cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: http_negotiate_sspi.c in CURL 7.21.7 doesn't allow to pass user/password

From: Michael-O <1983-01-06_at_gmx.net>
Date: Wed, 09 Jul 2014 20:14:30 +0200

Am 2014-07-09 17:21, schrieb Leonardo Rosati:
> In http_ntlm.c, line 713, user and password are taken from the proxy and
> used even if USE_WINDOWS_SSPI is defined. Code from line 748 to line 832
> used them and in particular AcquireCredentialsHandleA is invoked with a
> ntlm->identity struct filled with these user and password
>
> This is not done in http_negotiate_sspi.c. where AcquireCredentialsHandle
> is called passing NULL (from this, the fact that negotiate is done
> authenticating the machine, not the user passed in the curl parameters)

Again, nothing is passed and should not be. Everything is done
automatically by SSPI. Period. -u : is simply a bug in curl. No more, no
less.

> 2014-07-03 21:24 GMT+02:00 Michael-O <1983-01-06_at_gmx.net>:
>
>> Am 2014-07-03 17:47, schrieb Leonardo Rosati:
>>
>> Actually, http_ntlm.c, which uses SSPI, also uses passed username and
>>> password. So again my point is that these two SSPI based implementations
>>> are different. My opinion is that negotiate should pass user/password. in
>>> case I'm wrong then ntlm is wrong because accepts and passes
>>> user/passwords
>>>
>>
>> Again,
>>
>> curl on Windows does not accept any credentials. Default credentials are
>> obtained. The separate NTLM implementation in curl used on non-Windows
>> only. If you want AcquireCredHandle to use non-default creds, provide a
>> quality patch with fixes known bug #10 and implements your improvement.
>>
>> M
>>
>>
>> 2014-07-03 15:00 GMT+02:00 Michael-O <1983-01-06_at_gmx.net>:
>>>
>>> Refer to known bug #10: http://curl.haxx.se/docs/knownbugs.html
>>>>
>>>> If this is fixed, you need to do this only:
>>>> $ curl --(negotiate|ntlm) <url>
>>>>
>>>> on Windows, credentials are obtained by SSPI and SSPI only. No manual
>>>> passing. This is default on Windows with every implemenation on top of
>>>> SSPI.
>>>>
>>>> *Gesendet:* Donnerstag, 03. Juli 2014 um 13:46 Uhr
>>>>
>>>> *Von:* "Leonardo Rosati" <geppio1975_at_gmail.com>
>>>> *An:* "libcurl development" <curl-library_at_cool.haxx.se>
>>>> *Betreff:* Re: Re: http_negotiate_sspi.c in CURL 7.21.7 doesn't allow to
>>>>
>>>> pass user/password
>>>> What behavior is correct? the one in negotiate http_negotiate-sspi.c
>>>> which doesn't use the credentials? if so, why is it correct? and why it's
>>>> different from ntlm method?
>>>>
>>>> 2014-07-03 12:40 GMT+02:00 Michael-O <1983-01-06_at_gmx.net>:
>>>>
>>>>>
>>>>> That behavior is correct.
>>>>>
>>>>>
>>>>>
>>>>> Gesendet: Donnerstag, 03. Juli 2014 um 12:31 Uhr
>>>>> Von: "Leonardo Rosati" <geppio1975_at_gmail.com>
>>>>> An: "libcurl development" <curl-library_at_cool.haxx.se>
>>>>> Betreff: Re: http_negotiate_sspi.c in CURL 7.21.7 doesn't allow to pass
>>>>> user/password
>>>>>
>>>>> I've tried debugging with WireShark with a proxy with negotiation (ISA
>>>>> Server) and CURL does not pass user/password to the proxy even if
>>>>> specified. The machine is authenticated just in case it is part of the
>>>>> domain.
>>>>> Code in http_negotiate-sspi.c is different from the http_ntlm.c, which,
>>>>> correctly, passes username/password
>>>>> Anyone has verified negotiation passes credentials?
>>>>> leonardo
>>>>>
>>>>> 2014-06-27 22:27 GMT+02:00 Michael Osipov <1983-01-06_at_gmx.net>:Am
>>>>> 2014-06-27 11:11, schrieb Leonardo Rosati:
>>>>> hi,
>>>>>
>>>>> looking at the source code of http_negotiate-sspi.c the code doesn't use
>>>>> the user/password in case they are passed by the user, in practice
>>>>> assuming
>>>>> the proxy to authenticate the connection based on if the machine is in
>>>>> the
>>>>> domain or not.
>>>>> instead the code for ntlm is different: it passes user/password in case
>>>>> they are not empty and so user/password are used for authentication
>>>>> purposes.
>>>>>
>>>>> I think the correct behavior is the one for ntlm and therefore the
>>>>> negotiate method should be changed.I don't think so. The intention in
>>>>> both is to have credentials already present at/after login time. At
>>>>> least
>>>>> for NTLM on Windows and SPNEGO on all platforms.
>>>>>
>>>>> Michael
>>>>>
>>>>> -------------------------------------------------------------------
>>>>> List admin:
>>>>> http://cool.haxx.se/list/listinfo/curl-library[http://
>>>>> cool.haxx.se/list/listinfo/curl-library]
>>>>> Etiquette:
>>>>> http://curl.haxx.se/mail/etiquette.html[http://curl.
>>>>> haxx.se/mail/etiquette.html]--------------------------------
>>>>> -----------------------------------
>>>>> List admin:
>>>>> http://cool.haxx.se/list/listinfo/curl-library[http://
>>>>> cool.haxx.se/list/listinfo/curl-library]
>>>>> Etiquette:
>>>>> http://curl.haxx.se/mail/etiquette.html[http://curl.
>>>>> haxx.se/mail/etiquette.html]
>>>>>
>>>>> -------------------------------------------------------------------
>>>>> List admin: http://cool.haxx.se/list/listinfo/curl-library
>>>>> Etiquette: http://curl.haxx.se/mail/etiquette.html
>>>>>
>>>>> -------------------------------------------------------------------
>>>> List
>>>> admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette:
>>>> http://curl.haxx.se/mail/etiquette.html
>>>>
>>>> -------------------------------------------------------------------
>>>> List admin: http://cool.haxx.se/list/listinfo/curl-library
>>>> Etiquette: http://curl.haxx.se/mail/etiquette.html
>>>>
>>>>
>>>
>>>
>>> -------------------------------------------------------------------
>>> List admin: http://cool.haxx.se/list/listinfo/curl-library
>>> Etiquette: http://curl.haxx.se/mail/etiquette.html
>>>
>>>
>> -------------------------------------------------------------------
>> List admin: http://cool.haxx.se/list/listinfo/curl-library
>> Etiquette: http://curl.haxx.se/mail/etiquette.html
>>
>
>
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
>

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-09