From: Jeff King <peff@peff.net>
To: Iain Paton <ipaton0@gmail.com>
Cc: git@vger.kernel.org
Subject: Re: git no longer prompting for password
Date: Sat, 25 Aug 2012 16:39:05 -0400 [thread overview]
Message-ID: <20120825203904.GA10470@sigill.intra.peff.net> (raw)
In-Reply-To: <5038E781.1090008@gmail.com>
On Sat, Aug 25, 2012 at 03:56:01PM +0100, Iain Paton wrote:
> > It's like the initial http requests do not get a 401, and the push
> > proceeds, and then some later request causes a 401 when we do not expect
> > it. Which is doubly odd, since we should also be able to handle that
> > case (the first 401 we get should cause us to ask for a password).
>
> Yes, I deliberately have it set for anonymous pull and authenticated push.
> So the initial contact with the server doesn't ask for auth.
OK, I see what's going on. It looks like it is configured to do so by
rejecting the POST request. So this first request works:
> > GET /git/test.git/info/refs?service=git-receive-pack HTTP/1.1
> User-Agent: git/1.7.8
> Host: 10.44.16.74
> Accept: */*
> Pragma: no-cache
>
> < HTTP/1.1 200 OK
which is the first step of the conversation, in which the client gets
the set of refs from the remote. Then it tries to POST the pack:
> > POST /git/test.git/git-receive-pack HTTP/1.1
> User-Agent: git/1.7.8
> Host: 10.44.16.74
> Accept-Encoding: deflate, gzip
> Content-Type: application/x-git-receive-pack-request
> Accept: application/x-git-receive-pack-result
> Content-Length: 412
>
> * upload completely sent off: 412 out of 412 bytes
> < HTTP/1.1 401 Unauthorized
And we get blocked on that request. I didn't quote it above, but note
how the client actually generates and sends the full pack before being
told "no, you can't do this".
So that explains the output you see; we really are generating and
sending the pack, and only then getting a 401. And it also explains why
git does not prompt and retry; we follow a different code path for POSTs
that does not trigger the retry code.
This is not optimal, as we send the pack data only to find out that we
are not authenticated. There is code to avoid sending the _whole_ pack
(it's the probe_rpc code in remote-curl.c), so I think you'd just be
wasting 64K, which is not too bad. So we could teach git to retry if the
POST fails, and I think it would work OK.
But I don't think there is any reason not to block the push request
right from the first receive-pack request we see, which catches the
issue even earlier, and with less overhead (and of course works with
existing git clients :) ).
> apache config has the following:
> [...]
> <LocationMatch "^/git/.*/git-receive-pack$">
> AuthType Basic
> AuthUserFile /data/git/htpasswd
> AuthGroupfile /data/git/groups
> AuthName "Git Access"
>
> Require group committers
> </LocationMatch>
>
> nothing untoward there I think and google turns up lots of examples where
> people are doing essentially the same thing.
I think your regex is the culprit. The first request comes in with:
> > GET /git/test.git/info/refs?service=git-receive-pack HTTP/1.1
The odd URL is because we are probing to see if the server even supports
smart-http. But note that it does not match your regex above, which
requires "/git-receive-pack". It looks like that is pulled straight from
the git-http-backend manpage. I think the change in v1.7.8 broke people
using that configuration.
I tend to think the right thing is to fix the configuration (both on
your system and in the documentation), but we should probably also fix
git to handle this situation more gracefully, since it used to work and
has been advertised in the documentation for a long time.
-Peff
next prev parent reply other threads:[~2012-08-25 20:39 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-24 20:19 git no longer prompting for password Iain Paton
2012-08-24 21:25 ` Jeff King
[not found] ` <5038E781.1090008@gmail.com>
2012-08-25 20:39 ` Jeff King [this message]
2012-08-26 9:57 ` Iain Paton
2012-08-26 10:13 ` Jeff King
2012-08-26 14:18 ` Iain Paton
2012-08-27 13:21 ` [PATCH 0/8] fix password prompting for "half-auth" servers Jeff King
2012-08-27 13:23 ` [PATCH 1/8] t5550: put auth-required repo in auth/dumb Jeff King
2012-08-27 13:24 ` [PATCH 2/8] t5550: factor out http auth setup Jeff King
2012-08-27 13:24 ` [PATCH 3/8] t/lib-httpd: only route auth/dumb to dumb repos Jeff King
2012-08-27 13:25 ` [PATCH 4/8] t/lib-httpd: recognize */smart/* repos as smart-http Jeff King
2012-08-27 13:25 ` [PATCH 5/8] t: test basic smart-http authentication Jeff King
2012-08-27 13:25 ` [PATCH 6/8] t: test http access to "half-auth" repositories Jeff King
2012-08-27 13:26 ` [PATCH 7/8] http: factor out http error code handling Jeff King
2012-08-28 18:06 ` Junio C Hamano
2012-08-27 13:27 ` [PATCH 8/8] http: prompt for credentials on failed POST Jeff King
2012-08-27 17:48 ` Junio C Hamano
2012-08-27 21:49 ` Jeff King
2012-08-27 23:29 ` Junio C Hamano
2012-08-27 17:14 ` [PATCH 0/8] fix password prompting for "half-auth" servers Junio C Hamano
2012-08-27 8:28 ` git no longer prompting for password Iain Paton
2012-08-27 13:33 ` BJ Hargrave
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120825203904.GA10470@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=ipaton0@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).