Re: Git + mod_auth_kerb
On Tue, Jul 22, 2014 at 10:00:22AM -0700, Junio C Hamano wrote: > "brian m. carlson" writes: > > > So git uses libcurl with CURLAUTH_ANY. In order for authentication to > > work with libcurl, you have to supply a username. If you specify it in > > the URL, the libcurl realizes that it can use Kerberos, and goes on its > > merry way. > > > > If you don't specify the username in the URL, git notices that > > authentication has failed, and asks the credential store for a username > > and password. git does not know that a password is not needed, so the > > credential subsystem prompts for one anyway. > > Hmmm, does this hint that we might want to be able to tell the > credential subsystem that it is sufficient to have name without > password, or allow the credential subsystem to say "I am giving you > sufficient information" when it returns only username without > password? I just did some testing here, and on my configuration (mod_auth_kerb without Basic authentication fallback), hitting enter at both the username and password prompts results in a successful connection with stock git. This makes sense, because with GSSAPI authentication, your ticket is tied to your username, so no explicit username is needed. If I turn on KrbMethodK5Passwd and try to push without credentials, I can confirm that git refuses, even if the correct password is set. It looks like libcurl really doesn't want to use Basic authentication if there's a "better" choice. Jean-Francois, do you have KrbMethodK5Passwd set to on (the default)? If so, you might try turning it off and forcing Kerberos authentication all the time. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187 signature.asc Description: Digital signature
Re: Git + mod_auth_kerb
On Tue, Jul 22, 2014 at 12:41:19PM -0400, Jean-Francois Bouchard wrote: > Thanks for this info. This make a lot of sense system wise. For a user > point of view, it is a nightmare. Also, this break a lot of tools that > are waiting username/password authentication via HTTPS. (I name > Eclipse). What you may want to do is have each user adjust their .gitconfig to do something like: [url "https://b...@git.crustytoothpaste.net/";] insteadOf = https://git.crustytoothpaste.net/ That way, everyone can continue to use the same URLs, but have git fix them up per-user. Hopefully I'll get some time this week to see if making HTTPS requests provide an empty username by default will work. > Also, I m not able to reproduce the kerberos login on Ubuntu 14.04. I > m asked to enter password even if a kerberos ticket is present and > this even when I've embedded the username in the URI. This sounds like an issue with Kerberos and curl on Ubuntu 14.04. I'm using Debian unstable (from which Ubuntu pulls changes), and at no point have I had this problem. Can you send us the output of the push with the environment GIT_CURL_VERBOSE set to 1 on a system where it works and one where it doesn't? > Is there a better way to integrate Kerberos via HTTPS for git ? I don't know of any better way. It does work for me, although I'm just one person. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187 signature.asc Description: Digital signature
Re: Git + mod_auth_kerb
On Tue, Jul 22, 2014 at 10:00:22AM -0700, Junio C Hamano wrote: > "brian m. carlson" writes: > > > So git uses libcurl with CURLAUTH_ANY. In order for authentication to > > work with libcurl, you have to supply a username. If you specify it in > > the URL, the libcurl realizes that it can use Kerberos, and goes on its > > merry way. > > > > If you don't specify the username in the URL, git notices that > > authentication has failed, and asks the credential store for a username > > and password. git does not know that a password is not needed, so the > > credential subsystem prompts for one anyway. > > Hmmm, does this hint that we might want to be able to tell the > credential subsystem that it is sufficient to have name without > password, or allow the credential subsystem to say "I am giving you > sufficient information" when it returns only username without > password? Possibly. In the --negotiate documentation of the curl man page, it says: When using this option, you must also provide a fake -u, --user option to activate the authentication code properly. Sending a '-u :' is enough as the user name and password from the -u option aren't actually used. That implies to me that setting an empty value for CURLOPT_USERNAME in git might be sufficient to solve the problem. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187 signature.asc Description: Digital signature
Re: Git + mod_auth_kerb
"brian m. carlson" writes: > So git uses libcurl with CURLAUTH_ANY. In order for authentication to > work with libcurl, you have to supply a username. If you specify it in > the URL, the libcurl realizes that it can use Kerberos, and goes on its > merry way. > > If you don't specify the username in the URL, git notices that > authentication has failed, and asks the credential store for a username > and password. git does not know that a password is not needed, so the > credential subsystem prompts for one anyway. Hmmm, does this hint that we might want to be able to tell the credential subsystem that it is sufficient to have name without password, or allow the credential subsystem to say "I am giving you sufficient information" when it returns only username without password? -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: Git + mod_auth_kerb
