Re: [PATCH v2] remote-curl: fall back to Basic auth if Negotiate fails
On Tue, Jan 06, 2015 at 04:07:01PM +, Dan Langille (dalangil) wrote: HTTP/1.1 401 Authorization Required Date: Tue, 06 Jan 2015 16:02:48 GMT Server: Apache WWW-Authenticate: Negotiate Your server is set up incorrectly. You should see a Negotiate line and a Basic line as well. Right now, you only have Negotiate set up, so if you don't have a ticket, it's going to fail. I'd recommend making sure that you can access it using a web browser after running kdestroy. That will ensure that it's working properly. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187 signature.asc Description: Digital signature
Re: [PATCH v2] remote-curl: fall back to Basic auth if Negotiate fails
On Jan 5, 2015, at 6:53 PM, brian m. carlson sand...@crustytoothpaste.net wrote: On Mon, Jan 05, 2015 at 09:23:32PM +, Dan Langille (dalangil) wrote: I have tried both patches. Neither succeeds here. I patched git version 2.2.1 but I don’t think that affects this. You are patching the client side, correct? That's the side that needs patching here. Yes, I am. Just so the list knows, I will be sending a reroll to the existing patch, but the patches I've posted do indeed work in my testing. I appreciate the patches. I blame something here. The patches don’t t apply cleanly to git-2.2.1 or to the latest git source I just cloned. I had to copy/paste some two chunks in http.c and everything in remote-curl.c. Looking at the source, the place to patch is there, just on a different line number. [dvl@porter93 /usr/ports/devel/git/work/git-2.2.1]$ sudo patch ~dvl/patch2.txt Hmm... Looks like a unified diff to me... The text leading up to this was: -- |diff --git a/http.c b/http.c |index 040f362..815194d 100644 |--- a/http.c |+++ b/http.c -- Patching file http.c using Plan A... Hunk #1 succeeded at 62. Hunk #2 succeeded at 988 with fuzz 2. Hunk #3 failed at 1047. Hunk #4 failed at 1154. 2 out of 4 hunks failed--saving rejects to http.c.rej Hmm... The next patch looks like a unified diff to me... The text leading up to this was: -- |diff --git a/http.h b/http.h |index 473179b..71943d3 100644 |--- a/http.h |+++ b/http.h -- Patching file http.h using Plan A... Hunk #1 succeeded at 98 with fuzz 2. Hunk #2 succeeded at 114. Hmm... The next patch looks like a unified diff to me... The text leading up to this was: -- |diff --git a/remote-curl.c b/remote-curl.c |index dd63bc2..4ca5447 100644 |--- a/remote-curl.c |+++ b/remote-curl.c -- Patching file remote-curl.c using Plan A... Hunk #1 failed at 467. Hunk #2 failed at 513. Hunk #3 failed at 538. Hunk #4 failed at 625. 4 out of 4 hunks failed--saving rejects to remote-curl.c.rej done Before I flood the list with debug runs, I wanted to make sure I was testing with an appropriate configuration: Location /git SSLOptions +StdenvVars Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch # By default, allow access to anyone. Order allow,deny Allow from All # Enable Kerberos authentication using mod_auth_kerb. AuthType Kerberos AuthName “us.example.org KrbAuthRealms us.example.org # I have tried both with and without the following line: KrbServiceName HTTP/us.example.org Krb5Keytab /usr/local/etc/apache22/repo-test.keytab KrbMethodNegotiate on KrbSaveCredentials on KrbVerifyKDC on KrbServiceName Any # I have tried with and without this line: KrbMethodk5Passwd on Require valid-user /Location I'm not sure why it's not working for you. Here's a snippet from my config: SetEnv GIT_HTTP_EXPORT_ALL 1 SetEnv REMOTE_USER $REDIRECT_REMOTE_USER AuthType Kerberos AuthName Kerberos Login KrbMethodNegotiate on KrbMethodK5Passwd off KrbAuthRealms CRUSTYTOOTHPASTE.NET Krb5Keytab /etc/krb5.apache.keytab When I was testing, I set KrbMethodK5Passwd to on and it did in fact work. I'm using Debian's Apache 2.4.10-9 with mod_auth_kerb 5.4-2.2. That didn’t seem to help, but perhaps the patching is the issue. N�r��yb�X��ǧv�^�){.n�+ا���ܨ}���Ơz�j:+v���zZ+��+zf���h���~i���z��w���?��)ߢf
