Bug 835869 - curl --proxy-anyauth selects kerberos auth if proxy claims to support it
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: curl
Version: 17
Hardware: Unspecified Unspecified
Priority: unspecified Severity: medium
Assigned To: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
Blocks: 892070
 
Reported: 2012-06-27 07:07 EDT by Zdeněk Pavlas
Modified: 2016-06-06 06:08 EDT

Doc Type: Bug Fix
Last Closed: 2013-01-08 05:54:12 EST
Type: Bug


Attachments
GNOME proxy settings (32.56 KB, image/png)
2012-07-02 21:41 EDT, Mikhail
GNOME proxy settings (Method->Automatic) (27.60 KB, image/png)
2012-07-31 03:02 EDT, Mikhail

Description Zdeněk Pavlas 2012-06-27 07:07:25 EDT
Description of problem:

An HTTP proxy supports Kerberos, NTLM and Basic authentication. Curl works with --proxy-basic or --proxy-ntlm options, but not with --proxy-any, since

Version-Release number of selected component (if applicable):

How reproducible:

Always.

Steps to Reproduce:
1. curl --proxy=.. --proxy-user=.. --proxy-any http://...
Actual results:

Proxy replies with "407 Proxy Authentication Required". Curl retries the same request without using any of the supported authentication mechanisms.

Expected results:

Some auth header used in 2nd request (Basic or NTLM, if kerberos broken)

Additional info:

The following message appears in verbose logs:
* gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_1000' not found

Bug 769254 is the original Yum BZ with attached logs.
Comment 1 Kamil Dudka 2012-06-27 09:17:20 EDT
related upstream thread:

http://curl.haxx.se/mail/archive-2011-04/0021.html
Comment 2 Kamil Dudka 2012-06-29 08:19:27 EDT
If Kerberos together with some other authentication method(s) are both enabled and available, curl decides to use Kerberos, which is the most preferred method, without checking that we have valid credentials first.

Later, when gss_init_sec_context() fails, it is already too late to change the authentication method because the data->state.authproxy.avail flags are already cleared.
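
The selection behaviour described in comment 2, as a simplified C model added here for illustration (not curl's source and not part of the original thread). The AUTH_* bits, struct proxy_auth, pick_one and retry_auth are hypothetical names, and have_ticket stands in for whether gss_init_sec_context() can succeed.

```c
#include <stdio.h>

/* Hypothetical method bits for this sketch (not libcurl's CURLAUTH_* values). */
enum { AUTH_NONE = 0, AUTH_BASIC = 1, AUTH_NTLM = 2, AUTH_NEGOTIATE = 4 };

struct proxy_auth {
    unsigned want;    /* methods the user allows (--proxy-anyauth = all) */
    unsigned avail;   /* methods offered in the 407 response */
    unsigned picked;  /* method chosen for the retry */
};

/* Pick the most preferred method that is both wanted and offered, then
   clear avail, as comment 2 describes. Nothing here asks whether usable
   credentials exist for the chosen method. */
static unsigned pick_one(struct proxy_auth *a)
{
    unsigned usable = a->want & a->avail;
    if (usable & AUTH_NEGOTIATE)  a->picked = AUTH_NEGOTIATE;
    else if (usable & AUTH_NTLM)  a->picked = AUTH_NTLM;
    else if (usable & AUTH_BASIC) a->picked = AUTH_BASIC;
    else                          a->picked = AUTH_NONE;
    a->avail = AUTH_NONE;
    return a->picked;
}

/* Returns the method whose header goes on the retried request, or
   AUTH_NONE when the retry carries no Proxy-Authorization header.
   have_ticket models whether gss_init_sec_context() can succeed. */
static unsigned retry_auth(unsigned want, unsigned offered, int have_ticket)
{
    struct proxy_auth a = { want, offered, AUTH_NONE };
    unsigned m = pick_one(&a);
    if (m == AUTH_NEGOTIATE && !have_ticket) {
        /* Too late to reconsider: a.avail is already empty, so a second
           pick_one() finds nothing and the retry goes out unauthenticated. */
        return pick_one(&a);
    }
    return m;
}

int main(void)
{
    unsigned offered = AUTH_NEGOTIATE | AUTH_NTLM | AUTH_BASIC;
    printf("anyauth, no ticket: %u\n", retry_auth(offered, offered, 0));
    printf("anyauth, ticket:    %u\n", retry_auth(offered, offered, 1));
    printf("ntlm only:          %u\n", retry_auth(AUTH_NTLM, offered, 0));
    return 0;
}
```

With every method allowed and no ticket, the retry carries no auth header, which matches the report; restricting the wanted set to NTLM, the equivalent of --proxy-ntlm, selects a method that can complete.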
Comment 3 Kamil Dudka 2012-07-02 15:12:52 EDT
After all, I do not think that curl should be trying NTLM if gss_init_sec_context() fails.

The documentation of --anyauth says "Tells curl to figure out authentication method by itself, and use the most secure one the remote site claims to support."

Implementing what you ask for would make curl less secure.  It will be better to clarify the documentation of --proxy-anyauth in the same way as --anyauth.
Comment 4 Mikhail 2012-07-02 15:32:27 EDT
Maybe I do not quite understand, but it seems to me that having to indicate forced authentication methods will in the future complicate the integration of yum with the proxy configuration in GNOME. They have only proxy address and port.
Comment 5 Kamil Dudka 2012-07-02 16:16:33 EDT
(In reply to comment #4)
> They have only proxy address and port.

How can you set the username and passwd then?
Comment 6 Mikhail 2012-07-02 21:41:19 EDT
Created attachment 595854 [details]
GNOME proxy settings
Comment 7 Mikhail 2012-07-02 21:47:44 EDT
Programs such as Firefox, Chrome and Opera can request the proxy password by themselves if it is needed.
Comment 8 Kamil Dudka 2012-07-17 16:16:35 EDT
related upstream thread:

http://thread.gmane.org/gmane.comp.web.curl.library/36363
Comment 9 Mikhail 2012-07-31 01:42:38 EDT
Is it possible to make curl read the settings that are set through network proxy [1]?

[1] https://bugzilla.redhat.com/attachment.cgi?id=595854
Comment 10 Mikhail 2012-07-31 01:44:36 EDT
I want such a construction to work out of the box:

$ sudo rpm --import http://yum.mariadb.org/RPM-GPG-KEY-MariaDB
curl: (7) couldn't connect to host
error: http://yum.mariadb.org/RPM-GPG-KEY-MariaDB: import read failed(2).
Comment 11 Kamil Dudka 2012-07-31 02:47:54 EDT
(In reply to comment #9)
> Is it possible to make curl read the settings that are set through network
> proxy [1]?

Make sure the following environment variables are set properly:

http://curl.haxx.se/docs/manpage.html#ENVIRONMENT
Comment 12 Mikhail 2012-07-31 03:02:41 EDT
Created attachment 601440 [details]
GNOME proxy settings (Method->Automatic)
Comment 13 Mikhail 2012-07-31 03:03:50 EDT
I am sure that when I use Method->Manual, which is displayed in screenshot [1], all environment variables are set properly in both cases:
ALL_PROXY=socks://10.10.9.62:8080/
FTP_PROXY=http://10.10.9.62:8080/
HTTPS_PROXY=http://10.10.9.62:8080/
HTTP_PROXY=http://10.10.9.62:8080/
NO_PROXY=localhost,127.0.0.0/8
all_proxy=socks://10.10.9.62:8080/
ftp_proxy=http://10.10.9.62:8080/
http_proxy=http://10.10.9.62:8080/
https_proxy=http://10.10.9.62:8080/
no_proxy=localhost,127.0.0.0/8

But in my case we have an MS ISA proxy with NTLM auth :(
Curl must detect this and ask me for login and password.

Also, I wonder how Method->Automatic [2] works?
Because when I set Method->Automatic, all browsers continue to work, but the environment variables ALL_PROXY, FTP_PROXY, HTTPS_PROXY, HTTP_PROXY, NO_PROXY, all_proxy, ftp_proxy, http_proxy, https_proxy, no_proxy do not exist.

[1] https://bugzilla.redhat.com/attachment.cgi?id=595854
[2] https://bugzilla.redhat.com/attachment.cgi?id=601440
Comment 14 Kamil Dudka 2012-07-31 03:15:24 EDT
(In reply to comment #13)
> Also, I wonder how Method->Automatic [2] works?

http://curl.haxx.se/docs/faq.html#Does_curl_support_Javascript_or
Comment 15 Zdeněk Pavlas 2013-01-08 05:54:12 EST
Fixed upstream https://sourceforge.net/p/curl/bugs/1127/