On 2014-07-11 12:44, David Woodhouse wrote:
> On Fri, 2014-05-30 at 01:13 -0700, [email protected] wrote:
>> curl_easy_setopt(curl_handle, CURLOPT_PROXYAUTH,
>>                  CURLAUTH_NTLM | CURLAUTH_NTLM_WB | CURLAUTH_GSSNEGOTIATE);
>> curl_easy_setopt(curl_handle, CURLOPT_PROXYUSERPWD, ":");
>> curl_easy_perform(curl_handle);
>> ...
>> Is there a known problem in curl for running this way in Linux?
>
> [..]
> However, there's a third problem — you need to drop CURLAUTH_NTLM from
> your auth options. Otherwise it'll try 'native' NTLM using that empty
> username and password (doh!) before trying the automatic NTLM
> authentication via winbind.
>
> Which is a bit stupid, admittedly, but I'm not quite sure what the best
> fix is. Should we patch http.c to always try ntlm_wb *before* ntlm auth?
> Or patch the native NTLM auth method to bail out if the username and
> password are empty? Or both?

In my opinion, we can refer to the HTTP standard, which mandates using
strongest to weakest auth. So curl would actually need to prioritize
authentication and try in that order:

Kerberos > Negotiate > Digest > NTLM_WB > NTLM > Basic.

KRB 5 comes before SPNEGO, because it can downgrade to NTLM, which is less
secure. Digest comes before NTLM because, again, less secure and
proprietary.

Supposing that the server requests one of the schemes above.

Michael
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
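
The selection logic discussed in this thread, as an added example that is not part of the original messages and is not curl's code: it applies the strongest-first order proposed in the reply and skips native NTLM when the username and password are both empty, which is one of the options raised in the quoted message. The A_* bits and the function names are hypothetical, and no libcurl calls are used.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical bits for this example only; not libcurl's CURLAUTH_* values. */
enum { A_BASIC = 1, A_NTLM = 2, A_NTLM_WB = 4,
       A_DIGEST = 8, A_NEGOTIATE = 16, A_KERBEROS = 32 };

/* Order proposed in the reply above, strongest first. */
static const unsigned order[] = { A_KERBEROS, A_NEGOTIATE, A_DIGEST,
                                  A_NTLM_WB, A_NTLM, A_BASIC };

/* Case-insensitive match of the first len bytes of s against all of name. */
static int token_eq(const char *s, size_t len, const char *name)
{
    size_t i = 0;
    while (i < len && name[i] &&
           tolower((unsigned char)s[i]) == tolower((unsigned char)name[i]))
        i++;
    return i == len && name[i] == '\0';
}

/* OR together the schemes named in n Proxy-Authenticate header values.
   "NTLM" on the wire can be answered natively or via the winbind helper. */
unsigned offered_mask(const char *const *values, size_t n)
{
    static const struct { const char *name; unsigned bits; } tbl[] = {
        { "Kerberos", A_KERBEROS }, { "Negotiate", A_NEGOTIATE },
        { "Digest", A_DIGEST }, { "NTLM", A_NTLM | A_NTLM_WB },
        { "Basic", A_BASIC } };
    unsigned mask = 0;
    for (size_t v = 0; v < n; v++) {
        size_t len = strcspn(values[v], " \t"); /* scheme token ends at whitespace */
        for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
            if (token_eq(values[v], len, tbl[i].name))
                mask |= tbl[i].bits;
    }
    return mask;
}

/* Strongest scheme both sides allow, or 0 if none is usable.
   Native NTLM is dropped when user and password are both empty. */
unsigned pick_auth(unsigned offered, unsigned allowed,
                   const char *user, const char *pass)
{
    unsigned usable = offered & allowed;
    if ((!user || !*user) && (!pass || !*pass))
        usable &= ~(unsigned)A_NTLM;
    for (size_t i = 0; i < sizeof order / sizeof order[0]; i++)
        if (usable & order[i])
            return order[i];
    return 0;
}
```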