Re: [PATCH v2] remote-curl: fall back to Basic auth if Negotiate fails
On Jan 6, 2015, at 10:31 AM, Dan Langille (dalangil) dalan...@cisco.com wrote: On Jan 5, 2015, at 6:53 PM, brian m. carlson sand...@crustytoothpaste.net wrote: On Mon, Jan 05, 2015 at 09:23:32PM +, Dan Langille (dalangil) wrote: I have tried both patches. Neither succeeds here. I patched git version 2.2.1 but I don’t think that affects this. You are patching the client side, correct? That's the side that needs patching here. Yes, I am. Just so the list knows, I will be sending a reroll to the existing patch, but the patches I've posted do indeed work in my testing. I appreciate the patches. I blame something here. The patches don’t t apply cleanly to git-2.2.1 or to the latest git source I just cloned. I had to copy/paste some two chunks in http.c and everything in remote-curl.c. NOTE: I now realize these problems are caused by tabs being converted to spaces when downloading the patch. I’m going to test again.
Re: [PATCH v2] remote-curl: fall back to Basic auth if Negotiate fails
On Jan 6, 2015, at 10:31 AM, Dan Langille (dalangil) dalan...@cisco.com wrote: On Jan 5, 2015, at 6:53 PM, brian m. carlson sand...@crustytoothpaste.net wrote: On Mon, Jan 05, 2015 at 09:23:32PM +, Dan Langille (dalangil) wrote: I have tried both patches. Neither succeeds here. I patched git version 2.2.1 but I don’t think that affects this. You are patching the client side, correct? That's the side that needs patching here. Yes, I am. Just so the list knows, I will be sending a reroll to the existing patch, but the patches I've posted do indeed work in my testing. I appreciate the patches. I blame something here. The patches don’t t apply cleanly to git-2.2.1 or to the latest git source I just cloned. I had to copy/paste some two chunks in http.c and everything in remote-curl.c. I tried again, with a proper copy of your patch. Cleanly patched versions of git 2.2.1 and from a recent clone of the repo both give 'Authentication failed’ when doing a clone without a ticket. I’m sure there’s something here which is at fault. Here is the client side debugging. Is this what is expected? Tested with a clone of git from this morning. [dan@porter93 ~/tmp/tmp]$ ~/src/git/git clone https://us.example.org/git/clamav-bytecode-compiler Cloning into 'clamav-bytecode-compiler'... warning: templates not found /usr/home/dan/share/git-core/templates * Couldn't find host us.example.org in the .netrc file; using defaults * Hostname was NOT found in DNS cache * Trying 10.0.0.1... * Connected to us.example.org (10.0.0.1) port 443 (#0) * successfully set certificate verify locations: * CAfile: /usr/local/share/certs/ca-root-nss.crt CApath: none * SSL connection using TLSv1.0 / DHE-RSA-CAMELLIA256-SHA * Server certificate: *subject: REDACTED *start date: REDACTED *expire date: REDACTED *issuer: REDACTED *SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. GET /git/clamav-bytecode-compiler/info/refs?service=git-upload-pack HTTP/1.1 User-Agent: git/2.2.1.212.gc5b9256.dirty Host: us.example.org Accept: */* Accept-Encoding: gzip Pragma: no-cache HTTP/1.1 401 Authorization Required Date: Tue, 06 Jan 2015 16:02:38 GMT Server: Apache WWW-Authenticate: Negotiate Content-Length: 401 Content-Type: text/html; charset=iso-8859-1 * Connection #0 to host us.example.org left intact Username for 'https://us.example.org': Password for 'https://d...