Re: [PATCH] remote-curl: fall back to Basic auth if Negotiate fails.

On Sat, Dec 27, 2014 at 12:56:04PM -0500, Jeff King wrote:
> On Sat, Dec 27, 2014 at 04:01:33AM +0000, brian m. carlson wrote:
> 
> > Apache servers using mod_auth_kerb can be configured to allow the user
> > to authenticate either using Negotiate (using the Kerberos ticket) or
> > Basic authentication (using the Kerberos password).  Often, one will
> > want to use Negotiate authentication if it is available, but fall back
> > to Basic authentication if the ticket is missing or expired.
> > 
> > Teach the HTTP client code to stop trying authentication mechanisms that
> > don't use a password (currently Negotiate) after the first failure,
> > since if they failed the first time, they will never succeed.
> > 
> > Signed-off-by: brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx>
> > ---
> > I was able to reproduce the problem on my server.  This fixes the
> > problem for me both when info/refs requires authentication and when it
> > does not.  Dan, please try and see if this fixes the problem for you.
> > 
> > I'm not clear on whether NTLM is a passwordless authentication method.
> > Since I don't use Windows or NTLM, I can't test it, but if it is, just
> > adding it to HTTP_AUTH_PASSWORDLESS should be sufficient.
> 
> I don't think this should make things any worse for NTLM if it is. It
> would just not get the benefit of the feature you are adding, and
> somebody with a working setup can test and add it at that time, right?

Correct.

> I'm not familiar enough with Negotiate auth to give a thorough review
> on the logic above. But FWIW, it makes sense to me, and the code looks
> correct.

libcurl will try very hard to use something other than Basic auth, even
over HTTPS.  If Basic and something else are offered, libcurl will never
use Basic.  I should probably make a note of that in the commit message.

> The credential struct is already a global for all requests. If you made
> the "no_passwordless" flag similarly global, it would be enough to set
> it in handle_curl_result and respect it in get_curl_handle.

I'll reroll with that change.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
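
The fallback discussed in this thread, as an added sketch that is not code from the patch or from git: a global no_passwordless flag is set after a passwordless mechanism fails and is respected when the next request's auth mask is built. The AUTH_* constants, the function names and the toy server are constructed for illustration, and the "anything but Basic wins" choice models the libcurl behaviour described in the message above.

```c
#include <stdio.h>

/* Constructed bit flags for this sketch; not libcurl's CURLAUTH_* values. */
enum { AUTH_BASIC = 1, AUTH_NEGOTIATE = 2 };
#define AUTH_PASSWORDLESS AUTH_NEGOTIATE /* mechanisms that never use a password */

/* Global, like the credential struct: one failure affects all later requests. */
static int no_passwordless;

/* Mask for a new request (hypothetical stand-in for the get_curl_handle step). */
static int allowed_auth(void)
{
	int mask = AUTH_BASIC | AUTH_NEGOTIATE;
	if (no_passwordless)
		mask &= ~AUTH_PASSWORDLESS;
	return mask;
}

/* Model of the client's choice: if anything other than Basic is usable, it wins. */
static int pick_auth(int offered, int allowed)
{
	int usable = offered & allowed;
	return (usable & AUTH_NEGOTIATE) ? AUTH_NEGOTIATE : (usable & AUTH_BASIC);
}

/* Constructed server: Negotiate needs a ticket; Basic password assumed correct. */
static int server_status(int method, int have_ticket)
{
	if (method == AUTH_NEGOTIATE)
		return have_ticket ? 200 : 401;
	return method == AUTH_BASIC ? 200 : 401;
}

/* Retry loop: returns the method that succeeded, or 0 once max_tries is spent. */
static int fetch(int offered, int have_ticket, int apply_fix, int max_tries)
{
	no_passwordless = 0;
	for (int i = 0; i < max_tries; i++) {
		int method = pick_auth(offered, allowed_auth());
		if (server_status(method, have_ticket) == 200)
			return method;
		/* Stand-in for the handle_curl_result step: give up on Negotiate. */
		if (apply_fix && (method & AUTH_PASSWORDLESS))
			no_passwordless = 1;
	}
	return 0;
}

int main(void)
{
	int offered = AUTH_BASIC | AUTH_NEGOTIATE;
	printf("no ticket, no fix: %d\n", fetch(offered, 0, 0, 3)); /* keeps retrying Negotiate */
	printf("no ticket, fix:    %d\n", fetch(offered, 0, 1, 3)); /* falls back to Basic */
	return 0;
}
```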
