如何强制Git(2.5+)HTTP传输比基本身份验证更喜欢SPNEGO? [英] How to force Git (2.5+) HTTP transport prefer SPNEGO over Basic authentication?
问题描述
https://el2-gitlab.sa.c/kkm/GrammarTools.git 的形式使用URL时,Git甚至不会尝试协商身份验证,要求输入用户名和密码。强制Git使用SPNEGO的工作流程是在URL本身提供空的用户名和密码,如 https: //:@ EL2-gitlab.sa.c / KKM / GrammarTools.git 。在这种情况下,Git很高兴地使用现有的Kerberos票证进行身份验证。 我可以配置Git来尝试SPNEGO而无需调整远程URL吗?
更多详细信息。我花了很长时间试图解决问题。首先,我尝试在.gitconfig中提供一个空的用户名,但无济于事:
[凭证https://el2-gitlab.sa.c]
用户名=''
当我遇到 reverse 问题时,Git拒绝恢复为基本后尝试和失败协商,但行为是确认已在2.3.1中更改。
回应使用空的用户名和密码的提示并没有帮助,这与我可以在SO上找到的一些建议相反(但它们可能会在2.3.1之前版本)。
最后,详细的libcurl输出(此处摘录)显示Git的确尝试基本身份验证并放弃协商:
$ export GIT_CURL_VERBOSE = 1
$ git clone https://el2-gitlab.sa.c/kkm/GrammarTools.git kerbtest
Clonin g到'kerbtest'...
*在_netrc文件中找不到主机el2-gitlab.sa.c;使用默认值
*使用TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> GET /kkm/GrammarTools.git/info/refs?service=git-upload-pack HTTP / 1.1
Host:el2-gitlab.sa.c
User-Agent:git / 2.5.1.windows .1
< HTTP / 1.1 401未授权
<状态:401未授权
< Www-Authenticate:Basic realm =
< Www-Authenticate:协商
<
*连接#0到主机el2-gitlab.sa.c保留原样
'https://el2-gitlab.sa.c'的用户名:
另外值得关注的是,Git客户端在响应票证之前第二次在401上重试未经身份验证的请求:
$ git clone https://:@ el2-gitlab.sa.c / kkm / GrammarTools.git kerbtest
克隆到'kerbtest '...
*在_netrc文件中找不到主机el2-gitlab.sa.c;使用默认值
> GET /kkm/GrammarTools.git/info/refs?service=git-upload-pack HTTP / 1.1
Host:el2-gitlab.sa.c
User-Agent:git / 2.5.1.windows .1
< HTTP / 1.1 401未授权
<状态:401未授权
< Www-Authenticate:Basic realm =
< Www-Authenticate:协商
*连接#0到主机el2-gitlab.sa.c保持原样
*发出另一个请求到这个URL:'https://:@ el2-gitlab.sa.c /kkm/GrammarTools.git/info/refs?service=git-upload-pack'
*在_netrc文件中找不到主机el2-gitlab.sa.c;使用默认值
> GET /kkm/GrammarTools.git/info/refs?service=git-upload-pack HTTP / 1.1
Host:el2-gitlab.sa.c
User-Agent:git / 2.5.1.windows .1
< HTTP / 1.1 401未授权
<状态:401未授权
< Www-Authenticate:Basic realm =
< Www-Authenticate:协商
<
*发出另一个请求到这个URL:'https://:@ el2-gitlab.sa.c / kkm / GrammarTools.git / info / refs?service = git-upload-pack'
*在_netrc文件中找不到主机el2-gitlab.sa.c;使用默认值
> GET /kkm/GrammarTools.git/info/refs?service=git-upload-pack HTTP / 1.1
主机:el2-gitlab.sa.c
授权:协商YIIGtg [.... trimmed。 ..]
