Re: git-core: please support GSS-Negotiate authentication for http

Re: git-core: please support GSS-Negotiate authentication for http

[Jonathan Nieder]

[-- Attachment #1: Type: text/plain, Size: 260 bytes --]

Hi transport experts,

This report came in a couple of months ago; I was thinking of trying
to reproduce it, but that was silly, since it is way over my head.  It
seems that some HTTP authentication scheme is not working well in some
circumstance. ;-)

Ideas?

[-- Attachment #2: Type: message/rfc822, Size: 7027 bytes --]

[-- Attachment #2.1.1: Type: text/plain, Size: 3522 bytes --]

On Sun, May 16, 2010 at 06:45:33AM -0500, Jonathan Nieder wrote:
> reassign 472073 git git-core/1:1.5.4.4-1
> tags 472073 + upstream
> quit
> 
> Hi Brian,
> 
> brian m. carlson wrote:
> 
> > My webserver supports Kerberos 5 and DAV, but for the obvious
> > reason, DAV is only allowed with Kerberos (GSS-Negotiate)
> > authentication.  It would be nice if I could use GSS-Negotiate with
> > git, since it is supported by libcurl.
> 
> I do not know how to check this, but could you try with version 1.7.0
> or 1.7.1?  The patch v1.7.0-rc0~108^2~2 (Add an option for using any
> HTTP authentication scheme, not only basic, 2009-11-27[1]) and its
> companion patch v1.7.0-rc0~108^2 (Remove http.authAny[2]) seem
> relevant.

It doesn't seem to work for me:

  lakeview no % git push http://bmc@castro.crustytoothpaste.net/dump/css.git master
  Password: 
  Password: 
  error: The requested URL returned error: 401 while accessing http://bmc@castro.crustytoothpaste.net/dump/css.git/info/refs
  
  error: The requested URL returned error: 401 while accessing http://bmc@castro.crustytoothpaste.net/dump/css.git/objects/info/packs
  
  Unable to create branch path http://bmc@castro.crustytoothpaste.net/dump/css.git/info/
  error: cannot lock existing info/refs
  fatal: git-http-push failed

Also, here's part of the log from the web server:

  172.16.2.249 - - [28/May/2010:13:44:20 +0000] "GET /dump/css.git/info/refs?service=git-receive-pack HTTP/1.1" 401 720 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:20 +0000] "GET /dump/css.git/info/refs HTTP/1.1" 401 720 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:24 +0000] "GET /dump/css.git/info/refs?service=git-receive-pack HTTP/1.1" 401 720 "-" "git/1.7.1"
  172.16.2.249 - bmc@CRUSTYTOOTHPASTE.NET [28/May/2010:13:44:24 +0000] "GET /dump/css.git/info/refs?service=git-receive-pack HTTP/1.1" 200 307 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:24 +0000] "GET /dump/css.git/HEAD HTTP/1.1" 401 720 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:25 +0000] "PROPFIND /dump/css.git/ HTTP/1.1" 401 720 "-" "git/1.7.1"
  172.16.2.249 - bmc@CRUSTYTOOTHPASTE.NET [28/May/2010:13:44:25 +0000] "PROPFIND /dump/css.git/ HTTP/1.1" 207 767 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:25 +0000] "HEAD /dump/css.git/info/refs HTTP/1.1" 401 205 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:25 +0000] "HEAD /dump/css.git/objects/info/packs HTTP/1.1" 401 205 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:25 +0000] "MKCOL /dump/css.git/info/ HTTP/1.1" 401 720 "-" "git/1.7.1"

Notice that only for certain requests does git use authentication.  It
needs to use authentication for every request, since access to /dump/ is
only allowed to valid users using Kerberos (for all requests).

Also note that git prompts for a password when one is not needed; this
is probably part of the curl bug noted in the manpage:

  When using this option, you must also provide a fake -u/--user option
  to activate the authentication code properly. Sending a '-u :' is
  enough as the user name and password from the -u option aren't
  actually used.

Using "bmc:@" instead of "bmc@" in the URI makes no difference.  If you
need me to do more testing, please let me know.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

[-- Attachment #2.1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]