#440 --negotiate does not work without username/password

closed-later
http (206)
6
2014-08-17
2004-08-06
No

curl does not try required authentication steps when a username was
not given. But as '--negotiate' does not require a username, this
method does not work.

pickoneauth() in lib/http.c seems to be the responsible function for
determining the requested auth-method; it gets called only when
user_passwd was set.

For example, the next invocation will return without trying to authenticate.

| $ curl -i --negotiate http://MY-HOST/admin/ -v
| * About to connect() to MY-HOST port 80
| * Connected to MY-HOST (10.1.4.1) port 80
| > GET /admin/ HTTP/1.1
| User-Agent: curl/7.12.0 (i686-redhat-linux-gnu) libcurl/7.12.0 OpenSSL/0.9.7a ipv6 zlib/1.2.1.1 GSS
| Host: MY-HOST
| Pragma: no-cache
| Accept: */*
|
| < HTTP/1.1 401 Authorization Required
| HTTP/1.1 401 Authorization Required
| < Date: Fri, 06 Aug 2004 19:26:34 GMT
| Date: Fri, 06 Aug 2004 19:26:34 GMT
| < Server: Apache/2.0.50 (Fedora)
| Server: Apache/2.0.50 (Fedora)
| < WWW-Authenticate: Negotiate
| WWW-Authenticate: Negotiate
| < WWW-Authenticate: Basic realm="XXX"
| WWW-Authenticate: Basic realm="XXX"
| < Content-Length: 504
| Content-Length: 504
| < Connection: close
| Connection: close
| < Content-Type: text/html; charset=iso-8859-1
| Content-Type: text/html; charset=iso-8859-1
|
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| ...
| * Closing connection #0
| $

Now, when giving a bogus username, GSSAPI auth will be tried:

| $ curl -i --negotiate http://MY-HOST/admin/ -v -u XX
| Enter host password for user 'XX':
| * About to connect() to MY-HOST port 80
| * Connected to MY-HOST (10.1.4.1) port 80
| > GET /admin/ HTTP/1.1
| User-Agent: curl/7.12.0 (i686-redhat-linux-gnu) libcurl/7.12.0 OpenSSL/0.9.7a ipv6 zlib/1.2.1.1 GSS
| Host: MY-HOST
| Pragma: no-cache
| Accept: */*
|
| < HTTP/1.1 401 Authorization Required
| HTTP/1.1 401 Authorization Required
| < Date: Fri, 06 Aug 2004 19:30:11 GMT
| Date: Fri, 06 Aug 2004 19:30:11 GMT
| < Server: Apache/2.0.50 (Fedora)
| Server: Apache/2.0.50 (Fedora)
| < WWW-Authenticate: Negotiate
| WWW-Authenticate: Negotiate
| < WWW-Authenticate: Basic realm="XXX"
| WWW-Authenticate: Basic realm="XXX"
| < Content-Length: 504
| Content-Length: 504
| < Connection: close
| Connection: close
| < Content-Type: text/html; charset=iso-8859-1
| Content-Type: text/html; charset=iso-8859-1
|
| * Closing connection #0
| * Issue another request to this URL: 'http://MY-HOST/admin/'
| * About to connect() to MY-HOST port 80
| * Connected to MY-HOST (10.1.4.1) port 80
| * Server auth using GSS-Negotiate with user 'XX'
| > GET /admin/ HTTP/1.1
| Authorization: Negotiate YIICLQYJKoZIhvcSAQICAQB...
| User-Agent: curl/7.12.0 (i686-redhat-linux-gnu) libcurl/7.12.0 OpenSSL/0.9.7a ipv6 zlib/1.2.1.1 GSS
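
A simplified model of the selection step the report describes, added here as an example and not taken from curl's lib/http.c: it contrasts picking a scheme only when a user/password is set with picking one unconditionally while keeping Basic and Digest ineligible when no credentials exist. The names scheme_bit, pick_one, after_401, the AUTH_* bits and the preference order are assumptions of the example.

```c
#include <stdio.h>
#include <strings.h>

/* Hypothetical scheme bits for this model; not libcurl's constants. */
enum { AUTH_NONE = 0, AUTH_BASIC = 1, AUTH_DIGEST = 2, AUTH_NEGOTIATE = 4 };

/* Map one WWW-Authenticate value to a scheme bit (case-insensitive). */
static int scheme_bit(const char *v)
{
  while(*v == ' ') v++;
  if(!strncasecmp(v, "Negotiate", 9)) return AUTH_NEGOTIATE;
  if(!strncasecmp(v, "Digest", 6)) return AUTH_DIGEST;
  if(!strncasecmp(v, "Basic", 5)) return AUTH_BASIC;
  return AUTH_NONE;
}

/* Strongest scheme both offered and allowed. The preference order
   Negotiate > Digest > Basic is an assumption of this model. */
static int pick_one(int avail, int want)
{
  int both = avail & want;
  if(both & AUTH_NEGOTIATE) return AUTH_NEGOTIATE;
  if(both & AUTH_DIGEST) return AUTH_DIGEST;
  return (both & AUTH_BASIC) ? AUTH_BASIC : AUTH_NONE;
}

/* Scheme to retry with after a 401, or AUTH_NONE to give up.
   gated=1: selection runs only when a user/password was given (the report).
   gated=0: selection always runs, but without credentials only Negotiate
   stays eligible, so the client never falls back to an empty Basic login. */
int after_401(const char *const *chal, int n, int want, int have_user, int gated)
{
  int avail = 0, i;
  for(i = 0; i < n; i++) avail |= scheme_bit(chal[i]);
  if(gated && !have_user) return AUTH_NONE;
  if(!have_user) want &= AUTH_NEGOTIATE;
  return pick_one(avail, want);
}

int main(void)
{
  /* Challenge values taken from the 401 response shown in the report. */
  const char *const chal[] = { "Negotiate", "Basic realm=\"XXX\"" };
  printf("gated, no user:   %d\n", after_401(chal, 2, AUTH_NEGOTIATE, 0, 1));
  printf("gated, user XX:   %d\n", after_401(chal, 2, AUTH_NEGOTIATE, 1, 1));
  printf("ungated, no user: %d\n", after_401(chal, 2, AUTH_NEGOTIATE, 0, 0));
  return 0;
}
```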

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2004-08-08

    The code assumes that you have user+password for
    authentication.

    I'm not sure this will be fixed before the next release. I don't
    have any Negotiate access nor do I have any test cases for
    it.

     
  • Daniel Stenberg

    Daniel Stenberg - 2004-08-08
    • labels: --> http
    • priority: 5 --> 6
    • assigned_to: nobody --> bagder
     
  • Daniel Stenberg

    Daniel Stenberg - 2004-08-09

    Added bug to the KNOWN_BUGS document, closing this issue here.

    There's no time frame for a fix, but hopefully we'll sort it
    out for 7.12.2.

     
  • Daniel Stenberg

    Daniel Stenberg - 2004-08-09
    • status: open --> closed-later