From: Junio C Hamano <gitster@pobox•com>
To: "brian m. carlson" <sandals@crustytoothpaste•net>
Cc: Dmitry Vilkov <dmitry.a.vilkov@gmail•com>, git@vger•kernel.org
Subject: Re: [PATCH] remote-curl: don't fall back to Basic auth if we haven't tried Negotiate
Date: Fri, 05 Feb 2016 13:02:58 -0800
Message-ID: <xmqqa8nedg59.fsf@gitster.mtv.corp.google.com>
In-Reply-To: <20160205204648.GA7403@vauxhall.crustytoothpaste.net> (brian m. carlson's message of "Fri, 5 Feb 2016 20:46:48 +0000")

"brian m. carlson" <sandals@crustytoothpaste•net> writes:

> On Fri, Feb 05, 2016 at 12:18:22PM +0300, Dmitry Vilkov wrote:
>> You are right, we are using a bare URL (without a username component).
>> With username encoded in URL everything works just fine. But it's
>> generally wrong to pass creds in URL (in my opinion) and security
>> policy of my employer prohibits doing such a thing.
>> Anyway, as you said libcurl needs valid (not NULL) username/password
>> to do GSS-Negotiate, so there is nothing wrong if I set empty
>> username/password combination when git prompts for creds. Even more,
>> there is no other way to let libcurl use GSS-Negotiate without
>> username in URL.
>
> You can literally do https://:@git.crustytoothpaste.net/git/repo.git as
> the URL, and that will work. GSS-Negotiate using Kerberos passes the
> ticket, which contains the principal name in it, so an actual username
> and password is not needed at all. libcurl just needs something to tell
> it to do authentication.

Hmph, so documenting that <emptyname>:<emptypassword>@<repository>
as a supported way might be an ugly-looking solution to the original
problem. A less ugly-looking solution might be a boolean that can
be set per URL (we already have urlmatch-config infrastructure to
help us do so) to tell us to pass the empty credential to libcurl,
bypassing the step to ask the user for password that we do not use.

The end-result of either of these solutions would strictly be better
than the patch we discussed in that the end user will not have to
interact with the prompt at all, right?
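
The thread distinguishes a bare URL, the empty `:@` userinfo form, and a URL that carries real credentials (which the reporter's employer prohibits). As an added illustration, not code from Git or from this thread, the sketch below classifies HTTP(S) remote URLs along those lines and reports only the ones that embed a password, with the secret masked; the function names and the `git.example.org` URLs are constructed for the example.

```python
from urllib.parse import urlsplit


def classify_remote_url(url):
    """Classify the userinfo component of an HTTP(S) Git remote URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "not-http"           # Negotiate/Basic are HTTP auth schemes
    user, password = parts.username, parts.password
    if user is None and password is None:
        return "bare"               # no userinfo at all: Git prompts the user
    if not user and not password:
        return "empty-userinfo"     # the https://:@host/ form: no secret in the URL
    if password:
        return "embedded-password"  # a secret is stored in the URL itself
    return "username-only"


def redact(url):
    """Return the URL with any password replaced by '***' (safe to log)."""
    parts = urlsplit(url)
    if not parts.password:
        return url
    host = parts.netloc.rpartition("@")[2]
    return parts._replace(netloc=f"{parts.username}:***@{host}").geturl()


def audit(urls):
    """Return redacted copies of the URLs that embed a password."""
    return [redact(u) for u in urls
            if classify_remote_url(u) == "embedded-password"]


# Constructed sample remotes (hypothetical hosts and credentials).
SAMPLE_REMOTES = [
    "https://git.example.org/git/repo.git",
    "https://:@git.example.org/git/repo.git",
    "https://alice@git.example.org/git/repo.git",
    "https://alice:s3cret@git.example.org/git/repo.git",
    "ssh://git@git.example.org/git/repo.git",
]

if __name__ == "__main__":
    for remote in SAMPLE_REMOTES:
        print(f"{classify_remote_url(remote):18} {redact(remote)}")
```
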