Re: [PATCH v3] remote-curl: fall back to Basic auth if Negotiate fails

I did not test this patch.  Is that holding up a commit?
— 
Dan Langille
Infrastructure & Operations
Talos Group
Sourcefire, Inc.

> On Jan 7, 2015, at 7:29 PM, brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx> wrote:
> 
> Apache servers using mod_auth_kerb can be configured to allow the user
> to authenticate either using Negotiate (using the Kerberos ticket) or
> Basic authentication (using the Kerberos password).  Often, one will
> want to use Negotiate authentication if it is available, but fall back
> to Basic authentication if the ticket is missing or expired.
> 
> However, libcurl will try very hard to use something other than Basic
> auth, even over HTTPS.  If Basic and something else are offered, libcurl
> will never attempt to use Basic, even if the other option fails.
> Teach the HTTP client code to stop trying authentication mechanisms that
> don't use a password (currently Negotiate) after the first failure,
> since if they failed the first time, they will never succeed.
> 
> Signed-off-by: brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Jeff King <peff@xxxxxxxx>
> ---
> Peff's original change was to get_curl_handle; however, we retry the
> second time with the same slot and we may not call get_curl_handle
> again, so I had to move that change to get_active_slot.  This has been
> tested pushing with both Negotiate and Basic against an HTTPS server
> both when info/refs was protected and when it was not.
> 
> http.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
> 
> diff --git a/http.c b/http.c
> index 040f362..44b130c 100644
> --- a/http.c
> +++ b/http.c
> @@ -62,6 +62,9 @@ static const char *user_agent;
> 
> static struct credential cert_auth = CREDENTIAL_INIT;
> static int ssl_cert_password_required;
> +#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
> +static unsigned long http_auth_methods = CURLAUTH_ANY;
> +#endif
> 
> static struct curl_slist *pragma_header;
> static struct curl_slist *no_pragma_header;
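
Review bot: the new file-scope http_auth_methods declaration has no comment saying what it tracks. A one-line comment above it, stating that it is the mask of HTTP auth mechanisms still worth offering to libcurl and that bits are removed after a failure, would save readers from having to find the other two hunks to understand it.
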
> @@ -580,6 +583,9 @@ struct active_request_slot *get_active_slot(void)
> 	curl_easy_setopt(slot->curl, CURLOPT_UPLOAD, 0);
> 	curl_easy_setopt(slot->curl, CURLOPT_HTTPGET, 1);
> 	curl_easy_setopt(slot->curl, CURLOPT_FAILONERROR, 1);
> +#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
> +	curl_easy_setopt(slot->curl, CURLOPT_HTTPAUTH, http_auth_methods);
> +#endif
> 	if (http_auth.password)
> 		init_curl_http_auth(slot->curl);
> 
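
Review bot: nothing at the new curl_easy_setopt() call in get_active_slot() explains why CURLOPT_HTTPAUTH is applied per slot rather than once when the handle is created. The reason is given only in the notes below the "---" line (the retry reuses the same slot and get_curl_handle may not be called again), and those notes do not end up in the commit. Please move that explanation into the commit message or into a short comment above the call.
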
> @@ -870,6 +876,9 @@ int handle_curl_result(struct slot_results *results)
> 			credential_reject(&http_auth);
> 			return HTTP_NOAUTH;
> 		} else {
> +#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
> +			http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE;
> +#endif
> 			return HTTP_REAUTH;
> 		}
> 	} else {
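
Review bot: the Negotiate bit is cleared in the else branch on every path that returns HTTP_REAUTH, with no check that Negotiate was the mechanism that just failed, and nothing in this patch sets the bit again. Because http_auth_methods is a file-scope static, one failure turns Negotiate off for the rest of the process, including any later request to a different server. If that is intended, say so in a comment here; otherwise consider restoring CURLAUTH_ANY once authentication succeeds or the target host changes.
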
> @@ -986,6 +995,7 @@ static void extract_content_type(struct strbuf *raw, struct strbuf *type,
> 		strbuf_addstr(charset, "ISO-8859-1");
> }
> 
> +
> /* http_request() targets */
> #define HTTP_REQUEST_STRBUF	0
> #define HTTP_REQUEST_FILE	1
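
Review bot: the only change in this hunk is an extra blank line before the /* http_request() targets */ comment, which is unrelated to the auth fallback and leaves two consecutive blank lines. Please drop it from the patch.
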
> -- 
> 2.2.1.209.g41e5f3a
> 

