cURL / Mailing Lists / curl-users / Single Mail

curl-users

Authentication fallback to Basic from Negotiate

From: John Hodrien <J.H.Hodrien_at_leeds.ac.uk>
Date: Wed, 17 Apr 2013 10:08:45 +0100 (BST)

If a web server presents Negotiate and Basic auth, but the client's not in a
position to do Negotiate (no ticket, or perhaps just no local kerberos
configuration) even though curl is compiled with gssapi support, should it fall
back to using basic or not?

If I do provide it with a kerberos credential, it works fine, and if I disable
kerberos on the server and just have basic it works.

My specific problem was with git, but given the curl command-line tool is
giving me a matching result, I figure understanding the issue from curl's side
would be a good starting point.

Thanks,

$ curl -vvvvv -u user --anyauth https://www.example.com/
Enter host password for user 'user':
* About to connect() to www.example.com port 443 (#0)
* Trying 192.0.43.10... connected
* Connected to www.example.com (192.0.43.10) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=www.example.com
* start date: Jul 16 00:00:00 2010 GMT
* expire date: Jul 15 23:59:59 2013 GMT
* common name: www.example.com
* issuer: CN=BLAH
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: www.example.com
> Accept: */*
>
< HTTP/1.1 401 Authorization Required
< Date: Wed, 17 Apr 2013 08:56:21 GMT
< Server: Apache/2.2.3 (CentOS)
* gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_23483_dYEQks' not foundWWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="GIT"
< Content-Length: 495
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at www.example.com Port 443</address>
</body></html>
* Closing connection #0

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-04-17

This message: [ Message body ]
Next message: Lars Lars: "Curl delayed communication"
Previous message: Daniel Stenberg: "Re: cURL hangs when downloading a CSV file from behind a proxy"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]