Summary: I am using Git for Windows 2.5.1 to authenticate with a Kerberized Git server. When using a URL in the form https://el2-gitlab.sa.c/kkm/grammartools.git, Git does not attempt Negotiate authentication, and asks for a user name and password. A workaround to force Git to use SPNEGO is to provide an empty username and password in the URL itself, as in https://:@el2-gitlab.sa.c/kkm/grammartools.git. In this case, Git happily authenticates with the existing Kerberos ticket.
Can I configure Git to try SPNEGO without tweaking the remote URL?

More details. I spent quite some time trying to solve the problem. First, I tried giving an empty user name in .gitconfig, to no avail:

    [credential "https://el2-gitlab.sa.c"]
        username = ''

Not once I came across questions on the reverse problem, when Git refused to revert to Basic after trying and failing Negotiate, a behavior confirmed to have changed in 2.3.1.

Responding to the prompts with an empty username and password does not help, contrary to the suggestions I could find (but they may pre-date version 2.3.1).

Finally, the verbose libcurl output (abridged here) shows that Git indeed attempts Basic authentication and forgoes Negotiate altogether:

    $ export GIT_CURL_VERBOSE=1
    $ git clone https://el2-gitlab.sa.c/kkm/grammartools.git kerbtest
    cloning 'kerbtest'...
    * couldn't find host el2-gitlab.sa.c in _netrc file; using defaults
    * ssl connection using tlsv1.2 / ecdhe-rsa-aes256-gcm-sha384
    > /kkm/grammartools.git/info/refs?service=git-upload-pack http/1.1
    host: el2-gitlab.sa.c
    user-agent: git/2.5.1.windows.1
    < http/1.1 401 unauthorized
    < status: 401 unauthorized
    < www-authenticate: basic realm=""
    < www-authenticate: negotiate
    <
    * connection #0 host el2-gitlab.sa.c left intact
    username 'https://el2-gitlab.sa.c':

Also, it may be of interest that the Git client retries the unauthenticated request on 401 a second time before responding with the ticket:

    $ git clone https://:@el2-gitlab.sa.c/kkm/grammartools.git kerbtest
    cloning 'kerbtest'...
    * couldn't find host el2-gitlab.sa.c in _netrc file; using defaults
    > /kkm/grammartools.git/info/refs?service=git-upload-pack http/1.1
    host: el2-gitlab.sa.c
    user-agent: git/2.5.1.windows.1
    < http/1.1 401 unauthorized
    < status: 401 unauthorized
    < www-authenticate: basic realm=""
    < www-authenticate: negotiate
    * connection #0 host el2-gitlab.sa.c left intact
    * issue request url: 'https://:@el2-gitlab.sa.c/kkm/grammartools.git/info/refs?service=git-upload-pack'
    * couldn't find host el2-gitlab.sa.c in _netrc file; using defaults
    > /kkm/grammartools.git/info/refs?service=git-upload-pack http/1.1
    host: el2-gitlab.sa.c
    user-agent: git/2.5.1.windows.1
    < http/1.1 401 unauthorized
    < status: 401 unauthorized
    < www-authenticate: basic realm=""
    < www-authenticate: negotiate
    <
    * issue request url: 'https://:@el2-gitlab.sa.c/kkm/grammartools.git/info/refs?service=git-upload-pack'
    * couldn't find host el2-gitlab.sa.c in _netrc file; using defaults
    > /kkm/grammartools.git/info/refs?service=git-upload-pack http/1.1
    host: el2-gitlab.sa.c
    authorization: negotiate yiigtg[ .... trimmed ... ]
    user-agent: git/2.5.1.windows.1
    < http/1.1 200 ok

This is not a Git problem but a curl one. You are suffering from known bug #10. curl's implementation is far below the one of libserf, which is used in Subversion.

Regarding the selection of auth: Git requests any_auth from libcurl, and it should select the strongest available mechanism. If it doesn't (with plain curl), you have found a bug. Please report it to curl on GitHub.
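
The comparison the two traces above invite, and the check the answer asks for (whether the client picked Negotiate when the server offered it), as an added example that is not part of the original posts: a small parser for GIT_CURL_VERBOSE output. The traces, host name and token in it are constructed, and the function names are hypothetical.

```python
import re

# Line shapes in a GIT_CURL_VERBOSE trace; the HTTP method is optional because
# the abridged traces on this page omit it. Matching is case-insensitive.
REQ = re.compile(r"^>\s+(?:[A-Z]+\s+)?\S+\s+HTTP/", re.I)
STATUS = re.compile(r"^<\s+HTTP/\S+\s+(\d{3})", re.I)
OFFER = re.compile(r"^<\s+WWW-Authenticate:\s*(\S+)", re.I)
SENT = re.compile(r"^(?:>\s+)?Authorization:\s*(\S+)", re.I)

def parse_exchanges(trace):
    """Split a trace into request/response exchanges with their auth schemes."""
    exchanges = []
    for line in map(str.strip, trace.splitlines()):
        if REQ.match(line):
            exchanges.append({"sent": None, "status": None, "offered": []})
        elif exchanges:
            cur = exchanges[-1]
            if m := STATUS.match(line):
                cur["status"] = int(m.group(1))
            elif m := OFFER.match(line):
                cur["offered"].append(m.group(1).lower())
            elif m := SENT.match(line):
                cur["sent"] = m.group(1).lower()
    return exchanges

def diagnose(exchanges):
    """Classify how the client handled a server that may offer Negotiate."""
    offered = {s for e in exchanges for s in e["offered"]}
    attempts = [e for e in exchanges if e["sent"] == "negotiate"]
    if not attempts:
        return "offered-but-not-attempted" if "negotiate" in offered else "not-offered"
    ok = any(e["status"] is not None and e["status"] < 400 for e in attempts)
    return "negotiate-succeeded" if ok else "negotiate-rejected"

def unauthenticated_401s(exchanges):
    """Count 401 round trips made before any Authorization header was sent."""
    return sum(1 for e in exchanges if e["sent"] is None and e["status"] == 401)

# Constructed traces (placeholder host and token), shaped like the two above.
CHALLENGE = ('> GET /repo.git/info/refs?service=git-upload-pack HTTP/1.1\n'
             'Host: git.example.test\n< HTTP/1.1 401 Unauthorized\n'
             '< WWW-Authenticate: Basic realm=""\n< WWW-Authenticate: Negotiate\n')
PLAIN_URL_TRACE = CHALLENGE + "Username for 'https://git.example.test':\n"
EMPTY_CRED_TRACE = CHALLENGE * 2 + (
    '> GET /repo.git/info/refs?service=git-upload-pack HTTP/1.1\n'
    'Host: git.example.test\nAuthorization: Negotiate CONSTRUCTED_TOKEN\n'
    '< HTTP/1.1 200 OK\n')

if __name__ == "__main__":
    for name in ("PLAIN_URL_TRACE", "EMPTY_CRED_TRACE"):
        ex = parse_exchanges(globals()[name])
        print(name, diagnose(ex), unauthenticated_401s(ex))
```

Run against a saved trace, "offered-but-not-attempted" is the state to watch for: the server advertised Negotiate, yet the client went to a password prompt, so credentials may end up sent over Basic instead of using the Kerberos ticket.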