From: "Matthew John Cheetham via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: gitster@pobox.com, johannes.schindelin@gmx.de,
Matthew John Cheetham <mjcheetham@outlook.com>
Subject: [PATCH 0/3] http: fix emptyAuth=auto for Negotiate/SPNEGO
Date: Thu, 16 Apr 2026 09:20:56 +0000 [thread overview]
Message-ID: <pull.2087.git.1776331259.gitgitgadget@gmail.com> (raw)
When a server advertises Negotiate (SPNEGO) authentication alongside Basic,
the "auto" mode of http.emptyAuth should allow libcurl to attempt Kerberos
authentication using the system ticket cache before falling back to
credential_fill(). Currently this never happens due to an interaction
between two older features.
The Negotiate-stripping logic from 4dbe66464b (remote-curl: fall back to
Basic auth if Negotiate fails, 2015-01-08) removes CURLAUTH_GSSNEGOTIATE on
the first 401, before the auto-detection from 40a18fc77c (http: add an
"auto" mode for http.emptyauth, 2017-02-25) gets a chance to see it as an
"exotic" method. The result is that auto mode silently degrades to the same
behavior as emptyAuth=false for any server whose only non-Basic/Digest
method is Negotiate, forcing Kerberos users to manually set
http.emptyAuth=true to get seamless ticket-based authentication.
This series fixes the interaction by delaying the Negotiate stripping in
auto mode by one round-trip, giving empty auth a chance to use the system
Kerberos ticket. If there is no valid ticket, Negotiate is stripped on the
second 401 and we fall through to credential_fill() as before. The true and
false modes are unchanged.
Patch 1: Extract a http_reauth_prepare() helper from the three retry paths
that call credential_fill() on HTTP_REAUTH. Pure refactor, no behavior
change.
Patch 2: Delay the GSSNEGOTIATE stripping in auto mode and teach
http_reauth_prepare() to skip credential_fill() when empty auth should be
attempted first.
Patch 3: Add tests verifying that auto mode produces an extra round-trip
(empty auth attempt) compared to false mode, using the existing
nph-custom-auth.sh CGI infrastructure.
There is a trade-off in auto mode: when a server advertises Negotiate but
the client has no valid Kerberos ticket, there is one extra round-trip
compared to the current behavior. This matches the trade-off already
documented in 40a18fc77c. Users who want to avoid it can set
http.emptyAuth=false.
Note: this patch series was taken early into Git for Windows for the
2.54.0-rc2 release.
https://github.com/git-for-windows/git/commit/8e94b65c003783d7d7b09d9fccdf06a1363e347c
Matthew John Cheetham (3):
http: extract http_reauth_prepare() from retry paths
http: attempt Negotiate auth in http.emptyAuth=auto mode
t5563: add tests for http.emptyAuth with Negotiate
http.c | 32 +++++++++++++++-
http.h | 6 +++
remote-curl.c | 4 +-
t/t5563-simple-http-auth.sh | 74 +++++++++++++++++++++++++++++++++++++
4 files changed, 112 insertions(+), 4 deletions(-)
base-commit: 2b39a27d40682c09ac1c031f099ee602061597cd
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-2087%2Fmjcheetham%2Fspnego-fix-upstream-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-2087/mjcheetham/spnego-fix-upstream-v1
Pull-Request: https://github.com/gitgitgadget/git/pull/2087
--
gitgitgadget
next reply other threads:[~2026-04-16 9:21 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-16 9:20 Matthew John Cheetham via GitGitGadget [this message]
2026-04-16 9:20 ` [PATCH 1/3] http: extract http_reauth_prepare() from retry paths Matthew John Cheetham via GitGitGadget
2026-04-16 16:21 ` Junio C Hamano
2026-04-16 9:20 ` [PATCH 2/3] http: attempt Negotiate auth in http.emptyAuth=auto mode Matthew John Cheetham via GitGitGadget
2026-04-16 16:40 ` Junio C Hamano
2026-04-28 14:38 ` Matthew John Cheetham
[not found] ` <xmqqse8dz4pi.fsf@gitster.g>
2026-04-30 10:53 ` Matthew John Cheetham
2026-04-16 9:20 ` [PATCH 3/3] t5563: add tests for http.emptyAuth with Negotiate Matthew John Cheetham via GitGitGadget
2026-04-30 10:54 ` [PATCH v2 0/4] http: fix emptyAuth=auto for Negotiate/SPNEGO Matthew John Cheetham via GitGitGadget
2026-04-30 10:54 ` [PATCH v2 1/4] http: extract http_reauth_prepare() from retry paths Matthew John Cheetham via GitGitGadget
2026-04-30 10:54 ` [PATCH v2 2/4] http: attempt Negotiate auth in http.emptyAuth=auto mode Matthew John Cheetham via GitGitGadget
2026-04-30 10:54 ` [PATCH v2 3/4] t5563: add tests for http.emptyAuth with Negotiate Matthew John Cheetham via GitGitGadget
2026-04-30 10:54 ` [PATCH v2 4/4] doc: clarify http.emptyAuth values Matthew John Cheetham via GitGitGadget
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=pull.2087.git.1776331259.gitgitgadget@gmail.com \
--to=gitgitgadget@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=johannes.schindelin@gmx.de \
--cc=mjcheetham@outlook.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.