@us.example.org': * Couldn't find host us.example.org in the .netrc file; using defaults * Connection 0 seems to be dead! * Closing connection 0 * Hostname was found in DNS cache * Trying 10.0.0.1... * Connected to us.example.org (10.0.0.1) port 443 (#1) * successfully set certificate verify locations: * CAfile: /usr/local/share/certs/ca-root-nss.crt CApath: none * SSL re-using session ID * SSL connection using TLSv1.0 / DHE-RSA-CAMELLIA256-SHA * Server certificate: *subject: REDACTED *start date: REDACTED *expire date: REDACTED *issuer: REDACTED *SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. GET /git/clamav-bytecode-compiler/info/refs?service=git-upload-pack HTTP/1.1 User-Agent: git/2.2.1.212.gc5b9256.dirty Host: us.example.org Accept: */* Accept-Encoding: gzip Pragma: no-cache HTTP/1.1 401 Authorization Required Date: Tue, 06 Jan 2015 16:02:48 GMT Server: Apache WWW-Authenticate: Negotiate Content-Length: 401 Content-Type: text/html; charset=iso-8859-1 * Connection #1 to host us.example.org left intact fatal: Authentication failed for 'https://us.example.org/git/clamav-bytecode-compiler/' [dan@porter93 ~/tmp/tmp]$ N�r��yb�X��ǧv�^�){.n�+ا���ܨ}���Ơz�j:+v���zZ+��+zf���h���~i���z��w���?��)ߢf
Re: [PATCH v2] remote-curl: fall back to Basic auth if Negotiate fails
On Mon, Jan 05, 2015 at 09:23:32PM +, Dan Langille (dalangil) wrote: I have tried both patches. Neither succeeds here. I patched git version 2.2.1 but I don’t think that affects this. You are patching the client side, correct? That's the side that needs patching here. Just so the list knows, I will be sending a reroll to the existing patch, but the patches I've posted do indeed work in my testing. Before I flood the list with debug runs, I wanted to make sure I was testing with an appropriate configuration: Location /git SSLOptions +StdenvVars Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch # By default, allow access to anyone. Order allow,deny Allow from All # Enable Kerberos authentication using mod_auth_kerb. AuthType Kerberos AuthName “us.example.org KrbAuthRealms us.example.org # I have tried both with and without the following line: KrbServiceName HTTP/us.example.org Krb5Keytab /usr/local/etc/apache22/repo-test.keytab KrbMethodNegotiate on KrbSaveCredentials on KrbVerifyKDC on KrbServiceName Any # I have tried with and without this line: KrbMethodk5Passwd on Require valid-user /Location I'm not sure why it's not working for you. Here's a snippet from my config: SetEnv GIT_HTTP_EXPORT_ALL 1 SetEnv REMOTE_USER $REDIRECT_REMOTE_USER AuthType Kerberos AuthName Kerberos Login KrbMethodNegotiate on KrbMethodK5Passwd off KrbAuthRealms CRUSTYTOOTHPASTE.NET Krb5Keytab /etc/krb5.apache.keytab When I was testing, I set KrbMethodK5Passwd to on and it did in fact work. I'm using Debian's Apache 2.4.10-9 with mod_auth_kerb 5.4-2.2. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187 signature.asc Description: Digital signature
Re: [PATCH v2] remote-curl: fall back to Basic auth if Negotiate fails
I’ve found the latest patch. Trying this now. Thanks. — Dan Langille Infrastructure Operations Talos Group Sourcefire, Inc. On Jan 1, 2015, at 2:56 PM, brian m. carlson sand...@crustytoothpaste.net wrote: Apache servers using mod_auth_kerb can be configured to allow the user to authenticate either using Negotiate (using the Kerberos ticket) or Basic authentication (using the Kerberos password). Often, one will want to use Negotiate authentication if it is available, but fall back to Basic authentication if the ticket is missing or expired. However, libcurl will try very hard to use something other than Basic auth, even over HTTPS. If Basic and something else are offered, libcurl will never attempt to use Basic, even if the other option fails. Teach the HTTP client code to stop trying authentication mechanisms that don't use a password (currently Negotiate) after the first failure, since if they failed the first time, they will never succeed. Signed-off-by: brian m. carlson sand...