Debian Bug report logs - #472073
git-core: please support GSS-Negotiate authentication for http

version graph

Package: libcurl3-gnutls; Maintainer for libcurl3-gnutls is Alessandro Ghedini <ghedo@debian.org>; Source for libcurl3-gnutls is src:curl.

Reported by: "brian m. carlson" <sandals@crustytoothpaste.net>

Date: Fri, 21 Mar 2008 21:39:02 UTC

Severity: normal

Tags: upstream

Found in version curl/7.18.0-1

Fixed in version 7.25.0-1

Done: Jonathan Nieder <jrnieder@gmail.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#472073; Package git-core. Full text and rfc822 format available.

Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
New Bug report received and forwarded. Copy sent to Gerrit Pape <pape@smarden.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: git-core: please support GSS-Negotiate authentication for http
Date: Fri, 21 Mar 2008 21:38:04 +0000
[Message part 1 (text/plain, inline)]
Package: git-core
Version: 1:1.5.4.4-1
Severity: wishlist

My webserver supports Kerberos 5 and DAV, but for the obvious reason, 
DAV is only allowed with Kerberos (GSS-Negotiate) authentication.  It 
would be nice if I could use GSS-Negotiate with git, since it is 
supported by libcurl.

Note that I have attempted to implement this, but failed, so that's why 
I'm not including a patch.  I may try again soon, though.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-rc6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages git-core depends on:
ii  cpio                   2.9-11            GNU cpio -- a program to manage ar
ii  libc6                  2.7-9             GNU C Library: Shared libraries
ii  libcurl3-gnutls        7.18.0-1          Multi-protocol file transfer libra
ii  libdigest-sha1-perl    2.11-2            NIST SHA-1 message digest algorith
ii  liberror-perl          0.17-1            Perl module for error/exception ha
ii  libexpat1              1.95.8-4          XML parsing C library - runtime li
ii  perl-modules           5.8.8-12          Core Perl modules
ii  zlib1g                 1:1.2.3.3.dfsg-11 compression library - runtime

Versions of packages git-core recommends:
ii  curl                          7.18.0-1   Get a file from an HTTP, HTTPS or 
ii  less                          418-1      Pager program similar to more
ii  openssh-client [ssh-client]   1:4.7p1-4  secure shell client, an rlogin/rsh
ii  patch                         2.5.9-4    Apply a diff file to an original
ii  rsync                         3.0.0-2    fast remote file copy program (lik

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#472073; Package git-core. (Sun, 16 May 2010 11:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Nieder <jrnieder@gmail.com>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Sun, 16 May 2010 11:48:03 GMT) Full text and rfc822 format available.

Message #10 received at 472073@bugs.debian.org (full text, mbox):

From: Jonathan Nieder <jrnieder@gmail.com>
To: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Cc: 472073@bugs.debian.org
Subject: Re: git-core: please support GSS-Negotiate authentication for http
Date: Sun, 16 May 2010 06:45:33 -0500
reassign 472073 git git-core/1:1.5.4.4-1
tags 472073 + upstream
quit

Hi Brian,

brian m. carlson wrote:

> My webserver supports Kerberos 5 and DAV, but for the obvious
> reason, DAV is only allowed with Kerberos (GSS-Negotiate)
> authentication.  It would be nice if I could use GSS-Negotiate with
> git, since it is supported by libcurl.

I do not know how to check this, but could you try with version 1.7.0
or 1.7.1?  The patch v1.7.0-rc0~108^2~2 (Add an option for using any
HTTP authentication scheme, not only basic, 2009-11-27[1]) and its
companion patch v1.7.0-rc0~108^2 (Remove http.authAny[2]) seem
relevant.

Thanks,
Jonathan

[1] http://thread.gmane.org/gmane.comp.version-control.git/129451
[2] http://thread.gmane.org/gmane.comp.version-control.git/135735/focus=135742




Bug reassigned from package 'git-core' to 'git'. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Sun, 16 May 2010 11:48:07 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions git-core/1:1.5.4.4-1. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Sun, 16 May 2010 11:48:07 GMT) Full text and rfc822 format available.