Hello, Thanks for this info. This make a lot of sense system wise. For a user point of view, it is a nightmare. Also, this break a lot of tools that are waiting username/password authentication via HTTPS. (I name Eclipse). Also, I m not able to reproduce the kerberos login on Ubuntu 14.04. I m asked to enter password even if a kerberos ticket is present and this even when I've embedded the username in the URI. Is there a better way to integrate Kerberos via HTTPS for git ? Thanks, JF On Mon, Jul 21, 2014 at 7:17 PM, brian m. carlson wrote: > On Mon, Jul 21, 2014 at 05:06:50PM -0400, Jean-Francois Bouchard wrote: >> Hello, >> >> We are currently working on a single sign on setup for our git install. We >> are >> using git 2.0.2 (ubuntu) plus apache/2.2.22 mod_auth_kerb on the >> server side. Here some scenario we are trying to accomplish : >> >> -Without Kerberos ticket stored. >> Git ask for username/password. >> Result = Authentication failed >> >> -Kerberos ticket in store and BAD password : >> Git ask for username/password. >> Result = Authentication failed >> >> -Kerberos ticket in Store entering good password : >> Git ask for username/password. >> Result = Authentication failed on some host, other works >> >> -Kerberos ticket in Store and embedding the username in the URI (aka >> https://username@repo) >> Git don't ask for anything or ask for password >> Result = Works on some host, other request the password. (Will fail if >> the kerberos ticket not in store) > > So git uses libcurl with CURLAUTH_ANY. In order for authentication to > work with libcurl, you have to supply a username. If you specify it in > the URL, the libcurl realizes that it can use Kerberos, and goes on its > merry way. > > If you don't specify the username in the URL, git notices that > authentication has failed, and asks the credential store for a username > and password. git does not know that a password is not needed, so the > credential subsystem prompts for one anyway. > > I have mod_auth_kerb set up against Apache 2.4.9 at the moment, although > I've used 2.2 before. I always use a username in the URL, and if I get > prompted for the password, I just Ctrl-C out and run kinit before > pushing again. > > I don't have mod_auth_kerb set up to fall back to basic auth, but if you > do, using a username and password should work properly. You can use > set the environment variable GIT_CURL_VERBOSE to 1 to see more > information about what's actually going over the wire. > >> This is a very strange behaviour. It seems to be cause by the way >> libcurl and git interact and the way the authentication goes >> (Negociate first, then basic auth). I have tried to use the helper to >> store invalid authentication information. With not much success. > > libcurl will always prefer something (anything) over basic auth, since > basic auth is completely insecure unless you're using HTTPS. > > -- > brian m. carlson / brian with sandals: Houston, Texas, US > +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only > OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187 -- Avis de confidentialité Les informations contenues dans le présent message et dans toute pièce qui lui est jointe sont confidentielles et peuvent être protégées par le secret professionnel. Ces informations sont à l’usage exclusif de son ou de ses destinataires. Si vous recevez ce message par erreur, veuillez s’il vous plait communiquer immédiatement avec l’expéditeur et en détruire tout exemplaire. De plus, il vous est strictement interdit de le divulguer, de le distribuer ou de le reproduire sans l’autorisation de l’expéditeur. Merci. Confidentiality notice This e-mail message and any attachment hereto contain confidential information which may be privileged and which is intended for the exclusive use of its addressee(s). If you receive this message in error, please inform sender immediately and destroy any copy thereof. Furthermore, any disclosure, distribution or copying of this message and/or any attachment hereto without the consent of the sender is strictly prohibited. Thank you. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: Git + mod_auth_kerb
On Mon, Jul 21, 2014 at 05:06:50PM -0400, Jean-Francois Bouchard wrote: > Hello, > > We are currently working on a single sign on setup for our git install. We are > using git 2.0.2 (ubuntu) plus apache/2.2.22 mod_auth_kerb on the > server side. Here some scenario we are trying to accomplish : > > -Without Kerberos ticket stored. > Git ask for username/password. > Result = Authentication failed > > -Kerberos ticket in store and BAD password : > Git ask for username/password. > Result = Authentication failed > > -Kerberos ticket in Store entering good password : > Git ask for username/password. > Result = Authentication failed on some host, other works > > -Kerberos ticket in Store and embedding the username in the URI (aka > https://username@repo) > Git don't ask for anything or ask for password > Result = Works on some host, other request the password. (Will fail if > the kerberos ticket not in store) So git uses libcurl with CURLAUTH_ANY. In order for authentication to work with libcurl, you have to supply a username. If you specify it in the URL, the libcurl realizes that it can use Kerberos, and goes on its merry way. If you don't specify the username in the URL, git notices that authentication has failed, and asks the credential store for a username and password. git does not know that a password is not needed, so the credential subsystem prompts for one anyway. I have mod_auth_kerb set up against Apache 2.4.9 at the moment, although I've used 2.2 before. I always use a username in the URL, and if I get prompted for the password, I just Ctrl-C out and run kinit before pushing again. I don't have mod_auth_kerb set up to fall back to basic auth, but if you do, using a username and password should work properly. You can use set the environment variable GIT_CURL_VERBOSE to 1 to see more information about what's actually going over the wire. > This is a very strange behaviour. It seems to be cause by the way > libcurl and git interact and the way the authentication goes > (Negociate first, then basic auth). I have tried to use the helper to > store invalid authentication information. With not much success. libcurl will always prefer something (anything) over basic auth, since basic auth is completely insecure unless you're using HTTPS. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187 signature.asc Description: Digital signature