curl-library

Re: problem using NTLM authentication with default OS credentials

From: Michael Osipov <1983-01-06_at_gmx.net>
Date: Fri, 11 Jul 2014 15:50:04 +0200

On 2014-07-11 12:44, David Woodhouse wrote:
> On Fri, 2014-05-30 at 01:13 -0700, jasper_ro_at_yahoo.com wrote:
>> curl_easy_setopt(curl_handle,CURL_PROXYAUTH,CURLAUTH_NTLM | CURLAUTH_NTLM_WB | CURLAUTH_GSSNEGOTIATE);
>> curl_easy_setopt(curl_handle,CURL_PROXYUSERPWD,":");
>> curl_easy_perform(curl_handle) ;
> ...
>> Is there a known problem in curl for running this way in linux ?
>
> [..]
> However, there's a third problem — you need to drop CURLAUTH_NTLM from
> your auth options. Otherwise it'll try 'native' NTLM using that empty
> username and password (doh!) before trying the automatic NTLM
> authentication via winbind.
>
> Which is a bit stupid, admittedly, but I'm not quite sure what the best
> fix is. Should we patch http.c to always try ntlm_wb *before* ntlm auth?
> Or patch the native NTLM auth method to bail out if the username and
> password are empty? Or both?

In my opinion, we can refer to the HTTP standard, which mandates using
strongest to weakest auth. So curl would actually need to prioritize
authentication and try in that order:

Kerberos > Negotiate > Digest > NTLM_WB > NTLM > Basic.

KRB 5 comes before SPNEGO, because it can downgrade to NTLM, which is less
secure. Digest comes before NTLM because, again, less secure and
proprietary.

Supposing that the server requests one of the schemes above.

Michael

Received on 2014-07-11
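An added example (not part of the mail and not curl's code) of the selection order proposed above, combined with the suggestion in the quoted text that native NTLM should not be attempted with an empty username and password. The enum, struct and function names are hypothetical; it assumes the client supports every scheme listed, and it extends the empty-credential check to Digest and Basic, which the thread does not discuss.

```c
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

/* Client-side methods, strongest first, in the order proposed in the mail.
   These names are local to this example, not libcurl constants. */
enum method { M_NONE, M_KERBEROS, M_NEGOTIATE, M_DIGEST, M_NTLM_WB, M_NTLM, M_BASIC };

struct client {
  const char *user;      /* "" together with "" password: use default OS credentials */
  const char *password;
  int have_winbind;      /* assumption: caller knows whether the winbind helper is usable */
};

/* Explicit credentials exist unless both fields are empty (the ":" case). */
static int has_creds(const struct client *c)
{
  return (c->user && c->user[0]) || (c->password && c->password[0]);
}

/* Scheme tokens in (Proxy-)Authenticate headers are case-insensitive. */
static int offered(const char *const *schemes, size_t n, const char *name)
{
  for (size_t i = 0; i < n; i++)
    if (strcasecmp(schemes[i], name) == 0)
      return 1;
  return 0;
}

enum method pick_method(const char *const *schemes, size_t n, const struct client *c)
{
  if (offered(schemes, n, "Kerberos"))               return M_KERBEROS;
  if (offered(schemes, n, "Negotiate"))              return M_NEGOTIATE;
  if (offered(schemes, n, "Digest") && has_creds(c)) return M_DIGEST;
  if (offered(schemes, n, "NTLM")) {
    if (c->have_winbind) return M_NTLM_WB; /* helper supplies the OS credentials */
    if (has_creds(c))    return M_NTLM;    /* never send an empty user/password */
  }
  if (offered(schemes, n, "Basic") && has_creds(c))  return M_BASIC;
  return M_NONE;                           /* nothing usable: fail, do not guess */
}

int main(void)
{
  const char *const offer[] = { "NTLM", "Basic" };   /* constructed sample offer */
  struct client os_default = { "", "", 1 };
  printf("chosen method id: %d\n", pick_method(offer, 2, &os_default));
  return 0;
}
```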