@crustytoothpaste.net --- http.c| 16 http.h| 3 +++ remote-curl.c | 11 ++- 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/http.c b/http.c index 040f362..815194d 100644 --- a/http.c +++ b/http.c @@ -62,6 +62,8 @@ static const char *user_agent; static struct credential cert_auth = CREDENTIAL_INIT; static int ssl_cert_password_required; +/* Should we allow non-password-based authentication (e.g. GSSAPI)? */ +int http_passwordless_auth = 1; static struct curl_slist *pragma_header; static struct curl_slist *no_pragma_header; @@ -986,6 +988,16 @@ static void extract_content_type(struct strbuf *raw, struct strbuf *type, strbuf_addstr(charset, ISO-8859-1); } +void disable_passwordless_auth(struct active_request_slot *slot) +{ +#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY +#define HTTP_AUTH_PASSWORDLESS (CURLAUTH_GSSNEGOTIATE) + curl_easy_setopt(slot-curl, CURLOPT_HTTPAUTH, + CURLAUTH_ANY ~HTTP_AUTH_PASSWORDLESS); +#endif +} + + /* http_request() targets */ #define HTTP_REQUEST_STRBUF 0 #define HTTP_REQUEST_FILE 1 @@ -1035,6 +1047,9 @@ static int http_request(const char *url, curl_easy_setopt(slot-curl, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(slot-curl, CURLOPT_ENCODING, gzip); + if (!http_passwordless_auth) + disable_passwordless_auth(slot); + ret = run_one_slot(slot, results); if (options options-content_type) { @@ -1139,6 +1154,7 @@ static int http_request_reauth(const char *url, } credential_fill(http_auth); + http_passwordless_auth = 0; return http_request(url, result, target, options); } diff --git a/http.h b/http.h index 473179b..71943d3 100644 --- a/http.h +++ b/http.h @@ -98,6 +98,8 @@ extern int handle_curl_result(struct slot_results *results); int run_one_slot(struct active_request_slot *slot, struct slot_results *results); +void disable_passwordless_auth(struct active_request_slot *slot); + #ifdef USE_CURL_MULTI extern void fill_active_slots(void); extern void add_fill_function(void *data, int (*fill)(void *)); @@ -112,6 +114,7 @@ extern int active_requests; extern int http_is_verbose; extern size_t http_post_buffer; extern struct credential http_auth; +extern int http_passwordless_auth; extern char curl_errorstr[CURL_ERROR_SIZE]; diff --git a/remote-curl.c b/remote-curl.c index dd63bc2..4ca5447 100644 --- a/remote-curl.c +++ b/remote-curl.c @@ -467,6 +467,9 @@ static int probe_rpc(struct rpc_state *rpc, struct slot_results *results) curl_easy_setopt(slot-curl, CURLOPT_WRITEFUNCTION, fwrite_buffer); curl_easy_setopt(slot-curl, CURLOPT_FILE, buf); + if (!http_passwordless_auth) + disable_passwordless_auth(slot); + err = run_slot(slot, results); curl_slist_free_all(headers); @@ -510,8 +513,10 @@ static int post_rpc(struct rpc_state *rpc) do { err = probe_rpc(rpc, results); - if (err == HTTP_REAUTH) + if (err == HTTP_REAUTH) { credential_fill(http_auth); + http_passwordless_auth = 0; + } } while (err == HTTP_REAUTH); if (err != HTTP_OK) return -1; @@ -533,6 +538,9 @@ retry: curl_easy_setopt(slot-curl, CURLOPT_URL, rpc-service_url); curl_easy_setopt(slot-curl, CURLOPT_ENCODING, gzip); + if (!http_passwordless_auth) + disable_passwordless_auth(slot); + if (large_request) { /* The request body is large and the size cannot be predicted. * We must use chunked encoding to send it. @@ -617,6 +625,7 @@ retry: err = run_slot(slot, NULL); if (err == HTTP_REAUTH !large_request) {
Re: [PATCH v2] remote-curl: fall back to Basic auth if Negotiate fails
