From: Jean-Francois Bouchard <jfbouchard@accedian.com>
To: Jean-Francois Bouchard <jfbouchard@accedian.com>,
git <git@vger.kernel.org>
Subject: Re: Git + mod_auth_kerb
Date: Tue, 22 Jul 2014 12:41:19 -0400 [thread overview]
Message-ID: <CAPYmS36r2fTeY4iB3k7VpgE7brAGxa+wt9HzfXtMStbMW4_Xvg@mail.gmail.com> (raw)
In-Reply-To: <20140721231721.GB5616@vauxhall.crustytoothpaste.net>
Hello,
Thanks for this info. This make a lot of sense system wise. For a user
point of view, it is a nightmare. Also, this break a lot of tools that
are waiting username/password authentication via HTTPS. (I name
Eclipse).
Also, I m not able to reproduce the kerberos login on Ubuntu 14.04. I
m asked to enter password even if a kerberos ticket is present and
this even when I've embedded the username in the URI.
Is there a better way to integrate Kerberos via HTTPS for git ?
Thanks,
JF
On Mon, Jul 21, 2014 at 7:17 PM, brian m. carlson
<sandals@crustytoothpaste.net> wrote:
> On Mon, Jul 21, 2014 at 05:06:50PM -0400, Jean-Francois Bouchard wrote:
>> Hello,
>>
>> We are currently working on a single sign on setup for our git install. We are
>> using git 2.0.2 (ubuntu) plus apache/2.2.22 mod_auth_kerb on the
>> server side. Here some scenario we are trying to accomplish :
>>
>> -Without Kerberos ticket stored.
>> Git ask for username/password.
>> Result = Authentication failed
>>
>> -Kerberos ticket in store and BAD password :
>> Git ask for username/password.
>> Result = Authentication failed
>>
>> -Kerberos ticket in Store entering good password :
>> Git ask for username/password.
>> Result = Authentication failed on some host, other works
>>
>> -Kerberos ticket in Store and embedding the username in the URI (aka
>> https://username@repo)
>> Git don't ask for anything or ask for password
>> Result = Works on some host, other request the password. (Will fail if
>> the kerberos ticket not in store)
>
> So git uses libcurl with CURLAUTH_ANY. In order for authentication to
> work with libcurl, you have to supply a username. If you specify it in
> the URL, the libcurl realizes that it can use Kerberos, and goes on its
> merry way.
>
> If you don't specify the username in the URL, git notices that
> authentication has failed, and asks the credential store for a username
> and password. git does not know that a password is not needed, so the
> credential subsystem prompts for one anyway.
>
> I have mod_auth_kerb set up against Apache 2.4.9 at the moment, although
> I've used 2.2 before. I always use a username in the URL, and if I get
> prompted for the password, I just Ctrl-C out and run kinit before
> pushing again.
>
> I don't have mod_auth_kerb set up to fall back to basic auth, but if you
> do, using a username and password should work properly. You can use
> set the environment variable GIT_CURL_VERBOSE to 1 to see more
> information about what's actually going over the wire.
>
>> This is a very strange behaviour. It seems to be cause by the way
>> libcurl and git interact and the way the authentication goes
>> (Negociate first, then basic auth). I have tried to use the helper to
>> store invalid authentication information. With not much success.
>
> libcurl will always prefer something (anything) over basic auth, since
> basic auth is completely insecure unless you're using HTTPS.
>
> --
> brian m. carlson / brian with sandals: Houston, Texas, US
> +1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
> OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
--
Avis de confidentialité
Les informations contenues dans le présent message et dans toute pièce qui
lui est jointe sont confidentielles et peuvent être protégées par le secret
professionnel. Ces informations sont à l’usage exclusif de son ou de ses
destinataires. Si vous recevez ce message par erreur, veuillez s’il vous
plait communiquer immédiatement avec l’expéditeur et en détruire tout
exemplaire. De plus, il vous est strictement interdit de le divulguer, de
le distribuer ou de le reproduire sans l’autorisation de l’expéditeur.
Merci.
Confidentiality notice
This e-mail message and any attachment hereto contain confidential
information which may be privileged and which is intended for the exclusive
use of its addressee(s). If you receive this message in error, please
inform sender immediately and destroy any copy thereof. Furthermore, any
disclosure, distribution or copying of this message and/or any attachment
hereto without the consent of the sender is strictly prohibited. Thank you.
next prev parent reply other threads:[~2014-07-22 16:41 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-21 21:06 Git + mod_auth_kerb Jean-Francois Bouchard
2014-07-21 23:17 ` brian m. carlson
2014-07-22 16:41 ` Jean-Francois Bouchard [this message]
2014-07-23 1:59 ` brian m. carlson
2014-07-22 17:00 ` Junio C Hamano
2014-07-22 23:32 ` brian m. carlson
2014-07-26 20:57 ` brian m. carlson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPYmS36r2fTeY4iB3k7VpgE7brAGxa+wt9HzfXtMStbMW4_Xvg@mail.gmail.com \
--to=jfbouchard@accedian.com \
--cc=git@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).