Bug Marked as found in versions git-core/1:1.5.4.4-1. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Sun, 16 May 2010 11:48:07 GMT) Full text and rfc822 format available.

Added tag(s) upstream. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Sun, 16 May 2010 11:48:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#472073; Package git. (Fri, 28 May 2010 13:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Fri, 28 May 2010 13:57:03 GMT) Full text and rfc822 format available.

Message #23 received at 472073@bugs.debian.org (full text, mbox):

From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
To: Jonathan Nieder <jrnieder@gmail.com>
Cc: 472073@bugs.debian.org
Subject: Re: git-core: please support GSS-Negotiate authentication for http
Date: Fri, 28 May 2010 13:55:52 +0000
[Message part 1 (text/plain, inline)]
On Sun, May 16, 2010 at 06:45:33AM -0500, Jonathan Nieder wrote:
> reassign 472073 git git-core/1:1.5.4.4-1
> tags 472073 + upstream
> quit
> 
> Hi Brian,
> 
> brian m. carlson wrote:
> 
> > My webserver supports Kerberos 5 and DAV, but for the obvious
> > reason, DAV is only allowed with Kerberos (GSS-Negotiate)
> > authentication.  It would be nice if I could use GSS-Negotiate with
> > git, since it is supported by libcurl.
> 
> I do not know how to check this, but could you try with version 1.7.0
> or 1.7.1?  The patch v1.7.0-rc0~108^2~2 (Add an option for using any
> HTTP authentication scheme, not only basic, 2009-11-27[1]) and its
> companion patch v1.7.0-rc0~108^2 (Remove http.authAny[2]) seem
> relevant.

It doesn't seem to work for me:

  lakeview no % git push http://bmc@castro.crustytoothpaste.net/dump/css.git master
  Password: 
  Password: 
  error: The requested URL returned error: 401 while accessing http://bmc@castro.crustytoothpaste.net/dump/css.git/info/refs
  
  error: The requested URL returned error: 401 while accessing http://bmc@castro.crustytoothpaste.net/dump/css.git/objects/info/packs
  
  Unable to create branch path http://bmc@castro.crustytoothpaste.net/dump/css.git/info/
  error: cannot lock existing info/refs
  fatal: git-http-push failed

Also, here's part of the log from the web server:

  172.16.2.249 - - [28/May/2010:13:44:20 +0000] "GET /dump/css.git/info/refs?service=git-receive-pack HTTP/1.1" 401 720 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:20 +0000] "GET /dump/css.git/info/refs HTTP/1.1" 401 720 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:24 +0000] "GET /dump/css.git/info/refs?service=git-receive-pack HTTP/1.1" 401 720 "-" "git/1.7.1"
  172.16.2.249 - bmc@CRUSTYTOOTHPASTE.NET [28/May/2010:13:44:24 +0000] "GET /dump/css.git/info/refs?service=git-receive-pack HTTP/1.1" 200 307 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:24 +0000] "GET /dump/css.git/HEAD HTTP/1.1" 401 720 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:25 +0000] "PROPFIND /dump/css.git/ HTTP/1.1" 401 720 "-" "git/1.7.1"
  172.16.2.249 - bmc@CRUSTYTOOTHPASTE.NET [28/May/2010:13:44:25 +0000] "PROPFIND /dump/css.git/ HTTP/1.1" 207 767 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:25 +0000] "HEAD /dump/css.git/info/refs HTTP/1.1" 401 205 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:25 +0000] "HEAD /dump/css.git/objects/info/packs HTTP/1.1" 401 205 "-" "git/1.7.1"
  172.16.2.249 - - [28/May/2010:13:44:25 +0000] "MKCOL /dump/css.git/info/ HTTP/1.1" 401 720 "-" "git/1.7.1"

Notice that only for certain requests does git use authentication.  It
needs to use authentication for every request, since access to /dump/ is
only allowed to valid users using Kerberos (for all requests).

Also note that git prompts for a password when one is not needed; this
is probably part of the curl bug noted in the manpage:

  When using this option, you must also provide a fake -u/--user option
  to activate the authentication code properly. Sending a '-u :' is
  enough as the user name and password from the -u option aren't
  actually used.

