On Tue, Feb 02, 2016 at 12:37:19PM -0800, Junio C Hamano wrote: > Dmitry Vilkov <dmitry.a.vilkov@xxxxxxxxx> writes: > > > This is fix of bug introduced by 4dbe66464 commit. > > That would be 4dbe6646 (remote-curl: fall back to Basic auth if > Negotiate fails, 2015-01-08) that appears in v2.3.1 and onward. > > > The problem is that when username/password combination was not set, > > the first HTTP(S) request will fail and user will be asked for > > credentials. As a side effect of first HTTP(S) request, libcurl auth > > method GSS-Negotiate will be disabled unconditionally. Although, we > > haven't tried yet provided credentials for this auth method. I'm unclear in what case you'd need to have a username and password combination with GSS-Negotiate. Kerberos doesn't use your password, although you need some indication of a username (valid or not) to get libcurl to do authentication. Are you basically using a bare URL (without a username component) and waiting for git to prompt you for the username, so that it will then enable authentication? If so, this patch looks fine for that, although I'd expand on the commit message. If not, could you provide an example of what you're trying to do? > Brian, comments? Here is what you wrote in that commit: > > If Basic and something else are offered, libcurl will never > attempt to use Basic, even if the other option fails. Teach the > HTTP client code to stop trying authentication mechanisms that > don't use a password (currently Negotiate) after the first > failure, since if they failed the first time, they will never > succeed. I think what's happening here is no username is ever provided, so libcurl never tries authentication in the first place. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
Attachment:
signature.asc
Description: PGP signature