curl-users
Re: Negotiate broken even with "-u :"
Date: Wed, 29 Jan 2014 01:28:19 -0800
On Jan 29, 2014, at 1:06 AM, Michael-O <1983-01-06_at_gmx.net> wrote:
> Are you really sure about that? I use that option quite often and it does work with '-u :' here.
Fairly certain -- I was incredulous at first, too, until I compared 7.19.6 vs 7.31.0.  I tested against 7.31.0 and 7.34.0 (built from source on RHEL5).  Make sure you’re not injecting the username via another source (I see the URL and .netrc file as also toggling the relevant bits).
Specifically, I see it hit the site, get a 401, and then never attempt to retry with a Kerberos ticket (via SPNEGO).  I did a fair bit of debugging to see what flags were being set.
This bit in http.c, Curl_http_auth_act(), is supposed to decide to retry with GSSAPI:
  if(conn->bits.user_passwd &&
     ((data->req.httpcode == 401) ||
      (conn->bits.authneg && data->req.httpcode < 300))) {
    pickhost = pickoneauth(&data->state.authhost);
    if(!pickhost)
      data->state.authproblem = TRUE;
  }
However, conn->bits.user_passwd is false if you give it an empty username; in url.c:
  conn->bits.user_passwd = (NULL != data->set.str[STRING_USERNAME])?TRUE:FALSE;
data->set.str[STRING_USERNAME] is null if the username is empty (ulen == 0) per this bit, also in url.c:
  if(userp && ulen) {
    ubuf = malloc(ulen + 1);
    if(!ubuf)
      result = CURLE_OUT_OF_MEMORY;
  }
Received on 2014-01-29
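
The chain described in the message above, as an added example that is not part of the original post and is not curl source code: a simplified C model of how an empty user name from "-u :" leaves the user_passwd bit false, so the 401 gate never picks an auth method. The names model_conn, model_set_userpwd, model_would_pick_auth, retries_on_401 and the keep_empty switch are hypothetical; keep_empty only shows the contrast and is not curl's actual fix.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model (assumption): only the state the post mentions. */
struct model_conn {
  char *username;   /* stands in for data->set.str[STRING_USERNAME] */
  bool user_passwd; /* stands in for conn->bits.user_passwd */
  bool authneg;     /* stands in for conn->bits.authneg */
};

/* Parse a "-u user:password" value into a zeroed model_conn. keep_empty ==
   false mirrors the quoted `if(userp && ulen)` test; keep_empty == true is
   a hypothetical variant for comparison, not curl's actual fix. */
static int model_set_userpwd(struct model_conn *c, const char *arg,
                             bool keep_empty)
{
  const char *colon = strchr(arg, ':');
  size_t ulen = colon ? (size_t)(colon - arg) : strlen(arg);
  if(ulen || keep_empty) {
    c->username = calloc(ulen + 1, 1);
    if(!c->username)
      return -1;
    memcpy(c->username, arg, ulen);
  }
  c->user_passwd = (c->username != NULL);
  return 0;
}

/* Same condition as the quoted gate in Curl_http_auth_act(). */
static bool model_would_pick_auth(const struct model_conn *c, int httpcode)
{
  return c->user_passwd && (httpcode == 401 || (c->authneg && httpcode < 300));
}

/* Does a 401 lead to an auth retry for this -u value? */
static bool retries_on_401(const char *userpwd_arg, bool keep_empty)
{
  struct model_conn c = {0};
  bool r = model_set_userpwd(&c, userpwd_arg, keep_empty) == 0 &&
           model_would_pick_auth(&c, 401);
  free(c.username);
  return r;
}

int main(void)
{
  printf("%d %d\n", retries_on_401(":", false), retries_on_401("u:", false));
}
```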