Re: git-http-backend auth via Kerberos

On Fri, Dec 19, 2014 at 03:07:20PM +0000, Dan Langille (dalangil) wrote:
> Correct, we are trying to avoid that.  In addition, there is only https, no http.

I don't think HTTPS versus HTTP matters.  I use Kerberos over HTTPS only
and it works fine.

> To be clear, for the following tests, there is no Kerberos ticket.
> 
> I tried that URL using three different browsers.  Each time I am prompted for
> a username & password.  After entering valid credentials, I get:
> 
> Chrome: No data received. Unable to load the webpage because the server
> sent no data. Error code: ERR_EMPTY_RESPONSE
> 
> With Firefox: The connection was reset
> 
> Safari: Safari Can’t Open The Page
> 
> However, I did stumble across something which seems promising.
> 
> After the above failures, if I then browse to /gitweb/
> (where I see expected results) and then go to the info/refs URL you supplied,
> I see data such as this:
> 
>    fe068a8ae55cea4bb90e2cc714107f4c5389d516	refs/heads/0.96.x
>    d384a963980e9b40e34dea80eac280cf2d4b7c73	refs/heads/0.97.x
> 
> Conclusion: there is something in the /gitweb auth which is succeeding and then
> allowing /git to work

That could possibly be due to KrbSaveCredentials.

> For the record, this is the gitweb auth:
> 
> <Location /gitweb>
>   SSLOptions +StdenvVars
>   Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
> 
>   AuthType           Kerberos
>   AuthName           "us.example.com"
>   KrbAuthRealms      us.example.com
>   KrbServiceName     HTTP/us.example.com
>   Krb5Keytab         /usr/local/etc/apache22/repo-test.keytab
>   KrbMethodNegotiate on
>   KrbMethodk5Passwd  on

Does it work if you set this value (KrbMethodK5Passwd on) explicitly in
the other configuration?  That might be sufficient.

> 
> That attempt is shown here: http://dpaste.com/04RG37E.txt
> 
> > You'll obviously
> > want to see if the server offers Basic auth as well as Negotiate.
> 
> I’m not up on my knowledge here.  You mean the Kerberos server?

No, I meant the HTTP server, which it looks like from your attempt it
does.  I'm not really sure what the issue is after looking at that,
although it looks like Git isn't sending the username and password.
I'll try to look at this a little more this weekend.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
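
The check suggested above (whether the HTTP server offers Basic as well as Negotiate), as an added example that is not part of the original message: it lists the auth schemes found in the WWW-Authenticate headers of a 401 response. The sample responses are constructed and the function names are hypothetical.

```python
import re

QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')   # quoted-string, may contain commas
LEADING = re.compile(r"^\s*([!#$%&'*+.^_`|~0-9A-Za-z-]+)\s*(=?)")

# Constructed sample responses (not captured from the server in this thread).
BOTH = ("HTTP/1.1 401 Unauthorized\r\n"
        "WWW-Authenticate: Negotiate\r\n"
        'WWW-Authenticate: Basic realm="us.example.com"\r\n'
        "Content-Length: 0\r\n\r\n")
NEGOTIATE_ONLY = ("HTTP/1.1 401 Unauthorized\r\n"
                  "WWW-Authenticate: Negotiate\r\n\r\n")
ONE_HEADER = ("HTTP/1.1 401 Unauthorized\r\n"
              'www-authenticate: Negotiate, Basic realm="a, b", charset="UTF-8"\r\n\r\n')

def offered_schemes(raw_response):
    """Return (status, [lower-cased auth schemes]) for a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    schemes = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        # Blank out quoted strings so their commas do not split a challenge.
        for piece in QUOTED.sub('""', value).split(","):
            m = LEADING.match(piece)
            # "token=" is a parameter of the previous challenge, not a scheme.
            if m and not m.group(2):
                schemes.append(m.group(1).lower())
    return status, schemes

def password_fallback_offered(raw_response):
    """True when a client without a ticket can fall back to Basic."""
    status, schemes = offered_schemes(raw_response)
    return status == 401 and "basic" in schemes

if __name__ == "__main__":
    for label, raw in (("both", BOTH), ("negotiate only", NEGOTIATE_ONLY),
                       ("one header", ONE_HEADER)):
        print(label, offered_schemes(raw), password_fallback_offered(raw))
```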
