On Tue, Jul 22, 2014 at 10:00:22AM -0700, Junio C Hamano wrote: > "brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes: > > > So git uses libcurl with CURLAUTH_ANY. In order for authentication to > > work with libcurl, you have to supply a username. If you specify it in > > the URL, the libcurl realizes that it can use Kerberos, and goes on its > > merry way. > > > > If you don't specify the username in the URL, git notices that > > authentication has failed, and asks the credential store for a username > > and password. git does not know that a password is not needed, so the > > credential subsystem prompts for one anyway. > > Hmmm, does this hint that we might want to be able to tell the > credential subsystem that it is sufficient to have name without > password, or allow the credential subsystem to say "I am giving you > sufficient information" when it returns only username without > password? I just did some testing here, and on my configuration (mod_auth_kerb without Basic authentication fallback), hitting enter at both the username and password prompts results in a successful connection with stock git. This makes sense, because with GSSAPI authentication, your ticket is tied to your username, so no explicit username is needed. If I turn on KrbMethodK5Passwd and try to push without credentials, I can confirm that git refuses, even if the correct password is set. It looks like libcurl really doesn't want to use Basic authentication if there's a "better" choice. Jean-Francois, do you have KrbMethodK5Passwd set to on (the default)? If so, you might try turning it off and forcing Kerberos authentication all the time. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Attachment:
signature.asc
Description: Digital signature