Description of problem:
Git in combination with HTTP(s) and SSO using Kerberos no longer works when using libcurl > 7.19.7-27. As libcurl > 7.19.7-27 got a fix to no longer unconditionally delegate Kerberos tickets to services, and Git does not set the required options for libcurl to do so, Git is no longer able to do SSO with HTTP(s) connections.

Version-Release number of selected component (if applicable):
Git: any
libcurl > 7.19.7-27

How reproducible:
Try to check out a repository using Kerberos SSO from an HTTP(s) server.

Steps to Reproduce:
1. Have an HTTP(s)-configured and Kerberos-enabled Git repository
2. Get a Kerberos granting ticket (kinit)
3. Try to check out the repository (git clone https://git.example.com/my-repo.git)

Actual results:
Git prompts for a username/password combination

Expected results:
Git does not prompt for username/password and checks out the repository

Additional info:
As curl got an additional option "--delegate" which can be set to "none", "policy" or "always", Git should also have such options in the configuration file. That way we do not introduce another security flaw, which was initially fixed with RHBA-2013-0393.
git19 will soon be EOL and the next git resolves this bug. However, the customer will need to modify settings because of the upstream solution. More precisely, one possible solution which works since git v2.8.0:

    $ export GIT_HTTP_PROXY_AUTHMETHOD="negotiate"
    $ git config --global http.emptyAuth true
    ...
    $ git clone .....

Note that this solution will probably work only for git29. Native git* packages in RHEL-6 and RHEL-7 will probably work as before after the fix.
Reopening the bug again. Previously I tried to reproduce it according to the information in the reproducer. However, the reproducer is useless in this case and I don't have any info on how exactly to reproduce the use of delegation. My solution works because I configure git (and the git server) to use Kerberos authentication, and this doesn't use/need the --delegation parameter in any way.
Just appending the info that comment #7 is deprecated in that case.
The patch is already upstream for testing. I will backport it when it is approved.
Please reference the upstream commit or submission if publicly available.
My mistake: I got a response that the patch will be added to the testing branch upstream. But it is not merged yet. The final patch, which should be added upstream for testing, is here: http://www.spinics.net/lists/git/msg287130.html
git19 will soon be EOL. But this bug could be fixed in rh-git29. My patch is finally part of upstream, so I am going to prepare a patch.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2728.html
Note that a workaround that works fine at least with git-1.7.1-4.el6_7.1.x86_64 and git-1.8.3.1-6.el7_2.1.x86_64 is to replace:

    git clone https://git.example.com/my-repo.git

with:

    git clone https://:@git.example.com/my-repo.git

May be useful for people finding this bug until RHEL 7.4 is released.
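
Added example, not part of the bug thread or of the Git patch: a small audit of `git config --list` output for the delegation setting requested in the description, so that enabling it does not bring back unconditional ticket forwarding. It assumes the key is `http.delegation` (optionally URL-scoped as `http.<url>.delegation`), which is the name upstream Git uses and is not stated on this page; the host names and sample lines are constructed.

```python
# Added example: flag broad GSSAPI delegation in `git config --list` output.
# Assumes upstream Git's http.delegation / http.<url>.delegation keys.
VALID = {"none", "policy", "always"}
SUFFIX = ".delegation"


def audit_delegation(config_lines):
    """Return (severity, key, reason) tuples for risky delegation settings."""
    findings = []
    for line in config_lines:
        key, sep, value = line.strip().partition("=")
        lowered = key.lower()
        if not sep or not (lowered.startswith("http.") and lowered.endswith(SUFFIX)):
            continue
        # Text between "http." and ".delegation" is the URL scope ("" if global).
        scope = key[len("http."):-len(SUFFIX)]
        value = value.strip().lower()
        if value not in VALID:
            findings.append(("info", key, f"unrecognised value {value!r}"))
        elif value == "none":
            continue  # no ticket is delegated
        elif not scope:
            # Unscoped: the setting is used for every HTTP(S) remote Git talks to.
            severity = "high" if value == "always" else "medium"
            findings.append((severity, key,
                             "applies to every HTTP(S) remote; scope it to one URL"))
        elif value == "always":
            # 'policy' delegates only when the KDC marks the service OK-AS-DELEGATE.
            findings.append(("medium", key,
                             "delegates regardless of OK-AS-DELEGATE; prefer 'policy'"))
    return findings


# Constructed sample in `git config --list` format (one key=value per line).
SAMPLE = [
    "user.name=Example User",
    "http.emptyauth=true",
    "http.delegation=always",
    "http.https://git.example.com/.delegation=policy",
    "http.https://build.example.com/.delegation=always",
]

if __name__ == "__main__":
    for severity, key, reason in audit_delegation(SAMPLE):
        print(f"[{severity}] {key}: {reason}")
```

A URL-scoped `policy` entry produces no finding, since delegation is then limited to one server and still gated by the KDC.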