process security. 533 Command protection level denied for policy reasons. 534 Request denied for policy reasons. 535 Failed security check (hash, sequence, etc). 536 Requested PROT level not supported by mechanism. 537 Command protection level not supported by security mechanism. 5.2. Protected replies. One new reply type is introduced: 6yz Protected reply There are three reply codes of this type. The first, reply code 631 indicates an integrity protected reply. The second, reply code 632, indicates a confidentiality and integrity protected reply. the third, reply code 633, indicates a confidentiality protected reply. The text part of a 631 reply is a Telnet string consisting of a base 64 encoded "safe" message produced by a security mechanism specific message integrity procedure. The text part of a 632 reply is a Telnet string consisting of a base 64 encoded "private" message produced by a security mechanism specific message confidentiality and integrity procedure. The text part of a 633 reply is a Telnet string consisting of a base 64 encoded "confidential" message produced by a security mechanism specific message confidentiality procedure. The client will decode and verify the encoded reply. How failures decoding or verifying replies are handled is implementation-specific. An end-of-line code need not be included, but if one is included, it must be a Telnet end- of-line code, not a local end-of-line code. A protected reply may only be sent if a security data exchange has succeeded. The 63z reply may be a multiline reply. In this case, the plaintext reply must be broken up into a number of fragments. Each fragment must be protected, then base 64Horowitz & Lunt Standards Track [Page 13]
RFC 2228 FTP Security Extensions October 1997 encoded in order into a separate line of the multiline reply. There need not be any correspondence between the line breaks in the plaintext reply and the encoded reply. Telnet end-of-line codes must appear in the plaintext of the encoded reply, except for the final end-of-line code, which is optional. The multiline reply must be formatted more strictly than the continuation specification in RFC 959. In particular, each line before the last must be formed by the reply code, followed immediately by a hyphen, followed by a base 64 encoded fragment of the reply. For example, if the plaintext reply is 123-First line Second line 234 A line beginning with numbers 123 The last line then the resulting protected reply could be any of the following (the first example has a line break only to fit within the margins):⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -