From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: David Turner <David.Turner@twosigma.com>
Cc: 'Junio C Hamano' <gitster@pobox.com>,
"git@vger.kernel.org" <git@vger.kernel.org>,
Johannes Schindelin <johannes.schindelin@gmx.de>,
Eric Sunshine <sunshine@sunshineco.com>,
Jeff King <peff@peff.net>
Subject: Re: [PATCH] http(s): automatically try NTLM authentication first
Date: Thu, 23 Feb 2017 04:19:19 +0000
Message-ID: <20170223041919.xwdux5rxpojvms7k@genre.crustytoothpaste.net>
In-Reply-To: <b152fad7e79046c5aa6cac9e21066c1c@exmbdft7.ad.twosigma.com>
On Thu, Feb 23, 2017 at 01:03:39AM +0000, David Turner wrote:
> So, I guess, this patch might be considered a security risk. But on the
> other hand, even *without* this patch, and without http.allowempty at
> all, I think a config which simply uses a https:// url without the magic :@
> would try SPNEGO. As I understand it, the http.allowempty config just
> makes the traditional :@ urls work.
No, it's a bit different. libcurl won't try to authenticate to a server
unless it has a username (and possibly password). With the curl command
line client, you use a dummy value or -u: to force it to do auth anyway
(because you want, say, GSSAPI). http.emptyAuth just sets that option
to “:” so libcurl will auth:
    if (curl_empty_auth)
        curl_easy_setopt(result, CURLOPT_USERPWD, ":");
I just use a dummy username for my URLs, but you can write :@ or any
other permutation to get it to work without emptyAuth. As a
consequence, you have to opt-in to that on a per-URL (or per-domain)
basis, which is a bit more secure.
> Actually, though, I am not sure this is as bad as it seems, because gssapi
> might protect us. When I locally tried a fake server, git (libcurl) refused to
> send my Kerberos credentials because "Server not found in Kerberos
> database". I don't have a machine set up with NTLM authentication
> (because, apparently, that would be insane), so I don't know how to
> confirm that gssapi would operate off of a whitelist for NTLM as well.
Yup. That's pretty much what I thought would happen, since the Kerberos
server has no HTTP/malicious.evil.tld@YOURREALM.TLD service ticket.
Again, I don't know how NTLM does things, or if it's wrapped in a
suitable ticket format somehow.
Last I base64-decoded an NTLM SPNEGO response, it did not contain the
OID required by GSSAPI as a prefix; it instead contained an “NTLMSSP”
header, which isn't a valid OID. I didn't delve much further, since I
was pretty sure I didn't want to know more.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
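The distinction brian draws above (a GSS-API token carries a mechanism OID prefix, a bare NTLM message starts with "NTLMSSP") is checkable from the header bytes alone. The following is an added example, not code from the thread or from git/libcurl: it decodes the token in a WWW-Authenticate or Authorization value and reports whether it is raw NTLMSSP, a GSS-API token (and which mechanism), or an SPNEGO response, which is what a client would need if it wanted to refuse NTLM before sending anything. The function and sample names are the example's own, and the sample tokens are constructed inline rather than captured from a server.

```python
import base64
import struct

# DER-encoded OID contents (tag/length stripped); values from RFC 4178, RFC 4121 and MS-SPNG.
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
NTLM_OID = bytes.fromhex("2b060104018237020a")     # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {SPNEGO_OID: "spnego", KRB5_OID: "kerberos5", NTLM_OID: "ntlm"}

def _der(buf: bytes, pos: int):
    """Return (tag, value, end) for the DER TLV at buf[pos] (definite lengths only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_token(header_value: str) -> dict:
    """Classify the token in a WWW-Authenticate / Authorization value such as 'Negotiate <b64>'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):      # bare NTLMSSP message, no GSS-API framing at all
        msg_type = struct.unpack_from("<I", raw, 8)[0]   # 1=NEGOTIATE 2=CHALLENGE 3=AUTHENTICATE
        return {"scheme": scheme, "kind": "ntlmssp-raw", "message_type": msg_type}
    tag, body, _ = _der(raw, 0)
    if tag == 0x60:                         # RFC 2743 InitialContextToken: [APPLICATION 0] {OID, ...}
        _, oid, _ = _der(body, 0)
        result = {"scheme": scheme, "kind": "gssapi", "mech": MECH_NAMES.get(oid, "unknown")}
        if oid == SPNEGO_OID:               # NegTokenInit: does its mechTypes list offer NTLM?
            result["ntlm_offered"] = (bytes([0x06, len(NTLM_OID)]) + NTLM_OID) in body
        return result
    if tag == 0xA1:                         # SPNEGO NegTokenResp, tagged [1] CONTEXT
        return {"scheme": scheme, "kind": "spnego-resp"}
    return {"scheme": scheme, "kind": "unknown"}

def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form DER TLV (value under 128 bytes); used only to build the constructed samples."""
    return bytes([tag, len(value)]) + value

# Constructed sample tokens (not captured from any real server).
SAMPLE_NTLM_CHALLENGE = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<I", 2) + b"\x00" * 24).decode()
_MECH_LIST = _tlv(0x30, _tlv(0x06, NTLM_OID))   # MechTypeList offering only NTLM
SAMPLE_SPNEGO_INIT = "Negotiate " + base64.b64encode(
    _tlv(0x60, _tlv(0x06, SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _MECH_LIST))))).decode()
SAMPLE_KRB5_APREQ = "Negotiate " + base64.b64encode(
    _tlv(0x60, _tlv(0x06, KRB5_OID) + b"\x01\x00" + b"\x00" * 8)).decode()   # TOK_ID 0x0100 + stub
SAMPLE_SPNEGO_RESP = "Negotiate " + base64.b64encode(
    b"\xa1\x07\x30\x05\xa0\x03\x0a\x01\x01").decode()   # NegTokenResp, negState accept-incomplete
```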