Using "bmc:@" instead of "bmc@" in the URI makes no difference.  If you
need me to do more testing, please let me know.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
[signature.asc (application/pgp-signature, inline)]

Severity set to 'normal' from 'wishlist' Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Mon, 27 Sep 2010 19:15:32 GMT) Full text and rfc822 format available.

Changed Bug submitter to '"brian m. carlson" <sandals@crustytoothpaste.net>' from '"brian m. carlson" <sandals@crustytoothpaste.ath.cx>' Request was from "brian m. carlson" <sandals@crustytoothpaste.net> to control@bugs.debian.org. (Thu, 03 Feb 2011 20:51:25 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#472073; Package git. (Tue, 10 Apr 2012 18:12:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to sergio <mailbox@sergio.spb.ru>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Tue, 10 Apr 2012 18:12:18 GMT) Full text and rfc822 format available.

Message #32 received at 472073@bugs.debian.org (full text, mbox):

From: sergio <mailbox@sergio.spb.ru>
To: 472073@bugs.debian.org
Subject: fixed
Date: Tue, 10 Apr 2012 21:55:31 +0400
It is curl bug and it's fixed in wheezy and sid. Please close it.

-- 
sergio.




Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#472073; Package git. (Tue, 10 Apr 2012 18:21:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Nieder <jrnieder@gmail.com>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Tue, 10 Apr 2012 18:21:02 GMT) Full text and rfc822 format available.

Message #37 received at 472073@bugs.debian.org (full text, mbox):

From: Jonathan Nieder <jrnieder@gmail.com>
To: sergio <mailbox@sergio.spb.ru>
Cc: 472073@bugs.debian.org, "brian m. carlson" <sandals@crustytoothpaste.net>
Subject: Re: git-core: please support GSS-Negotiate authentication for http
Date: Tue, 10 Apr 2012 13:16:51 -0500
Hi,

sergio wrote:

> [Subject: fixed]

Please keep in mind that these appear as emails in a crowded inbox,
so the subject line can be a good place to put valuable context.

> It is curl bug and it's fixed in wheezy and sid. Please close it.

Nice!

Brian, can you confirm?  Sergio, do you know which curl change
fixed this?  (E.g., a pointer to a changelog entry or bug report
about it would be ideal.)

Thanks for the update,
Jonathan




Information forwarded to debian-bugs-dist@lists.debian.org, Gerrit Pape <pape@smarden.org>:
Bug#472073; Package git. (Wed, 11 Apr 2012 00:42:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.net>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <pape@smarden.org>. (Wed, 11 Apr 2012 00:42:06 GMT) Full text and rfc822 format available.

Message #42 received at 472073@bugs.debian.org (full text, mbox):

From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: Jonathan Nieder <jrnieder@gmail.com>
Cc: sergio <mailbox@sergio.spb.ru>, 472073@bugs.debian.org
Subject: Re: git-core: please support GSS-Negotiate authentication for http
Date: Wed, 11 Apr 2012 00:38:34 +0000
[Message part 1 (text/plain, inline)]
On Tue, Apr 10, 2012 at 01:16:51PM -0500, Jonathan Nieder wrote:
> > It is curl bug and it's fixed in wheezy and sid. Please close it.
> 
> Nice!
> 
> Brian, can you confirm?  Sergio, do you know which curl change
> fixed this?  (E.g., a pointer to a changelog entry or bug report
> about it would be ideal.)

Yes, pushing to an Apache DAV server with GSS-Negotiate does work.  git
asks me for a password anyway, but that's another bug report.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
[signature.asc (application/pgp-signature, inline)]

Bug reassigned from package 'git' to 'libcurl3-gnutls'. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Wed, 11 Apr 2012 01:09:06 GMT) Full text and rfc822 format available.

No longer marked as found in versions git-core/1:1.5.4.4-1. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Wed, 11 Apr 2012 01:09:07 GMT) Full text and rfc822 format available.

