cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: Re: Re: http_negotiate_sspi.c in CURL 7.21.7 doesn't allow to pass user/password

From: Leonardo Rosati <geppio1975_at_gmail.com>
Date: Thu, 3 Jul 2014 17:47:34 +0200

Actually, http_ntlm.c, which uses SSPI, also uses passed username and
password. So again my point is that these two SSPI based implementations
are different. My opinion is that negotiate should pass user/password. in
case I'm wrong then ntlm is wrong because accepts and passes user/passwords

2014-07-03 15:00 GMT+02:00 Michael-O <1983-01-06_at_gmx.net>:

> Refer to known bug #10: http://curl.haxx.se/docs/knownbugs.html
>
> If this is fixed, you need to do this only:
> $ curl --(negotiate|ntlm) <url>
>
> on Windows, credentials are obtained by SSPI and SSPI only. No manual
> passing. This is default on Windows with every implemenation on top of SSPI.
>
> *Gesendet:* Donnerstag, 03. Juli 2014 um 13:46 Uhr
>
> *Von:* "Leonardo Rosati" <geppio1975_at_gmail.com>
> *An:* "libcurl development" <curl-library_at_cool.haxx.se>
> *Betreff:* Re: Re: http_negotiate_sspi.c in CURL 7.21.7 doesn't allow to
> pass user/password
> What behavior is correct? the one in negotiate http_negotiate-sspi.c
> which doesn't use the credentials? if so, why is it correct? and why it's
> different from ntlm method?
>
> 2014-07-03 12:40 GMT+02:00 Michael-O <1983-01-06_at_gmx.net>:
>>
>> That behavior is correct.
>>
>>
>>
>> Gesendet: Donnerstag, 03. Juli 2014 um 12:31 Uhr
>> Von: "Leonardo Rosati" <geppio1975_at_gmail.com>
>> An: "libcurl development" <curl-library_at_cool.haxx.se>
>> Betreff: Re: http_negotiate_sspi.c in CURL 7.21.7 doesn't allow to pass
>> user/password
>>
>> I've tried debugging with WireShark with a proxy with negotiation (ISA
>> Server) and CURL does not pass user/password to the proxy even if
>> specified. The machine is authenticated just in case it is part of the
>> domain.
>> Code in http_negotiate-sspi.c is different from the http_ntlm.c, which,
>> correctly, passes username/password
>> Anyone has verified negotiation passes credentials?
>> leonardo
>>
>> 2014-06-27 22:27 GMT+02:00 Michael Osipov <1983-01-06_at_gmx.net>:Am
>> 2014-06-27 11:11, schrieb Leonardo Rosati:
>> hi,
>>
>> looking at the source code of http_negotiate-sspi.c the code doesn't use
>> the user/password in case they are passed by the user, in practice
>> assuming
>> the proxy to authenticate the connection based on if the machine is in the
>> domain or not.
>> instead the code for ntlm is different: it passes user/password in case
>> they are not empty and so user/password are used for authentication
>> purposes.
>>
>> I think the correct behavior is the one for ntlm and therefore the
>> negotiate method should be changed.I don't think so. The intention in
>> both is to have credentials already present at/after login time. At least
>> for NTLM on Windows and SPNEGO on all platforms.
>>
>> Michael
>>
>> -------------------------------------------------------------------
>> List admin:
>> http://cool.haxx.se/list/listinfo/curl-library[http://cool.haxx.se/list/listinfo/curl-library]
>> Etiquette:
>> http://curl.haxx.se/mail/etiquette.html[http://curl.haxx.se/mail/etiquette.html]-------------------------------------------------------------------
>> List admin:
>> http://cool.haxx.se/list/listinfo/curl-library[http://cool.haxx.se/list/listinfo/curl-library]
>> Etiquette:
>> http://curl.haxx.se/mail/etiquette.html[http://curl.haxx.se/mail/etiquette.html]
>>
>> -------------------------------------------------------------------
>> List admin: http://cool.haxx.se/list/listinfo/curl-library
>> Etiquette: http://curl.haxx.se/mail/etiquette.html
>>
> ------------------------------------------------------------------- List
> admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette:
> http://curl.haxx.se/mail/etiquette.html
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-03