I have tried both patches. Neither succeeds here. I patched git version 2.2.1 but I don’t think that affects this. Before I flood the list with debug runs, I wanted to make sure I was testing with an appropriate configuration: Location /git SSLOptions +StdenvVars Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch # By default, allow access to anyone. Order allow,deny Allow from All # Enable Kerberos authentication using mod_auth_kerb. AuthType Kerberos AuthName “us.example.org KrbAuthRealms us.example.org # I have tried both with and without the following line: KrbServiceName HTTP/us.example.org Krb5Keytab /usr/local/etc/apache22/repo-test.keytab KrbMethodNegotiate on KrbSaveCredentials on KrbVerifyKDC on KrbServiceName Any # I have tried with and without this line: KrbMethodk5Passwd on Require valid-user /Location With a valid ticket, the above works for a git clone. — Dan Langille Infrastructure Operations Talos Group Sourcefire, Inc. On Jan 1, 2015, at 2:56 PM, brian m. carlson sand...@crustytoothpaste.net wrote: Apache servers using mod_auth_kerb can be configured to allow the user to authenticate either using Negotiate (using the Kerberos ticket) or Basic authentication (using the Kerberos password). Often, one will want to use Negotiate authentication if it is available, but fall back to Basic authentication if the ticket is missing or expired. However, libcurl will try very hard to use something other than Basic auth, even over HTTPS. If Basic and something else are offered, libcurl will never attempt to use Basic, even if the other option fails. Teach the HTTP client code to stop trying authentication mechanisms that don't use a password (currently Negotiate) after the first failure, since if they failed the first time, they will never succeed. Signed-off-by: brian m. carlson sand...@crustytoothpaste.net --- http.c| 16 http.h| 3 +++ remote-curl.c | 11 ++- 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/http.c b/http.c index 040f362..815194d 100644 --- a/http.c +++ b/http.c @@ -62,6 +62,8 @@ static const char *user_agent; static struct credential cert_auth = CREDENTIAL_INIT; static int ssl_cert_password_required; +/* Should we allow non-password-based authentication (e.g. GSSAPI)? */ +int http_passwordless_auth = 1; static struct curl_slist *pragma_header; static struct curl_slist *no_pragma_header; @@ -986,6 +988,16 @@ static void extract_content_type(struct strbuf *raw, struct strbuf *type, strbuf_addstr(charset, ISO-8859-1); } +void disable_passwordless_auth(struct active_request_slot *slot) +{ +#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY +#define HTTP_AUTH_PASSWORDLESS (CURLAUTH_GSSNEGOTIATE) + curl_easy_setopt(slot-curl, CURLOPT_HTTPAUTH, + CURLAUTH_ANY ~HTTP_AUTH_PASSWORDLESS); +#endif +} + + /* http_request() targets */ #define HTTP_REQUEST_STRBUF 0 #define HTTP_REQUEST_FILE 1 @@ -1035,6 +1047,9 @@ static int http_request(const char *url, curl_easy_setopt(slot-curl, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(slot-curl, CURLOPT_ENCODING, gzip); + if (!http_passwordless_auth) + disable_passwordless_auth(slot); + ret = run_one_slot(slot, results); if (options options-content_type) { @@ -1139,6 +1154,7 @@ static int http_request_reauth(const char *url, } credential_fill(http_auth); + http_passwordless_auth = 0; return http_request(url, result, target, options); } diff --git a/http.h b/http.h index 473179b..71943d3 100644 --- a/http.h +++ b/http.h @@ -98,6 +98,8 @@ extern int handle_curl_result(struct slot_results *results); int run_one_slot(struct active_request_slot *slot, struct slot_results *results); +void disable_passwordless_auth(struct active_request_slot *slot); + #ifdef USE_CURL_MULTI extern void fill_active_slots(void); extern void add_fill_function(void *data, int (*fill)(void *)); @@ -112,6 +114,7 @@ extern int active_requests; extern int http_is_verbose; extern size_t http_post_buffer; extern struct credential http_auth; +extern int http_passwordless_auth; extern char curl_errorstr[CURL_ERROR_SIZE]; diff --git a/remote-curl.c b/remote-curl.c index dd63bc2..4ca5447 100644 --- a/remote-curl.c +++ b/remote-curl.c @@ -467,6 +467,9 @@ static int probe_rpc(struct rpc_state *rpc, struct slot_results *results) curl_easy_setopt(slot-curl, CURLOPT_WRITEFUNCTION, fwrite_buffer); curl_easy_setopt(slot-curl, CURLOPT_FILE, buf); + if (!http_passwordless_auth) + disable_passwordless_auth(slot); + err = run_slot(slot, results); curl_slist_free_all(headers); @@ -510,8 +513,10 @@ static int post_rpc(struct rpc_state *rpc) do {