Marked as found in versions curl/7.18.0-1. Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Wed, 11 Apr 2012 01:09:07 GMT) Full text and rfc822 format available.

Added indication that 472073 affects git Request was from Jonathan Nieder <jrnieder@gmail.com> to control@bugs.debian.org. (Wed, 11 Apr 2012 01:09:07 GMT) Full text and rfc822 format available.

Reply sent to Jonathan Nieder <jrnieder@gmail.com>:
You have taken responsibility. (Wed, 11 Apr 2012 01:09:10 GMT) Full text and rfc822 format available.

Notification sent to "brian m. carlson" <sandals@crustytoothpaste.net>:
Bug acknowledged by developer. (Wed, 11 Apr 2012 01:09:10 GMT) Full text and rfc822 format available.

Message #55 received at 472073-done@bugs.debian.org (full text, mbox):

From: Jonathan Nieder <jrnieder@gmail.com>
To: "brian m. carlson" <sandals@crustytoothpaste.net>
Cc: 472073-done@bugs.debian.org, sergio <mailbox@sergio.spb.ru>, curl@packages.debian.org
Subject: Re: git-core: please support GSS-Negotiate authentication for http
Date: Tue, 10 Apr 2012 20:07:20 -0500
Version: 7.25.0-1
reassign 472073 libcurl3-gnutls 7.18.0-1
affects 472073 + git
quit

brian m. carlson wrote:

>   error: The requested URL returned error: 401 while accessing http://bmc@castro.crustytoothpaste.net/dump/css.git/info/refs
[...]
> Also, here's part of the log from the web server:
>
>   172.16.2.249 - - [28/May/2010:13:44:20 +0000] "GET /dump/css.git/info/refs?service=git-receive-pack HTTP/1.1" 401 720 "-" "git/1.7.1"
>   172.16.2.249 - - [28/May/2010:13:44:20 +0000] "GET /dump/css.git/info/refs HTTP/1.1" 401 720 "-" "git/1.7.1"
>   172.16.2.249 - - [28/May/2010:13:44:24 +0000] "GET /dump/css.git/info/refs?service=git-receive-pack HTTP/1.1" 401 720 "-" "git/1.7.1"
>   172.16.2.249 - bmc@CRUSTYTOOTHPASTE.NET [28/May/2010:13:44:24 +0000] "GET /dump/css.git/info/refs?service=git-receive-pack HTTP/1.1" 200 307 "-" "git/1.7.1"
>   172.16.2.249 - - [28/May/2010:13:44:24 +0000] "GET /dump/css.git/HEAD HTTP/1.1" 401 720 "-" "git/1.7.1"
>   172.16.2.249 - - [28/May/2010:13:44:25 +0000] "PROPFIND /dump/css.git/ HTTP/1.1" 401 720 "-" "git/1.7.1"
>   172.16.2.249 - bmc@CRUSTYTOOTHPASTE.NET [28/May/2010:13:44:25 +0000] "PROPFIND /dump/css.git/ HTTP/1.1" 207 767 "-" "git/1.7.1"
>   172.16.2.249 - - [28/May/2010:13:44:25 +0000] "HEAD /dump/css.git/info/refs HTTP/1.1" 401 205 "-" "git/1.7.1"
>   172.16.2.249 - - [28/May/2010:13:44:25 +0000] "HEAD /dump/css.git/objects/info/packs HTTP/1.1" 401 205 "-" "git/1.7.1"
>   172.16.2.249 - - [28/May/2010:13:44:25 +0000] "MKCOL /dump/css.git/info/ HTTP/1.1" 401 720 "-" "git/1.7.1"
>
> Notice that only for certain requests does git use authentication.  It
> needs to use authentication for every request, since access to /dump/ is
> only allowed to valid users using Kerberos (for all requests).
[...]
>> sergio wrote:

>>> It is curl bug and it's fixed in wheezy and sid. Please close it.
[...]
> Yes, pushing to an Apache DAV server with GSS-Negotiate does work.  git
> asks me for a password anyway, but that's another bug report.

Thanks for checking.  Reassigning to curl and closing with current
version.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Jun 2012 07:45:42 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:07:27 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.