On Mon, May 12, 2014 at 04:21:53PM -0400, Jeff King wrote:
> On Sat, May 10, 2014 at 09:01:32PM +0000, brian m. carlson wrote:
> > * Make git understand that it really needs to try again with different
> >   credentials in this case (how to do that is unknown).
> It should be pretty straightforward to loop again; http_request_reauth
> just needs to turn into a for-loop on getting HTTP_REAUTH, rather than a
> static two-tries (I even had a patch for this a while ago, but the
> function has changed a bit in the interim).
> The tricky part is figuring out when to return HTTP_NOAUTH ("do not try
> again, we failed") versus HTTP_REAUTH ("get credentials and try again")
> in handle_curl_result. Right now the decision is based on "did we have a
> username and password for this request?" I'm not clear on what extra
> bits would be needed to decide to continue in the case you guys are
> discussing.

I'm honestly not sure, either.  That's why I said, "how to do that is

However, if you base64-decode the two Negotiate replies in the
successful attempt with WinHTTP and pass it through od -tc, you'll see
that the second reply contains some form of user ID that the first one
does not.  The curl binary sends an identical reply for the first pass,
but then gives up and does not try a second pass.  I don't know if
libcurl is able to provide the data required in the second pass.

All of this is way outside my knowledge, since my Kerberos/GSSAPI
Negotiate requests look very different than the NTLM ones.

> > * Provide some way of forcing git to use a particular authentication
> >   protocol.
> Yeah, we just set CURLAUTH_ANY now, but it would be fairly trivial to
> add "http.authtype" and "http.proxyauthtype" to map to CURLOPT_HTTPAUTH

This might be the easiest option.

brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
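
Added example, not part of the original thread: a Python version of the "base64-decode and inspect" step described above, which reports the NTLM message type carried in an `Authorization` header value and, for a type 3 message, the domain, user and workstation it names. It assumes the replies carry NTLMSSP messages (raw or SPNEGO-wrapped) and that the type 3 message has the full 64-byte fixed header; the function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
UNICODE_FLAG = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE

def read_field(msg, pos, enc):
    # Each field is described by (length, max length, offset from message start).
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length].decode(enc, errors="replace")

def describe_token(header_value):
    """Summarise the NTLM message in an 'NTLM <b64>' or 'Negotiate <b64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    blob = base64.b64decode(b64, validate=True)
    start = blob.find(NTLM_SIG)  # offset 0 for raw NTLM, later if SPNEGO-wrapped
    if start < 0:
        return {"scheme": scheme, "ntlm": False}  # e.g. a Kerberos token
    msg = blob[start:]
    if len(msg) < 12:
        raise ValueError("truncated NTLM message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    info = {"scheme": scheme, "ntlm": True, "type": TYPES.get(mtype, mtype)}
    if mtype == 3 and len(msg) >= 64:  # only type 3 names the account
        (flags,) = struct.unpack_from("<I", msg, 60)
        enc = "utf-16-le" if flags & UNICODE_FLAG else "cp437"
        for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
            info[name] = read_field(msg, pos, enc)
    return info

def sample_type1():
    # Constructed type 1: signature, type, flags, two empty field descriptors.
    return NTLM_SIG + struct.pack("<II", 1, 0x00000207) + b"\x00" * 16

def sample_type3(domain, user, host):
    # Constructed type 3 with empty LM/NT responses and session key.
    hdr, payload = NTLM_SIG + struct.pack("<I", 3) + struct.pack("<HHI", 0, 0, 64) * 2, b""
    for part in (s.encode("utf-16-le") for s in (domain, user, host)):
        hdr += struct.pack("<HHI", len(part), len(part), 64 + len(payload))
        payload += part
    hdr += struct.pack("<HHI", 0, 0, 64 + len(payload)) + struct.pack("<I", UNICODE_FLAG)
    return hdr + payload

def as_header(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode("ascii")

if __name__ == "__main__":
    print(describe_token(as_header("NTLM", sample_type1())))
    print(describe_token(as_header("Negotiate", sample_type3("CORP", "alice", "WS01"))))
```

Comparing the summaries of the two client replies from a packet capture shows whether the client ever reached the type 3 step.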