Re: [PATCH v2] remote-curl: fall back to Basic auth if Negotiate fails
On Thu, Jan 01, 2015 at 07:56:27PM +, brian m. carlson wrote: +void disable_passwordless_auth(struct active_request_slot *slot) +{ +#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY +#define HTTP_AUTH_PASSWORDLESS (CURLAUTH_GSSNEGOTIATE) + curl_easy_setopt(slot-curl, CURLOPT_HTTPAUTH, + CURLAUTH_ANY ~HTTP_AUTH_PASSWORDLESS); +#endif +} I like that you are trying to put a layer of abstraction around what passwordless means here, but it seems like there are two layers. The function itself abstracts the idea, and then there is an extra HTTP_AUTH_PASSWORDLESS macro. Since the concept is already confined to this function and used only once, it might be more readable to simply get rid of HTTP_AUTH_PASSWORD. @@ -1035,6 +1047,9 @@ static int http_request(const char *url, curl_easy_setopt(slot-curl, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(slot-curl, CURLOPT_ENCODING, gzip); + if (!http_passwordless_auth) + disable_passwordless_auth(slot); + ret = run_one_slot(slot, results); if (options options-content_type) { @@ -1139,6 +1154,7 @@ static int http_request_reauth(const char *url, } credential_fill(http_auth); + http_passwordless_auth = 0; return http_request(url, result, target, options); } This pattern gets repeated in several places. Now that http_passwordless_auth is a global, can we handle it automatically for the callers, as below (which, aside from compiling, is completely untested by me)? Note that this is in a slightly different boat than credential_fill. Ideally we would also handle picking up credentials on behalf of the callers of get_curl_handle/handle_curl_result. But that may involve significant work and/or prompting the user, which we _must_ avoid if we do not know if we are going to retry the request (and only the caller knows that for sure). However, in the case of http_passwordless_auth, we are just setting a flag, so it's OK to do it preemptively. diff --git a/http.c b/http.c index 040f362..2bbcdf1 100644 --- a/http.c +++ b/http.c @@ -62,6 +62,8 @@ static const char *user_agent; static struct credential cert_auth = CREDENTIAL_INIT; static int ssl_cert_password_required; +/* Should we allow non-password-based authentication (e.g. GSSAPI)? */ +static int http_passwordless_auth = 1; static struct curl_slist *pragma_header; static struct curl_slist *no_pragma_header; @@ -318,7 +320,12 @@ static CURL *get_curl_handle(void) curl_easy_setopt(result, CURLOPT_NETRC, CURL_NETRC_OPTIONAL); #endif #ifdef LIBCURL_CAN_HANDLE_AUTH_ANY - curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY); + { + int flags = CURLAUTH_ANY; + if (!http_passwordless_auth) + flags = ~CURLAUTH_GSSNEGOTIATE; + curl_easy_setopt(result, CURLOPT_HTTPAUTH, flags); + } #endif if (http_proactive_auth) @@ -870,6 +877,7 @@ int handle_curl_result(struct slot_results *results) credential_reject(http_auth); return HTTP_NOAUTH; } else { + http_passwordless_auth = 0; return HTTP_REAUTH; } } else { Note that you could probably drop http_passwordless_auth completely, and just keep a: static int http_auth_methods = CURLAUTH_ANY; and then drop CURLAUTH_GSSNEGOTIATE from it instead of setting the passwordless_auth flag to 0 (again, it happens in one place, so I don't know that it needs an extra layer of abstraction). -Peff -- To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2] remote-curl: fall back to Basic auth if Negotiate fails
