Red Hat Bugzilla – Bug 835869
curl --proxy-anyauth selects kerberos auth if proxy claims to support it
Last modified: 2016-06-06 06:08:46 EDT
Description of problem:
An HTTP proxy supports Kerberos, NTLM and Basic authentication. Curl works with --proxy-basic or --proxy-ntlm options, but not with --proxy-any, since
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. curl --proxy=.. --proxy-user=.. --proxy-any http://...
Proxy replies with "407 Proxy Authentication Required". Curl retries the same request without using any of the supported authentication mechanisms.
Some auth header used in 2nd request (Basic or NTLM, if kerberos broken)
The following message appears in verbose logs:
* gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_1000' not found
Bug 769254 is the original Yum BZ with attached logs.
related upstream thread:
If Kerberos together with some other authentication method(s) are both enabled and available, curl decides to use Kerberos, which is the most preferred method, without checking that we have valid credentials first.
Later, when gss_init_sec_context() fails, it is already too late to change the authentication method because the data->state.authproxy.avail flags are already cleared.
After all, I do not think that curl should be trying NTLM if gss_init_sec_context() fails.
The documentation of --anyauth says "Tells curl to figure out authentication method by itself, and use the most secure one the remote site claims to support."
Implementing what you ask for would make curl less secure. It will be better to clarify the documentation of --proxy-anyauth in the same way as --anyauth.
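A simplified C model of the selection behaviour described in the comment above, added here as an illustration; it is not curl's source code. The flag names, `pick_one`, `retry_scheme` and the NTLM-over-Basic ordering are assumptions of this example, and `negotiate_token` stands in for gss_init_sec_context().

```c
#include <stddef.h>
#include <stdio.h>

/* Scheme bit flags; names and values belong to this example only. */
#define AUTH_BASIC     (1u << 0)
#define AUTH_NTLM      (1u << 1)
#define AUTH_NEGOTIATE (1u << 2) /* Kerberos through GSS-API */
#define AUTH_ANY       (AUTH_BASIC | AUTH_NTLM | AUTH_NEGOTIATE)

struct auth_state {
    unsigned want;   /* schemes the user allows (--proxy-anyauth: all) */
    unsigned avail;  /* schemes the proxy listed in its 407 reply */
    unsigned picked; /* scheme chosen for the retry, 0 if none */
};

/* Choose the most preferred scheme in want & avail, then clear avail.
   Once avail is cleared, no later call can choose a different scheme. */
static unsigned pick_one(struct auth_state *a)
{
    /* Assumed preference order: Kerberos first, as the thread states. */
    static const unsigned order[] = { AUTH_NEGOTIATE, AUTH_NTLM, AUTH_BASIC };
    unsigned usable = a->want & a->avail;
    a->picked = 0;
    for (size_t i = 0; i < sizeof order / sizeof order[0]; i++)
        if (usable & order[i]) { a->picked = order[i]; break; }
    a->avail = 0;
    return a->picked;
}

/* Stand-in for gss_init_sec_context(): fails without a credentials cache. */
static int negotiate_token(int have_ccache) { return have_ccache ? 0 : -1; }

/* Scheme whose header is sent on the retry after the 407, 0 for none. */
unsigned retry_scheme(unsigned want, unsigned offered, int have_ccache)
{
    struct auth_state a = { want, offered, 0 };
    unsigned s = pick_one(&a);
    if (s == AUTH_NEGOTIATE && negotiate_token(have_ccache) != 0)
        return pick_one(&a); /* avail is already 0: nothing left to pick */
    return s;
}

int main(void)
{
    printf("anyauth, no ccache: %u\n", retry_scheme(AUTH_ANY, AUTH_ANY, 0));
    printf("anyauth, ccache:    %u\n", retry_scheme(AUTH_ANY, AUTH_ANY, 1));
    printf("ntlm only:          %u\n", retry_scheme(AUTH_NTLM, AUTH_ANY, 0));
    return 0;
}
```

With every scheme allowed and no credentials cache the model returns 0, which corresponds to the retry without any auth header reported in this bug; restricting the allowed set to NTLM or Basic never enters the Kerberos path.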
Maybe I do not quite understand, but it seems to me that specifying forced methods of authentication will, in the future, complicate the integration of yum with the proxy configuration in GNOME. They have only the proxy address and port.
(In reply to comment #4)
> They have only the proxy address and port.
How can you set the username and passwd then?
Created attachment 595854 [details]
GNOME proxy settings
Programs such as Firefox, Chrome and Opera can request the proxy password by themselves if it is needed.
related upstream thread:
Is it possible to make curl read the settings that are set through the network proxy?
I want such a construction to work out of the box:
$ sudo rpm --import http://yum.mariadb.org/RPM-GPG-KEY-MariaDB
curl: (7) couldn't connect to host
error: http://yum.mariadb.org/RPM-GPG-KEY-MariaDB: import read failed(2).
(In reply to comment #9)
> Is it possible to make curl read the settings that are set through the network
> proxy?
Make sure the following environment variables are set properly:
Created attachment 601440 [details]
GNOME proxy settings (Method->Automatic)
I am sure that when I use Method->Manual, which is displayed on the screenshot, all environment variables are set properly in both cases:
But in my case we have an MS ISA proxy with NTLM auth :(
Curl must detect this and ask me for login and password.
Also, I wonder how Method->Automatic works?
Because when I set Method->Automatic, all browsers continue to work, but the environment variables ALL_PROXY, FTP_PROXY, HTTPS_PROXY, HTTP_PROXY, NO_PROXY, all_proxy, ftp_proxy, http_proxy, https_proxy, no_proxy do not exist.
(In reply to comment #13)
> Also, I wonder how Method->Automatic works?
Fixed upstream https://sourceforge.net/p/curl/bugs/1127/