On Tue, Jul 22, 2014 at 10:00:22AM -0700, Junio C Hamano wrote:
> "brian m. carlson" <sand...@crustytoothpaste.net> writes:
> > So git uses libcurl with CURLAUTH_ANY.  In order for authentication to
> > work with libcurl, you have to supply a username.  If you specify it in
> > the URL, the libcurl realizes that it can use Kerberos, and goes on its
> > merry way.
> >
> > If you don't specify the username in the URL, git notices that
> > authentication has failed, and asks the credential store for a username
> > and password.  git does not know that a password is not needed, so the
> > credential subsystem prompts for one anyway.
> Hmmm, does this hint that we might want to be able to tell the
> credential subsystem that it is sufficient to have name without
> password, or allow the credential subsystem to say "I am giving you
> sufficient information" when it returns only username without
> password?

I just did some testing here, and on my configuration (mod_auth_kerb
without Basic authentication fallback), hitting enter at both the
username and password prompts results in a successful connection with
stock git.  This makes sense, because with GSSAPI authentication, your
ticket is tied to your username, so no explicit username is needed.

If I turn on KrbMethodK5Passwd and try to push without credentials, I
can confirm that git refuses, even if the correct password is set.  It
looks like libcurl really doesn't want to use Basic authentication if
there's a "better" choice.

Jean-Francois, do you have KrbMethodK5Passwd set to on (the default)?
If so, you might try turning it off and forcing Kerberos authentication
all the time.

brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Attachment: signature.asc
Description: Digital signature

Reply via email to