On Sat, Jan 03, 2015 at 06:19:23AM -0500, Jeff King wrote: This pattern gets repeated in several places. Now that http_passwordless_auth is a global, can we handle it automatically for the callers, as below (which, aside from compiling, is completely untested by me)? This looks good (although I haven't tested it). Note that this is in a slightly different boat than credential_fill. Ideally we would also handle picking up credentials on behalf of the callers of get_curl_handle/handle_curl_result. But that may involve significant work and/or prompting the user, which we _must_ avoid if we do not know if we are going to retry the request (and only the caller knows that for sure). However, in the case of http_passwordless_auth, we are just setting a flag, so it's OK to do it preemptively. Right. We already prompt the user for a username and password in that case, so we already have the credentials that we need. diff --git a/http.c b/http.c index 040f362..2bbcdf1 100644 --- a/http.c +++ b/http.c @@ -62,6 +62,8 @@ static const char *user_agent; static struct credential cert_auth = CREDENTIAL_INIT; static int ssl_cert_password_required; +/* Should we allow non-password-based authentication (e.g. GSSAPI)? */ +static int http_passwordless_auth = 1; static struct curl_slist *pragma_header; static struct curl_slist *no_pragma_header; @@ -318,7 +320,12 @@ static CURL *get_curl_handle(void) curl_easy_setopt(result, CURLOPT_NETRC, CURL_NETRC_OPTIONAL); #endif #ifdef LIBCURL_CAN_HANDLE_AUTH_ANY - curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY); + { + int flags = CURLAUTH_ANY; I think this needs to be unsigned long or it can cause undefined behavior, since libcurl uses unsigned long in the flags. I'll fix that up when I reroll. I'll need your sign-off since it will essentially be your work. + if (!http_passwordless_auth) + flags = ~CURLAUTH_GSSNEGOTIATE; + curl_easy_setopt(result, CURLOPT_HTTPAUTH, flags); + } #endif if (http_proactive_auth) @@ -870,6 +877,7 @@ int handle_curl_result(struct slot_results *results) credential_reject(http_auth); return HTTP_NOAUTH; } else { + http_passwordless_auth = 0; return HTTP_REAUTH; } } else { Note that you could probably drop http_passwordless_auth completely, and just keep a: static int http_auth_methods = CURLAUTH_ANY; and then drop CURLAUTH_GSSNEGOTIATE from it instead of setting the passwordless_auth flag to 0 (again, it happens in one place, so I don't know that it needs an extra layer of abstraction). This does seem to handle both cases well. It also has the pleasant side effect of being static. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187 signature.asc Description: Digital signature
Re: [PATCH v2] remote-curl: fall back to Basic auth if Negotiate fails
On Sat, Jan 03, 2015 at 05:45:09PM +, brian m. carlson wrote: +{ +int flags = CURLAUTH_ANY; I think this needs to be unsigned long or it can cause undefined behavior, since libcurl uses unsigned long in the flags. I'll fix that up when I reroll. I'll need your sign-off since it will essentially be your work. I think curl typically uses signed long for flags, but certainly check the docs to be sure. I was thinking it would be integer-promoted in this case, but I'm not sure that works always (certainly it does not if CURLAUTH_ANY needs high bits, but depending on how curl_easy_setopt is implemented, it may also be implicitly cast as a pointer or something). And certainly you can have my signoff: Signed-off-by: Jeff King p...@peff.net -Peff -- To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH v2] remote-curl: fall back to Basic auth if Negotiate fails
