Bug 835869

Summary:

curl --proxy-anyauth selects kerberos auth if proxy claims to support it

Product:

[Fedora] Fedora

Reporter:

Zdeněk Pavlas <zpavlas>

Component:

curl

Assignee:

Kamil Dudka <kdudka>

Status:

CLOSED UPSTREAM

QA Contact:

Fedora Extras Quality Assurance <extras-qa>

Severity:

medium

Docs Contact:

Priority:

unspecified

Version:

CC:

jzeleny, kdudka, mikhail.v.gavrilov, paul

Target Milestone:

---

Target Release:

---

Hardware:

Unspecified

OS:

Unspecified

Whiteboard:

Fixed In Version:

Doc Type:

Bug Fix

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2013-01-08 10:54:12 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

Bug Blocks:

892070

Attachments:

Description	Flags
GNOME proxy settings	none
GNOME proxy settings (Method->Automatic)	none

Description Zdeněk Pavlas 2012-06-27 11:07:25 UTC

Description of problem:

A HTTP proxy supports Kerberos, NTLM and Basic authentication.  Curl works with --proxy-basic or --proxy-ntlm options, but not with --proxy-any, since 

Version-Release number of selected component (if applicable):

How reproducible:

Always.

Steps to Reproduce:
1. curl --proxy=.. --proxy-user=.. --proxy-any http://...
2.
3.
  
Actual results:

Proxy replies with "407 Proxy Authentication Required". Curl retries the same request without using any of the supported authentication mechanisms.

Expected results:

Some auth header used in 2nd request (Basic or NTLM, if kerberos broken)

Additional info:

The following message appears in verbose logs:
* gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_1000' not found

Bug 769254 is the original Yum BZ with attached logs.

Comment 1 Kamil Dudka 2012-06-27 13:17:20 UTC

related upstream thread:

http://curl.haxx.se/mail/archive-2011-04/0021.html

Comment 2 Kamil Dudka 2012-06-29 12:19:27 UTC

If Kerberos together with some other authentication method(s) are both enabled and available, curl decides to use Kerberos, which is the most preferred method, without checking that we have valid credentials first.

Later, when gss_init_sec_context() fails, it is already too late to change the authentication method because the data->state.authproxy.avail flags are already cleared.

Comment 3 Kamil Dudka 2012-07-02 19:12:52 UTC

After all, I do not think that curl should be trying NTLM if gss_init_sec_context() fails.

The documentation of --anyauth says "Tells curl to figure out authentication method by itself, and use the most secure one the remote site claims to support."

Implementing what you ask for would make curl less secure.  It will be better to clarify the documentation of --proxy-anyauth in the same way as --anyauth.

Comment 4 Mikhail 2012-07-02 19:32:27 UTC

Maybe I do not quite understand. But it seems to me an indication forced methods of authentication in the future will complicate the integration yum with proxy configuration in gnome. They having only proxy address and port.

Comment 5 Kamil Dudka 2012-07-02 20:16:33 UTC

(In reply to comment #4)
> They having only proxy address and port.

How can you set the username and passwd then?

Comment 6 Mikhail 2012-07-03 01:41:19 UTC

Created attachment 595854 [details]
GNOME proxy settings

Comment 7 Mikhail 2012-07-03 01:47:44 UTC

Programs such as Firefox, Chrome and Opera can request proxy password by yourself if it needed.

Comment 8 Kamil Dudka 2012-07-17 20:16:35 UTC

related upstream thread:

http://thread.gmane.org/gmane.comp.web.curl.library/36363

Comment 9 Mikhail 2012-07-31 05:42:38 UTC

It possible to make curl to read the settings are seted through network proxy [1]?

[1] https://bugzilla.redhat.com/attachment.cgi?id=595854

Comment 10 Mikhail 2012-07-31 05:44:36 UTC

I want to work such a construction out of the box:

$ sudo rpm --import http://yum.mariadb.org/RPM-GPG-KEY-MariaDB
curl: (7) couldn't connect to host
error: http://yum.mariadb.org/RPM-GPG-KEY-MariaDB: import read failed(2).

Comment 11 Kamil Dudka 2012-07-31 06:47:54 UTC

(In reply to comment #9)
> It possible to make curl to read the settings are seted through network
> proxy [1]?

Make sure the following environment variables are set properly:

http://curl.haxx.se/docs/manpage.html#ENVIRONMENT

Comment 12 Mikhail 2012-07-31 07:02:41 UTC

Created attachment 601440 [details]
GNOME proxy settings (Method->Automatic)

Comment 13 Mikhail 2012-07-31 07:03:50 UTC

I am sure when I use Method->Manual which displayed on screenshot [1] all environment variables are set properly in both case:
ALL_PROXY=socks://10.10.9.62:8080/
FTP_PROXY=http://10.10.9.62:8080/
HTTPS_PROXY=http://10.10.9.62:8080/
HTTP_PROXY=http://10.10.9.62:8080/
NO_PROXY=localhost,127.0.0.0/8
all_proxy=socks://10.10.9.62:8080/
ftp_proxy=http://10.10.9.62:8080/
http_proxy=http://10.10.9.62:8080/
https_proxy=http://10.10.9.62:8080/
no_proxy=localhost,127.0.0.0/8

But in my case we have MS ISA proxy with NTLM auth :(
Curl must detect this and ask me for login and password.

Also I wonder how work Method-> Automatic [2]?
Because when I set  Method-> Automatic all browsers continue work, but environment variables ALL_PROXY, FTP_PROXY, HTTPS_PROXY, HTTP_PROXY, NO_PROXY, all_proxy, ftp_proxy, http_proxy, https_proxy, no_proxy are not exists.

[1] https://bugzilla.redhat.com/attachment.cgi?id=595854
[2] https://bugzilla.redhat.com/attachment.cgi?id=601440

Comment 14 Kamil Dudka 2012-07-31 07:15:24 UTC

(In reply to comment #13)
> Also I wonder how work Method-> Automatic [2]?

http://curl.haxx.se/docs/faq.html#Does_curl_support_Javascript_or

Comment 15 Zdeněk Pavlas 2013-01-08 10:54:12 UTC

Fixed upstream https://sourceforge.net/p/curl/bugs/1127/