curl-library

[ curl-Bugs-1004841 ] --negotiate does not work without username/password

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Fri, 06 Aug 2004 12:50:10 -0700

Bugs item #1004841, was opened at 2004-08-06 21:50
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=1004841&group_id=976

Category: None
Group: wrong behaviour
Status: Open
Resolution: None
Priority: 5
Submitted By: Enrico Scholz (ensc)
Assigned to: Nobody/Anonymous (nobody)
Summary: --negotiate does not work without username/password

Initial Comment:
curl does not try required authentication steps when a username was
not given. But as '--negotiate' does not require a username, this
method does not work.

pickoneauth() in lib/http.c seems to be the responsible function for
determining the requested auth-method; it gets called only when s
user_passwd was set.

For example, the next invocation will return without trying to authenticate.

| $ curl -i --negotiate http://MY-HOST/admin/ -v
| * About to connect() to MY-HOST port 80
| * Connected to MY-HOST (10.1.4.1) port 80
| > GET /admin/ HTTP/1.1
| User-Agent: curl/7.12.0 (i686-redhat-linux-gnu) libcurl/7.12.0 OpenSSL/0.9.7a ipv6 zlib/1.2.1.1 GSS
| Host: MY-HOST
| Pragma: no-cache
| Accept: */*
|
| < HTTP/1.1 401 Authorization Required
| HTTP/1.1 401 Authorization Required
| < Date: Fri, 06 Aug 2004 19:26:34 GMT
| Date: Fri, 06 Aug 2004 19:26:34 GMT
| < Server: Apache/2.0.50 (Fedora)
| Server: Apache/2.0.50 (Fedora)
| < WWW-Authenticate: Negotiate
| WWW-Authenticate: Negotiate
| < WWW-Authenticate: Basic realm="XXX"
| WWW-Authenticate: Basic realm="XXX"
| < Content-Length: 504
| Content-Length: 504
| < Connection: close
| Connection: close
| < Content-Type: text/html; charset=iso-8859-1
| Content-Type: text/html; charset=iso-8859-1
|
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| ...
| * Closing connection #0
| $

Now, when giving a bogus username, GSSAPI auth will be tried:

| $ curl -i --negotiate http://MY-HOST/admin/ -v -u XX
| Enter host password for user 'XX':
| * About to connect() to MY-HOST port 80
| * Connected to MY-HOST (10.1.4.1) port 80
| > GET /admin/ HTTP/1.1
| User-Agent: curl/7.12.0 (i686-redhat-linux-gnu) libcurl/7.12.0 OpenSSL/0.9.7a ipv6 zlib/1.2.1.1 GSS
| Host: MY-HOST
| Pragma: no-cache
| Accept: */*
|
| < HTTP/1.1 401 Authorization Required
| HTTP/1.1 401 Authorization Required
| < Date: Fri, 06 Aug 2004 19:30:11 GMT
| Date: Fri, 06 Aug 2004 19:30:11 GMT
| < Server: Apache/2.0.50 (Fedora)
| Server: Apache/2.0.50 (Fedora)
| < WWW-Authenticate: Negotiate
| WWW-Authenticate: Negotiate
| < WWW-Authenticate: Basic realm="XXX"
| WWW-Authenticate: Basic realm="XXX"
| < Content-Length: 504
| Content-Length: 504
| < Connection: close
| Connection: close
| < Content-Type: text/html; charset=iso-8859-1
| Content-Type: text/html; charset=iso-8859-1
|
| * Closing connection #0
| * Issue another request to this URL: 'http://MY-HOST/admin/'
| * About to connect() to MY-HOST port 80
| * Connected to MY-HOST (10.1.4.1) port 80
| * Server auth using GSS-Negotiate with user 'XX'
| > GET /admin/ HTTP/1.1
| Authorization: Negotiate YIICLQYJKoZIhvcSAQICAQB...
| User-Agent: curl/7.12.0 (i686-redhat-linux-gnu) libcurl/7.12.0 OpenSSL/0.9.7a ipv6 zlib/1.2.1.1 GSS

----------------------------------------------------------------------

Received on 2004-08-06
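
The gating problem described in the report, as an added example that is not part of the original mail and is not libcurl's pickoneauth() source: a simplified model in which scheme selection is skipped without a user name, next to a gate that keeps only Negotiate eligible in that case so Basic is never chosen without credentials. All names and flag values are hypothetical, and the relaxed gate is an assumption about one possible behaviour, not the project's fix.

```c
#include <stdio.h>
#include <strings.h>
/* Flags for this model only; they are not libcurl's constants. */
enum { AUTH_NONE = 0, AUTH_BASIC = 1, AUTH_NEGOTIATE = 2 };

/* Constructed sample: challenge headers as in the trace above. */
static const char *const sample_hdrs[] = {
  "WWW-Authenticate: Negotiate",
  "WWW-Authenticate: Basic realm=\"XXX\"",
  "Content-Length: 504"
};

/* Collect the schemes a 401 response offers (header names are case-insensitive). */
static unsigned offered(const char *const *hdrs, size_t n) {
  unsigned avail = AUTH_NONE;
  for(size_t i = 0; i < n; i++) {
    const char *p = hdrs[i];
    if(strncasecmp(p, "WWW-Authenticate:", 17) != 0)
      continue;
    for(p += 17; *p == ' ' || *p == '\t'; p++) {}
    if(strncasecmp(p, "Negotiate", 9) == 0)
      avail |= AUTH_NEGOTIATE;
    else if(strncasecmp(p, "Basic", 5) == 0)
      avail |= AUTH_BASIC;
  }
  return avail;
}

/* Strongest scheme that the client wants and the server offers. */
static unsigned pick(unsigned want, unsigned avail) {
  unsigned both = want & avail;
  return (both & AUTH_NEGOTIATE) ? AUTH_NEGOTIATE : (both & AUTH_BASIC);
}

/* Reported behaviour: nothing is selected unless a user name was given. */
static unsigned select_reported(unsigned want, unsigned avail, int have_user) {
  return have_user ? pick(want, avail) : AUTH_NONE;
}

/* Alternative gate: without a user name only Negotiate stays eligible. */
static unsigned select_relaxed(unsigned want, unsigned avail, int have_user) {
  return pick(have_user ? want : (want & AUTH_NEGOTIATE), avail);
}

int main(void) {
  unsigned a = offered(sample_hdrs, 3);
  printf("reported=%u relaxed=%u\n", select_reported(AUTH_NEGOTIATE, a, 0),
         select_relaxed(AUTH_NEGOTIATE, a, 0));
}
```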