Apache servers using mod_auth_kerb can be configured to allow the user to authenticate either using Negotiate (using the Kerberos ticket) or Basic authentication (using the Kerberos password). Often, one will want to use Negotiate authentication if it is available, but fall back to Basic authentication if the ticket is missing or expired. However, libcurl will try very hard to use something other than Basic auth, even over HTTPS. If Basic and something else are offered, libcurl will never attempt to use Basic, even if the other option fails. Teach the HTTP client code to stop trying authentication mechanisms that don't use a password (currently Negotiate) after the first failure, since if they failed the first time, they will never succeed. Signed-off-by: brian m. carlson sand...@crustytoothpaste.net --- http.c| 16 http.h| 3 +++ remote-curl.c | 11 ++- 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/http.c b/http.c index 040f362..815194d 100644 --- a/http.c +++ b/http.c @@ -62,6 +62,8 @@ static const char *user_agent; static struct credential cert_auth = CREDENTIAL_INIT; static int ssl_cert_password_required; +/* Should we allow non-password-based authentication (e.g. GSSAPI)? */ +int http_passwordless_auth = 1; static struct curl_slist *pragma_header; static struct curl_slist *no_pragma_header; @@ -986,6 +988,16 @@ static void extract_content_type(struct strbuf *raw, struct strbuf *type, strbuf_addstr(charset, ISO-8859-1); } +void disable_passwordless_auth(struct active_request_slot *slot) +{ +#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY +#define HTTP_AUTH_PASSWORDLESS (CURLAUTH_GSSNEGOTIATE) + curl_easy_setopt(slot-curl, CURLOPT_HTTPAUTH, +CURLAUTH_ANY ~HTTP_AUTH_PASSWORDLESS); +#endif +} + + /* http_request() targets */ #define HTTP_REQUEST_STRBUF0 #define HTTP_REQUEST_FILE 1 @@ -1035,6 +1047,9 @@ static int http_request(const char *url, curl_easy_setopt(slot-curl, CURLOPT_HTTPHEADER, headers); curl_easy_setopt(slot-curl, CURLOPT_ENCODING, gzip); + if (!http_passwordless_auth) + disable_passwordless_auth(slot); + ret = run_one_slot(slot, results); if (options options-content_type) { @@ -1139,6 +1154,7 @@ static int http_request_reauth(const char *url, } credential_fill(http_auth); + http_passwordless_auth = 0; return http_request(url, result, target, options); } diff --git a/http.h b/http.h index 473179b..71943d3 100644 --- a/http.h +++ b/http.h @@ -98,6 +98,8 @@ extern int handle_curl_result(struct slot_results *results); int run_one_slot(struct active_request_slot *slot, struct slot_results *results); +void disable_passwordless_auth(struct active_request_slot *slot); + #ifdef USE_CURL_MULTI extern void fill_active_slots(void); extern void add_fill_function(void *data, int (*fill)(void *)); @@ -112,6 +114,7 @@ extern int active_requests; extern int http_is_verbose; extern size_t http_post_buffer; extern struct credential http_auth; +extern int http_passwordless_auth; extern char curl_errorstr[CURL_ERROR_SIZE]; diff --git a/remote-curl.c b/remote-curl.c index dd63bc2..4ca5447 100644 --- a/remote-curl.c +++ b/remote-curl.c @@ -467,6 +467,9 @@ static int probe_rpc(struct rpc_state *rpc, struct slot_results *results) curl_easy_setopt(slot-curl, CURLOPT_WRITEFUNCTION, fwrite_buffer); curl_easy_setopt(slot-curl, CURLOPT_FILE, buf); + if (!http_passwordless_auth) + disable_passwordless_auth(slot); + err = run_slot(slot, results); curl_slist_free_all(headers); @@ -510,8 +513,10 @@ static int post_rpc(struct rpc_state *rpc) do { err = probe_rpc(rpc, results); - if (err == HTTP_REAUTH) + if (err == HTTP_REAUTH) { credential_fill(http_auth); + http_passwordless_auth = 0; + } } while (err == HTTP_REAUTH); if (err != HTTP_OK) return -1; @@ -533,6 +538,9 @@ retry: curl_easy_setopt(slot-curl, CURLOPT_URL, rpc-service_url); curl_easy_setopt(slot-curl, CURLOPT_ENCODING, gzip); + if (!http_passwordless_auth) + disable_passwordless_auth(slot); + if (large_request) { /* The request body is large and the size cannot be predicted. * We must use chunked encoding to send it. @@ -617,6 +625,7 @@ retry: err = run_slot(slot, NULL); if (err == HTTP_REAUTH !large_request) { credential_fill(http_auth); + http_passwordless_auth = 0; goto retry; } if (err != HTTP_OK) -- 2.2.1.209.g41e5f3a -- To unsubscribe from this list: send the line unsubscribe git in