Re: git-http-backend auth via Kerberos

[Dan Langille (dalangil)]

On Dec 19, 2014, at 3:16 PM, brian m. carlson <sand...@crustytoothpaste.net> 
wrote:
> 
> On Fri, Dec 19, 2014 at 03:07:20PM +0000, Dan Langille (dalangil) wrote:
>> Correct, we are trying to avoid that.  In addition, there is only https, no 
>> http.
> 
> I don't think HTTPS versus HTTP matters.  I use Kerberos over HTTPS only
> and it works fine.
> 
>> To be clear, for the following tests, there is no Kerberos ticket.
>> 
>> I tried that URL using three different browsers.  Each time I am prompted for
>> a username & password.  After entering valid credentials, I get:
>> 
>> Chrome: No data received. Unable to load the webpage because the server
>> sent no data. Error code: ERR_EMPTY_RESPONSE
>> 
>> With Firefox: The connection was reset
>> 
>> Safari: Safari Can’t Open The Page
>> 
>> However, I did stumble across something which seems promising.
>> 
>> After the above failures, if I then browse to /gitweb/
>> (where I see expected results) and then go to the info/refs URL you supplied,
>> I see data such as this:
>> 
>>   fe068a8ae55cea4bb90e2cc714107f4c5389d516   refs/heads/0.96.x
>>   d384a963980e9b40e34dea80eac280cf2d4b7c73   refs/heads/0.97.x
>> 
>> Conclusion: there is something in the /gitweb auth which is succeeding and 
>> then
>> allowing /git to work
> 
> That could possibly be due to KrbSaveCredentials.
> 
>> For the record, this is the gitweb auth:
>> 
>> <Location /gitweb>
>>  SSLOptions +StdenvVars
>>  Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
>> 
>>  AuthType           Kerberos
>>  AuthName           “us.example.com"
>>  KrbAuthRealms      us.example.com
>>  KrbServiceName     HTTP/us.example.com
>>  Krb5Keytab         /usr/local/etc/apache22/repo-test.keytab
>>  KrbMethodNegotiate on
>>  KrbMethodk5Passwd  on
> 
> Does it work if you set this value (KrbMethodK5Passwd on) explicitly in
> the other configuration?  That might be sufficient.

No, it does not.

>> That attempt is shown here: http://dpaste.com/04RG37E.txt
>> 
>>> You'll obviously
>>> want to see if the server offers Basic auth as well as Negotiate.
>> 
>> I’m not up on my knowledge here.  You mean the Kerberos server?
> 
> No, I meant the HTTP server, which it looks like from your attempt it
> does.  I'm not really sure what the issue is after looking at that,
> although it looks like Git isn't sending the username and password.
> I'll try to look at this a little more this weekend.

If you can, thanks.  I’ll be happy to run any tests etc.  I’m the second
person here to tackle this and we keep hitting the same block.

cheers

— 
Dan Langille
Infrastructure & Operations
Talos Group
Sourcefire, Inc.
N�����r��y����b�X��ǧv�^�)޺{.n�+����ا���ܨ}���Ơz�&j:+v�������zZ+��+zf���h���~����i���z��w���?�����&�)ߢf