From: M Hickford <mirth.hickford@gmail.com>
To: "brian m. carlson" <sandals@crustytoothpaste.net>
Cc: git@vger.kernel.org, Junio C Hamano <gitster@pobox.com>,
Matthew John Cheetham <mjcheetham@outlook.com>,
M Hickford <mirth.hickford@gmail.com>
Subject: Re: [PATCH 00/13] Support for arbitrary schemes in credentials
Date: Sat, 30 Mar 2024 08:16:54 +0000 [thread overview]
Message-ID: <CAGJzqsnyPhR2t7yuVXGQtCoeeUM+yxOR9hDm1y2Y6hcSK6QMFQ@mail.gmail.com> (raw)
In-Reply-To: <20240324011301.1553072-1-sandals@crustytoothpaste.net>
On Sun, 24 Mar 2024 at 01:13, brian m. carlson
<sandals@crustytoothpaste.net> wrote:
>
> Right now, HTTP authentication in Git is mostly limited to approaches
> that require a username and password or are Kerberos (GSSAPI). In
> addition, we effectively require that libcurl (or, for other software,
> such as Git LFS, using the credential helper, that HTTP library) knows
> how to implement the authentication scheme.
>
> However, this poses two sets of problems. First, some sites, such as
> Azure DevOps, want to use Bearer authentication, which we don't support.
> This is implemented using `http.extraHeader`, which is not a secure way
> to store credentials, since our credential helper protocol does not
> support this functionality.
>
> In addition, other tools using the credential helper protocol do not
> support the variety of authentication mechanisms that Git does.
> Specifically, making NTLM function in a useful way on Windows is
> nontrivial and requires extensive integration and testing with C code,
> and because of this difficulty and the fact that NTLM uses cryptography
> known to be insecure since 1995, there is often little interest in
> implementing this support outside of libcurl. However, it would be
> helpful if people who want to use it can still use it.
>
> This series introduces new functionality to the credential helper
> protocol that allows helpers to produce credentials for arbitrary HTTP
> authentication schemes using the `authtype` and `credential`[0] fields.
> This allows a suitable credential helper to send Bearer credentials or
> any other standard or custom authentication scheme. (It may be able to
> be extended to other functionality in the future, such as
> git-send-email, to implement custom SASL functionality, and due care has
> been taken to make the protocol adequately flexible for that purpose.)
>
> In addition, the protocol is also expanded to include per-helper state
> and multi-legged authentication (the former is effectively required for
> the latter). The per-helper state can be useful to help credential
> helpers identify where the credential is stored, or any other
> information necessary. Because NTLM and Negotiate (Kerberos/wrapped
> NTLM) require two rounds of authentication, the multi-legged
> authentication support along with per-helper state allows the helper to
> support these authentication methods without Git or other clients having
> to be aware of how they work. (This would also be useful for SASL, as
> mentioned above.)
>
> This series introduces a capability mechanism to announce this
> functionality, which allows a helper to provide a username and password
> on older versions of Git while supporting more advanced functionality on
> newer versions. (This is especially important on Azure DevOps, where
> NTLM uses a username and password but Basic or Bearer can use a personal
> access token.) It is also designed such that extremely simple
> credential helpers, such as the shell one-liner in the Git FAQ that
> reads from the environment, don't accidentally claim to support
> functionality they don't offer.
>
> In addition, there is documentation for the expanded protocol, although
> none of the built-in helpers have been updated (that will be a future
> series for those for which it's possible).
If you've time, I think it would be instructive to add (conditional)
tests to libcredential and support in at least one storage helper,
such as credential-cache.
This would clarify the behaviour in subtle cases involving expiry and
multiple helpers.
