On Thu, Feb 23, 2017 at 06:08:49PM +0100, Johannes Schindelin wrote:

> > I suspect the patch above could probably be generalized as:
> > 
> >   /* cut out methods we know the server doesn't support */
> >   http_auth_methods &= results.auth_avail;
> > 
> > and let curl figure it out from there.
> 
> Maybe this patch (or a variation thereof) would also be able to fix this
> problem with the patch:
> 
>       https://github.com/git-for-windows/git/issues/1034
> 
> Short version: for certain servers (that do *not* advertise Negotiate),
> setting emptyauth to true will result in a failed fetch, without letting
> the user type in their credentials.

I suspect it isn't enough to help without 2/2. This will tell curl that
the server does not do Negotiate, so it will skip the probe request. But
Git will still feed curl the bogus empty credential.

That's what 2/2 tries to fix: only kick in the emptyAuth hack when there
is something besides Basic[1] to try. The way it is written adds an
extra "auto" mode to emptyAuth, as I wanted to leave "emptyauth=true" as
a workaround in case the "auto" behavior does not work. And then I
turned on "auto" by default, since that was what the discussion was
shooting for.

But if we are worried about turning on emptyAuth everywhere, the auto
behavior could be tied to emptyauth=true (and have something like
"emptyauth=always" to _really_ force it). I don't have an opinion there.
It sounds like emptyauth has been enabled by default on Windows for a
while. It's not clear to me if that's a security problem or not.

-Peff
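To make the decision being discussed concrete, here is an added model (not git's code, nor the 2/2 patch) of the three emptyAuth modes against the auth bitmask curl reports on the 401; the CURLAUTH-style bit values are assumed locally so it builds without curl.h, and the outcome strings only label the behaviours described above.

```c
#include <stdio.h>
#include <string.h>

/* Bit values in the style of libcurl's CURLAUTH_* masks. Assumed here so
 * the example builds without curl.h; compare against your curl headers. */
#define AUTH_BASIC     (1UL << 0)
#define AUTH_DIGEST    (1UL << 1)
#define AUTH_NEGOTIATE (1UL << 2)
#define AUTH_NTLM      (1UL << 3)
#define AUTH_ANY       (~0UL)

enum empty_auth_mode { EMPTY_AUTH_OFF, EMPTY_AUTH_ON, EMPTY_AUTH_AUTO };

/* "http_auth_methods &= results.auth_avail": drop methods the server
 * did not advertise so curl never probes for them. */
static unsigned long narrow_methods(unsigned long methods, unsigned long auth_avail)
{
    return methods & auth_avail;
}

/* Should we hand curl an empty credential so it can try Negotiate/NTLM?
 * In "auto" mode this only happens when the server offered something
 * besides Basic; otherwise the empty credential just fails the fetch. */
static int use_empty_auth(enum empty_auth_mode mode, unsigned long auth_avail)
{
    switch (mode) {
    case EMPTY_AUTH_OFF:  return 0;
    case EMPTY_AUTH_ON:   return 1; /* forced: keeps the old workaround */
    case EMPTY_AUTH_AUTO: return (auth_avail & ~AUTH_BASIC) != 0;
    }
    return 0;
}

/* Label the outcome from the thread: empty credential against a
 * Basic-only server fails without ever prompting the user. */
static const char *fetch_outcome(enum empty_auth_mode mode, unsigned long auth_avail)
{
    if (!use_empty_auth(mode, auth_avail))
        return "prompt-for-credentials";
    return (auth_avail & ~AUTH_BASIC) ? "negotiate-attempted"
                                      : "failed-without-prompt";
}

int main(void)
{
    printf("on,   Basic only:      %s\n", fetch_outcome(EMPTY_AUTH_ON, AUTH_BASIC));
    printf("auto, Basic only:      %s\n", fetch_outcome(EMPTY_AUTH_AUTO, AUTH_BASIC));
    printf("auto, Basic+Negotiate: %s\n",
           fetch_outcome(EMPTY_AUTH_AUTO, AUTH_BASIC | AUTH_NEGOTIATE));
    return 0;
}
```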