* git/webdav is refusing to authenticate properly.
From: Peter Spierenburg @ 2009-01-12 21:54 UTC (permalink / raw)
To: git
Greetings,
I'm trying to push a local git repository to a remote site using
WebDAV, but it is eating my lunch.
My first attempt includes a username but no password in the url:
$ git-config remote.upload.url
http://peter@spierepf.dyndns.org/git/ToastMeister.git/
$ git push upload master
Fetching remote heads...
refs/
refs/tags/
refs/heads/
updating 'refs/heads/master'
from 0000000000000000000000000000000000000000
to 0f5f3df5e289b5696d7319dcfabc2383192f306a
Unable to create branch path
http://peter@spierepf.dyndns.org/git/ToastMeister.git/refs
Unable to lock remote branch refs/heads/master
error: failed to push some refs to
'http://peter@spierepf.dyndns.org/git/ToastMeister.git/'
What surprises me here is that git never asks for a password, so
naturally, my apache webserver will refuse the request:
==> /var/log/apache2/access.log <==
208.38.1.1 - - [12/Jan/2009:11:52:07 -0700] "PROPFIND
/git/ToastMeister.git/ HTTP/1.1" 207 569 "-" "git/1.5.6.3"
208.38.1.1 - - [12/Jan/2009:11:52:08 -0700] "HEAD
/git/ToastMeister.git/info/refs HTTP/1.1" 404 - "-" "git/1.5.6.3"
208.38.1.1 - - [12/Jan/2009:11:52:08 -0700] "HEAD
/git/ToastMeister.git/objects/info/packs HTTP/1.1" 404 - "-"
"git/1.5.6.3"
==> /var/log/apache2/error.log <==
[Mon Jan 12 11:52:08 2009] [error] [client 208.38.1.1] File does not
exist: /var/www/git/ToastMeister.git/info/refs
[Mon Jan 12 11:52:08 2009] [error] [client 208.38.1.1] File does not
exist: /var/www/git/ToastMeister.git/objects/info/packs
==> /var/log/apache2/access.log <==
208.38.1.1 - - [12/Jan/2009:11:52:08 -0700] "PROPFIND
/git/ToastMeister.git/refs/ HTTP/1.1" 207 2587 "-" "git/1.5.6.3"
208.38.1.1 - - [12/Jan/2009:11:52:08 -0700] "PROPFIND
/git/ToastMeister.git/refs/tags/ HTTP/1.1" 207 933 "-" "git/1.5.6.3"
208.38.1.1 - - [12/Jan/2009:11:52:08 -0700] "PROPFIND
/git/ToastMeister.git/refs/heads/ HTTP/1.1" 207 934 "-" "git/1.5.6.3"
208.38.1.1 - peter [12/Jan/2009:11:52:08 -0700] "MKCOL
/git/ToastMeister.git/refs HTTP/1.1" 401 598 "-" "git/1.5.6.3"
==> /var/log/apache2/error.log <==
[Mon Jan 12 11:52:08 2009] [warn] [client 208.38.1.1] [12697]
auth_ldap authenticate: user peter authentication failed; URI
/git/ToastMeister.git/refs [Empty password not allowed][Invalid
credentials]
[Mon Jan 12 11:52:08 2009] [error] [client 208.38.1.1] user peter:
authentication failure for "/git/ToastMeister.git/refs": Password
Mismatch
So next, I'll try adding a password to the URL:
$ git-config remote.upload.url
http://peter:<secret>@spierepf.dyndns.org/git/ToastMeister.git/
$ git push upload master
Fetching remote heads...
refs/
refs/tags/
refs/heads/
updating 'refs/heads/master'
from 0000000000000000000000000000000000000000
to 0f5f3df5e289b5696d7319dcfabc2383192f306a
Unable to create branch path
http://peter:<secret>@spierepf.dyndns.org/git/ToastMeister.git/refs
Unable to lock remote branch refs/heads/master
error: failed to push some refs to
'http://peter:<secret>@spierepf.dyndns.org/git/ToastMeister.git/'
From the client side, the result appears identical, but on the server:
==> /var/log/apache2/access.log <==
208.38.1.1 - - [12/Jan/2009:11:52:50 -0700] "PROPFIND
/git/ToastMeister.git/ HTTP/1.1" 207 581 "-" "git/1.5.6.3"
208.38.1.1 - - [12/Jan/2009:11:52:50 -0700] "HEAD
/git/ToastMeister.git/info/refs HTTP/1.1" 404 - "-" "git/1.5.6.3"
208.38.1.1 - - [12/Jan/2009:11:52:51 -0700] "HEAD
/git/ToastMeister.git/objects/info/packs HTTP/1.1" 404 - "-"
"git/1.5.6.3"
==> /var/log/apache2/error.log <==
[Mon Jan 12 11:52:50 2009] [error] [client 208.38.1.1] File does not
exist: /var/www/git/ToastMeister.git/info/refs
[Mon Jan 12 11:52:51 2009] [error] [client 208.38.1.1] File does not
exist: /var/www/git/ToastMeister.git/objects/info/packs
==> /var/log/apache2/access.log <==
208.38.1.1 - - [12/Jan/2009:11:52:51 -0700] "PROPFIND
/git/ToastMeister.git/refs/ HTTP/1.1" 207 2587 "-" "git/1.5.6.3"
208.38.1.1 - - [12/Jan/2009:11:52:51 -0700] "PROPFIND
/git/ToastMeister.git/refs/tags/ HTTP/1.1" 207 933 "-" "git/1.5.6.3"
208.38.1.1 - - [12/Jan/2009:11:52:51 -0700] "PROPFIND
/git/ToastMeister.git/refs/heads/ HTTP/1.1" 207 934 "-" "git/1.5.6.3"
208.38.1.1 - peter [12/Jan/2009:11:52:51 -0700] "MKCOL
/git/ToastMeister.git/refs HTTP/1.1" 301 458 "-" "git/1.5.6.3"
208.38.1.1 - - [12/Jan/2009:11:52:51 -0700] "MKCOL
/git/ToastMeister.git/refs/ HTTP/1.1" 401 598 "-" "git/1.5.6.3"
It looks like the client is attempting to create a collection that
already exists, gets redirected (301 - Moved Permanently), forgets to
authenticate on the next request, gets denied (401 - Unauthorized),
and gives up.
Any idea why this is happening?
Peter-Frank Spierenburg.
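The redirect-then-401 sequence described in the message above can be picked out of an access log mechanically. This is an added example, not part of the original message or of git: it parses the log lines from the second attempt and flags a request that was redirected while authenticated and then repeated without credentials. The function names and the trailing-slash redirect assumption are illustrative.

```python
import re

# Access-log lines from the second attempt quoted above, with the e-mail
# line wrapping undone (one request per line).
SAMPLE_LOG = """\
208.38.1.1 - - [12/Jan/2009:11:52:51 -0700] "PROPFIND /git/ToastMeister.git/refs/heads/ HTTP/1.1" 207 934 "-" "git/1.5.6.3"
208.38.1.1 - peter [12/Jan/2009:11:52:51 -0700] "MKCOL /git/ToastMeister.git/refs HTTP/1.1" 301 458 "-" "git/1.5.6.3"
208.38.1.1 - - [12/Jan/2009:11:52:51 -0700] "MKCOL /git/ToastMeister.git/refs/ HTTP/1.1" 401 598 "-" "git/1.5.6.3"
"""

LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

REDIRECTS = {301, 302, 307, 308}

def parse(log_text):
    """Yield one dict per parseable access-log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield dict(m.groupdict(), status=int(m.group("status")))

def dropped_auth_after_redirect(log_text):
    """Report requests that were redirected while authenticated and then
    repeated by the same client without credentials, ending in 401."""
    pending = {}   # (host, method, redirect target) -> user on first request
    findings = []
    for rec in parse(log_text):
        key = (rec["host"], rec["method"], rec["path"])
        if rec["status"] in REDIRECTS and rec["user"] != "-":
            # Assumption: the redirect target is the same path plus "/",
            # as in the log above (the Location header is not logged).
            target = rec["path"].rstrip("/") + "/"
            pending[(rec["host"], rec["method"], target)] = rec["user"]
        elif rec["status"] == 401 and rec["user"] == "-" and key in pending:
            findings.append({"client": rec["host"], "method": rec["method"],
                             "path": rec["path"],
                             "user_before_redirect": pending.pop(key)})
    return findings

if __name__ == "__main__":
    for finding in dropped_auth_after_redirect(SAMPLE_LOG):
        print(finding)
```

The first attempt's log does not match, because there the 401 is answered to a request that still carries the user name.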
* Re: git/webdav is refusing to authenticate properly.
From: Johannes Schindelin @ 2009-01-12 23:04 UTC (permalink / raw)
To: Peter Spierenburg; +Cc: git
Hi,
On Mon, 12 Jan 2009, Peter Spierenburg wrote:
> I'm trying to push a local git repository to a remote site using WebDAV,
> but it is eating my lunch.
Please see Documentation/howto/setup-git-server-over-http.txt.
In short, http-push does not ask for a password interactively, but you
have to use .netrc.
Hth,
Dscho
* Re: git/webdav is refusing to authenticate properly.
From: Peter Spierenburg @ 2009-01-13 0:35 UTC (permalink / raw)
Cc: git
C'mon, leave my password 'in-the-clear', in a text file on a networked
box? That is the kind of prank a fourth-year student would try to pull
on a freshman.
How do I really do it?
Peter.
Johannes Schindelin wrote:
> Hi,
>
> On Mon, 12 Jan 2009, Peter Spierenburg wrote:
>
>
>> I'm trying to push a local git repository to a remote site using WebDAV,
>> but it is eating my lunch.
>>
>
> Please see Documentation/howto/setup-git-server-over-http.txt.
>
> In short, http-push does not ask for a password interactively, but you
> have to use .netrc.
>
> Hth,
> Dscho
>
>
* Re: git/webdav is refusing to authenticate properly.
From: Boyd Stephen Smith Jr. @ 2009-01-13 1:53 UTC (permalink / raw)
To: Peter Spierenburg; +Cc: git
On Monday 12 January 2009, Peter Spierenburg
<ionlyusethisaddressforlists@gmail.com> wrote about 'Re: git/webdav is
refusing to authenticate properly.':
>C'mon, leave my password 'in-the-clear', in a text file on a networked
>box? That is the kind of prank a fourth-year student would try to pull
>on a freshman.
>
>How do I really do it?
AFAIK, that's the only way for now.
Personally, I'd welcome a patch that allowed fetch/push to prompt the user
for a password, but I'm not holding my breath. If I want to limit access
to a few users, I serve that repository over ssh and depend on ssh for
authentication and filesystem permissions for authorization.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
* Re: git/webdav is refusing to authenticate properly.
From: Johannes Schindelin @ 2009-01-13 11:11 UTC (permalink / raw)
To: Boyd Stephen Smith Jr.; +Cc: Peter Spierenburg, git
Hi,
On Mon, 12 Jan 2009, Boyd Stephen Smith Jr. wrote:
> On Monday 12 January 2009, Peter Spierenburg
> <ionlyusethisaddressforlists@gmail.com> wrote
>
> >C'mon, leave my password 'in-the-clear', in a text file on a networked
> >box? That is the kind of prank a fourth-year student would try to pull
> >on a freshman.
> >
> >How do I really do it?
>
> AFAIK, that's the only way for now.
Indeed it is.
> Personally, I'd welcome a patch that allowed fetch/push to prompt the
> user for a password, but I'm not holding my breath.
I guess everybody who wants that feature does exactly the same as you.
Oh, and FWIW: trying to ridicule the way Git does it completely misses the
fact that you are using such a ridiculously weak authentication scheme
anyway that you could just as well open the window and shout your password
out loud.
Ciao,
Dscho
P.S.: real security would require you to have public/private key based
client authentication. But that would leave you vulnerable, too, as you
are apparently not on a trustable machine.
P.P.S.: I have access to such a machine, too, but I never push _from_
there. That is relatively safe, as only those who can access my private keys
(and my $HOME/.netrc, BTW, as you seemed to have missed .netrc's 0600
mode) can impersonate me without hassle using sudo anyway.
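An added example, not part of the original thread or of git: a check of the two places this thread stores the password, the remote URL from the first message and a .netrc file, including the 0600 mode mentioned above. The function names are illustrative and the .netrc content is constructed.

```python
import netrc
import os
import stat
import tempfile
from urllib.parse import urlsplit

def audit_remote_url(url):
    """Findings for a git remote URL (e.g. the value of remote.upload.url)."""
    parts = urlsplit(url)
    findings = []
    if parts.password is not None:
        findings.append("password embedded in URL")
    if parts.scheme == "http" and parts.username is not None:
        findings.append("authenticated remote over http (no TLS)")
    return findings

def audit_netrc(path):
    """Report the file mode and which machines have a stored password."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    hosts = netrc.netrc(path).hosts   # machine -> (login, account, password)
    return {
        "mode": "%04o" % mode,
        "private": (mode & 0o077) == 0,        # no group/other access bits
        "machines_with_password": sorted(
            m for m, (_login, _acct, pw) in hosts.items() if pw),
    }

def demo():
    """Run both checks on constructed input: (url findings, before, after)."""
    url = "http://peter:<secret>@spierepf.dyndns.org/git/ToastMeister.git/"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "netrc")        # constructed sample file
        with open(path, "w") as fh:
            fh.write("machine spierepf.dyndns.org login peter "
                     "password example-only\n")
        os.chmod(path, 0o644)                  # too permissive
        before = audit_netrc(path)
        os.chmod(path, 0o600)                  # owner read/write only
        after = audit_netrc(path)
    return audit_remote_url(url), before, after

if __name__ == "__main__":
    print(demo())
```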
* Re: git/webdav is refusing to authenticate properly.
From: Boyd Stephen Smith Jr. @ 2009-01-13 18:20 UTC (permalink / raw)
To: Johannes Schindelin; +Cc: git
On Tuesday 13 January 2009, Johannes Schindelin
<Johannes.Schindelin@gmx.de> wrote about 'Re: git/webdav is refusing to
authenticate properly.':
>Oh, and FWIW: trying to ridicule the way Git does it completely misses
> the fact that you are using such a ridiculously weak authentication
> scheme anyway that you could just as well open the window and shout your
> password out loud.
Using DIGEST auth would help, although it is still quite vulnerable, but I
couldn't convince git to use that either.
I'm pretty sure even PLAIN auth is acceptable (security-wise) if used over
SSL/TLS. It would be really nice for contributors behind oppressive firewalls
if they could push via https and not have their passwords exposed to the
local BOFH. (Who else sets up an oppressive firewall?)
SVN supported it. It would be nice to add it to the list of git features.
Still, it's just not important enough to me right now to make the time to
throw together a PATCH/RFC.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/