>
> My personal interest here is getting credentials out of config files
> with `http.extraHeader` (which a future series will produce a warning
> for) and also allowing Git LFS to support Digest and NTLM with a
> suitable credential helper. Git LFS used to support NTLM using custom
> code (because the Go standard library does not), but it was found to be
> broken in lots of ways on Windows, and nobody with a Windows system
> wanted to fix it or support it, so we removed it. However, there are
> still some people who do want to use it, so allowing them to use a
> custom credential helper they maintain themselves seems like the best
> way forward. Despite the advantages of this series for Azure DevOps, I
> have no personal or professional stake in their product; my only
> interest is the general one in whether their users can securely store
> credentials. I believe the changes here are of general advantage to the
> Git userbase in a variety of ways such that the goal of this series
> should be uncontroversial.
>
> Feedback on any portion of this series is of course welcome.
>
> [0] A name different from `password` was explicitly chosen to avoid
> confusion from less capable protocol helpers so that they don't
> accidentally send invalid data. This does have the downside that
> credential helpers must learn a new field to not log, but that should be
> generally easy to fix in most cases.
>
> brian m. carlson (13):
> credential: add an authtype field
> remote-curl: reset headers on new request
> http: use new headers for each object request
> credential: add a field for pre-encoded credentials
> credential: gate new fields on capability
> docs: indicate new credential protocol fields
> http: add support for authtype and credential
> credential: add an argument to keep state
> credential: enable state capability
> docs: set a limit on credential line length
> t5563: refactor for multi-stage authentication
> strvec: implement swapping two strvecs
> credential: add support for multistage credential rounds
>
> Documentation/git-credential.txt | 59 +++++-
> builtin/credential-cache--daemon.c | 2 +-
> builtin/credential-store.c | 2 +-
> builtin/credential.c | 7 +-
> credential.c | 114 ++++++++++-
> credential.h | 69 ++++++-
> http.c | 128 +++++++-----
> http.h | 5 +
> imap-send.c | 2 +-
> remote-curl.c | 14 +-
> strvec.c | 7 +
> strvec.h | 5 +
> t/lib-httpd/nph-custom-auth.sh | 17 +-
> t/t0300-credentials.sh | 136 ++++++++++++-
> t/t5563-simple-http-auth.sh | 308 +++++++++++++++++++++++++----
> 15 files changed, 760 insertions(+), 115 deletions(-)
>
next prev parent reply other threads:[~2024-03-30 8:17 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-24 1:12 [PATCH 00/13] Support for arbitrary schemes in credentials brian m. carlson
2024-03-24 1:12 ` [PATCH 01/13] credential: add an authtype field brian m. carlson
2024-03-24 1:12 ` [PATCH 02/13] remote-curl: reset headers on new request brian m. carlson
2024-03-24 1:12 ` [PATCH 03/13] http: use new headers for each object request brian m. carlson
2024-03-27 8:02 ` Patrick Steinhardt
2024-03-24 1:12 ` [PATCH 04/13] credential: add a field for pre-encoded credentials brian m. carlson
2024-03-24 1:12 ` [PATCH 05/13] credential: gate new fields on capability brian m. carlson
2024-03-27 8:02 ` Patrick Steinhardt
2024-03-27 21:33 ` brian m. carlson
2024-04-02 10:04 ` Patrick Steinhardt
2024-04-04 0:39 ` brian m. carlson
2024-04-04 4:07 ` Patrick Steinhardt
2024-03-28 10:20 ` Jeff King
2024-03-28 16:13 ` Junio C Hamano
2024-03-28 16:29 ` Jeff King
