From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: David Turner <David.Turner@twosigma.com>
Cc: 'Junio C Hamano' <gitster@pobox.com>,
	"git@vger.kernel.org" <git@vger.kernel.org>,
	Johannes Schindelin <johannes.schindelin@gmx.de>,
	Eric Sunshine <sunshine@sunshineco.com>,
	Jeff King <peff@peff.net>
Subject: Re: [PATCH] http(s): automatically try NTLM authentication first
Date: Thu, 23 Feb 2017 04:19:19 +0000	[thread overview]
Message-ID: <20170223041919.xwdux5rxpojvms7k@genre.crustytoothpaste.net> (raw)
In-Reply-To: <b152fad7e79046c5aa6cac9e21066c1c@exmbdft7.ad.twosigma.com>


On Thu, Feb 23, 2017 at 01:03:39AM +0000, David Turner wrote:
> So, I guess, this patch might be considered a security risk. But on the
> other hand, even *without* this patch, and without http.allowempty at
> all, I think a config which simply uses a https:// url without the magic :@
> would try SPNEGO.  As I understand it, the http.allowempty config just
> makes the traditional :@ urls work.

No, it's a bit different.  libcurl won't try to authenticate to a server
unless it has a username (and possibly password).  With the curl command
line client, you use a dummy value or -u: to force it to do auth anyway
(because you want, say, GSSAPI).  http.emptyAuth just sets that option
to “:” so libcurl will auth:

		if (curl_empty_auth)
			curl_easy_setopt(result, CURLOPT_USERPWD, ":");

I just use a dummy username for my URLs, but you can write :@ or any
other permutation to get it to work without emptyAuth.  As a
consequence, you have to opt-in to that on a per-URL (or per-domain)
basis, which is a bit more secure.

> Actually, though, I am not sure this is as bad as it seems, because gssapi
> might protect us.  When I locally tried a fake server, git (libcurl) refused to 
> send my Kerberos credentials because "Server not found in Kerberos 
> database".  I don't have a machine set up with NTLM authentication 
> (because, apparently, that would be insane), so I don't know how to 
> confirm that gssapi would operate off of a whitelist for NTLM as well. 

Yup.  That's pretty much what I thought would happen, since the Kerberos
server has no HTTP/malicious.evil.tld@YOURREALM.TLD service ticket.
Again, I don't know how NTLM does things, or if it's wrapped in a
suitable ticket format somehow.

Last I base64-decoded an NTLM SPNEGO response, it did not contain the
OID required by GSSAPI as a prefix; it instead contained an “NTLMSSP”
header, which isn't a valid OID.  I didn't delve much further, since I
was pretty sure I didn't want to know more.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
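As an added illustration of the token-format point made above (this is not code from the email or from git), the following classifier inspects the blob in a `Negotiate` header and tells a GSS-API/SPNEGO token (0x60 tag followed by a mechanism OID) apart from a bare message starting with the "NTLMSSP" header; all function names, the OID table and the two sample tokens are my own constructions.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"  # signature that starts every raw NTLM message
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded mechanism OIDs (0x06 tag, length, contents)
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_SPNEGO: "SPNEGO", OID_KRB5: "Kerberos", OID_NTLMSSP: "NTLMSSP"}

def der_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(header_value):
    """Classify the blob in a 'Negotiate <base64>' (WWW-)Authenticate/Authorization value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if not b64:
        return {"scheme": scheme, "kind": "empty-challenge"}
    tok = base64.b64decode(b64)
    if tok.startswith(NTLMSSP_SIG):
        # Bare NTLMSSP message: no GSS-API OID prefix at all
        msg_type = int.from_bytes(tok[8:12], "little")
        return {"scheme": scheme, "kind": "raw-ntlm",
                "ntlm_message": NTLM_TYPES.get(msg_type, "UNKNOWN")}
    if tok[:1] == b"\x60":
        # RFC 2743 InitialContextToken: 0x60 <len> <mech OID> <inner token>
        _, pos = der_len(tok, 1)
        oid_len, body = der_len(tok, pos + 1)
        mech = MECH_NAMES.get(tok[pos:body + oid_len], "unknown-oid")
        inner = tok[body + oid_len:]
        return {"scheme": scheme, "kind": "gssapi", "mech": mech,
                "offers_ntlm": OID_NTLMSSP in inner or NTLMSSP_SIG in inner}
    if tok[:1] == b"\xa1":
        # SPNEGO NegTokenResp: server replies carry no outer 0x60 wrapper
        return {"scheme": scheme, "kind": "spnego-resp", "carries_ntlm": NTLMSSP_SIG in tok}
    return {"scheme": scheme, "kind": "unknown"}

def sample_raw_ntlm_type1():
    """Constructed sample: NTLM NEGOTIATE with zeroed flags/domain/workstation fields."""
    msg = NTLMSSP_SIG + (1).to_bytes(4, "little") + b"\x00" * 24
    return "Negotiate " + base64.b64encode(msg).decode()

def sample_spnego_offering_ntlm():
    """Constructed sample: minimal SPNEGO NegTokenInit whose mechTypes lists NTLMSSP."""
    body = OID_SPNEGO + b"\xa0\x0e\x30\x0c" + OID_NTLMSSP
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()
```

Run over proxy or server logs, the "raw-ntlm" verdict is the case discussed above: a client that sent NTLM with no Kerberos-style service-ticket binding to the target host.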