2024-03-28 17:25 ` Junio C Hamano
2024-03-28 21:18 ` brian m. carlson
2024-03-24 1:12 ` [PATCH 06/13] docs: indicate new credential protocol fields brian m. carlson
2024-03-25 23:16 ` M Hickford
2024-03-25 23:37 ` brian m. carlson
2024-03-30 13:00 ` M Hickford
2024-03-31 21:43 ` brian m. carlson
2024-03-24 1:12 ` [PATCH 07/13] http: add support for authtype and credential brian m. carlson
2024-03-24 1:12 ` [PATCH 08/13] credential: add an argument to keep state brian m. carlson
2024-04-01 21:05 ` mirth hickford
2024-04-01 22:14 ` brian m. carlson
2024-03-24 1:12 ` [PATCH 09/13] credential: enable state capability brian m. carlson
2024-03-24 1:12 ` [PATCH 10/13] docs: set a limit on credential line length brian m. carlson
2024-03-24 1:12 ` [PATCH 11/13] t5563: refactor for multi-stage authentication brian m. carlson
2024-03-24 1:13 ` [PATCH 12/13] strvec: implement swapping two strvecs brian m. carlson
2024-03-27 8:02 ` Patrick Steinhardt
2024-03-27 21:22 ` Junio C Hamano
2024-03-27 21:34 ` brian m. carlson
2024-03-24 1:13 ` [PATCH 13/13] credential: add support for multistage credential rounds brian m. carlson
2024-03-28 8:00 ` M Hickford
2024-03-28 21:53 ` brian m. carlson
2024-04-01 20:51 ` M Hickford
2024-03-24 2:24 ` [PATCH 00/13] Support for arbitrary schemes in credentials Junio C Hamano
2024-03-24 15:21 ` brian m. carlson
2024-03-24 16:13 ` Junio C Hamano
2024-03-30 8:00 ` M Hickford
2024-03-30 8:16 ` M Hickford [this message]
2024-04-02 22:26 ` Calvin Wan
2024-04-04 1:01 ` brian m. carlson
2024-04-08 18:42 ` Jackson Toeniskoetter
2024-04-11 7:00 ` M Hickford
2024-04-12 0:09 ` brian m. carlson
2024-04-11 7:00 ` M Hickford
2024-04-12 0:13 ` brian m. carlson
2024-04-17 0:02 ` [PATCH v2 00/16] " brian m. carlson
2024-04-17 0:02 ` [PATCH v2 01/16] credential: add an authtype field brian m. carlson
2024-04-17 0:02 ` [PATCH v2 02/16] remote-curl: reset headers on new request brian m. carlson
2024-04-17 0:02 ` [PATCH v2 03/16] http: use new headers for each object request brian m. carlson
2024-04-17 0:02 ` [PATCH v2 04/16] credential: add a field for pre-encoded credentials brian m. carlson
2024-04-17 0:02 ` [PATCH v2 05/16] credential: gate new fields on capability brian m. carlson
2024-04-17 0:02 ` [PATCH v2 06/16] credential: add a field called "ephemeral" brian m. carlson
2024-04-17 0:02 ` [PATCH v2 07/16] docs: indicate new credential protocol fields brian m. carlson
2024-04-17 0:02 ` [PATCH v2 08/16] http: add support for authtype and credential brian m. carlson
2024-04-17 0:02 ` [PATCH v2 09/16] credential: add an argument to keep state brian m. carlson
2024-04-17 0:02 ` [PATCH v2 10/16] credential: enable state capability brian m. carlson
2024-04-17 0:02 ` [PATCH v2 11/16] docs: set a limit on credential line length brian m. carlson
2024-04-17 0:02 ` [PATCH v2 12/16] t5563: refactor for multi-stage authentication brian m. carlson
2024-04-17 0:02 ` [PATCH v2 13/16] credential: add support for multistage credential rounds brian m. carlson
2024-04-17 0:02 ` [PATCH v2 14/16] t: add credential tests for authtype brian m. carlson
2024-04-17 0:02 ` [PATCH v2 15/16] credential-cache: implement authtype capability brian m. carlson
2024-04-17 0:02 ` [PATCH v2 16/16] credential: add method for querying capabilities brian m. carlson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGJzqsnyPhR2t7yuVXGQtCoeeUM+yxOR9hDm1y2Y6hcSK6QMFQ@mail.gmail.com \
--to=mirth.hickford@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=mjcheetham@outlook.com \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).