User-Agent:git / 2.5.1.windows.1
< HTTP / 1.1 200 OK
应该缓解该问题,并在http身份验证期间强制使用空的用户名和密码: commit 121061f (2016年2月15日)作者:布赖恩米carlson( bk2204 )。
(由 Junio C Hamano - gitster - 在提交65ba75b ,2016年2月24日)
$ b
http:添加选项以尝试不使用用户名进行身份验证
使用Kerberos执行GSS协商身份验证不需要指定用户名或密码,因为这些信息已经包含在票据本身中
。
但是,如果没有提供,libcurl 拒绝执行认证用户名和密码。
添加一个选项
http.emptyAuth,它提供libcurl,并使用空的用户名和密码进行身份验证。
git config 文档会提及:
http.emptyAuth:
尝试验证而不寻求用户名或密码。
这可以用于尝试GSS-协商身份验证而不在URL中指定用户名,因为libcurl通常需要用户名进行身份验证。
Git 2.10.2(2016年10月)将改善这种状况。
请参阅 commit 5275c30 (2016年10月4日)作者: David Turner( csusbdt )。
(由 Junio C Hamano - gitster - commit c6400bf ,2016年10月17日)
http:http://www.emptyauth 应该允许为空(不仅仅是NULL)用户名
当使用Kerberos身份验证和更新版本的libcurl时,
CURLOPT_USERPWD必须设置为一个值,即使它是一个空值。
该值永远不会发送到服务器。
以前版本的libcurl不需要设置此变量。
某些用户表示空白用户名/密码是http://:@:gitserver.example.com,其中http.emptyauth旨在支持。<
另一个等效URL是http://@gitserver.example.com。
后者导致用户名为零长度,而不是NULL用户名,但仍需要设置CURLOPT_USERPWD(如果设置http.emptyauth)。
这样做。
当服务器仅支持单一认证方法时,Git 2.13(2017年第2季度)将减少HTTP上的身份验证。
请参阅提交40a18fc (2017年2月25日)和 commit 840398f (2017年2月22日)作者:杰夫King( peff )。
帮助: Johannes Schindelin( dscho )。
(由 Junio C Hamano - gitster - 位于 commit 92718f5 ,2017年3月10日)
$ b
http:为http.emptyauth 添加一个autocode
$ b需要指定这个变量(
http.emptyauth)来创建某些类型的非 - 基本的身份验证工作,但理想情况下,这只是为所有人开箱即用。
然而,只需settintin将它设为
1默认情况下,对于不是的情况会引入额外的往返行程。我们最终发送了一个虚假的服务器拒绝的凭证。
auto模式应该可以使用它,而不会产生任何额外的
为只有基本服务器的用户进行双向往返。
Summary: I am using Git for Windows 2.5.1 to authenticate with a Kerbesized Git server. When I am using the URL in the form https://el2-gitlab.sa.c/kkm/GrammarTools.git, Git does not even attempt the Negotiate authentication, and asks for the user name and password. A workarouond to force Git to use SPNEGO is to provide empty username and password in the URL itself, as in https://:@el2-gitlab.sa.c/kkm/GrammarTools.git. In this case, Git happily authenticates with the existing Kerberos ticket.
Can I configure Git to try SPNEGO without tweaking the remote URL?
More details. I spent quite a time trying to solve the problem. First I tried giving an empty user name in .gitconfig, but to no avail:
[credential "https://el2-gitlab.sa.c"]
username = ''
Not once I came across questions on a reverse problem, when Git refused to revert to Basic after trying and failing Negotiate, but the behavior is confirmed to have changed in 2.3.1.
Responding to the prompts with the empty username and password does not help, contrary to some suggestions I could find on SO (but they may pre-date version 2.3.1).
Finally, verbose libcurl output (abridged here) shows that Git indeed attempts Basic authentication and forgoes Negotiate altogether:
$ export GIT_CURL_VERBOSE=1
$ git clone https://el2-gitlab.sa.c/kkm/GrammarTools.git kerbtest
Cloning into 'kerbtest'...
* Couldn't find host el2-gitlab.sa.c in the _netrc file; using defaults
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> GET /kkm/GrammarTools.git/info/refs?service=git-upload-pack HTTP/1.1
Host: el2-gitlab.sa.c
User-Agent: git/2.5.1.windows.1
< HTTP/1.1 401 Unauthorized
< Status: 401 Unauthorized
< Www-Authenticate: Basic realm=""
< Www-Authenticate: Negotiate
<
* Connection #0 to host el2-gitlab.sa.c left intact
Username for 'https://el2-gitlab.sa.c':
Also may be of interest is that the Git client retries the unauthenticated request on a 401 for the second time before responding with the ticket:
$ git clone https://:@el2-gitlab.sa.c/kkm/GrammarTools.git kerbtest
Cloning into 'kerbtest'...
* Couldn't find host el2-gitlab.sa.c in the _netrc file; using defaults
> GET /kkm/GrammarTools.git/info/refs?service=git-upload-pack HTTP/1.1
Host: el2-gitlab.sa.c
User-Agent: git/2.5.1.windows.1
< HTTP/1.1 401 Unauthorized
< Status: 401 Unauthorized
< Www-Authenticate: Basic realm=""
< Www-Authenticate: Negotiate
* Connection #0 to host el2-gitlab.sa.c left intact
* Issue another request to this URL: 'https://:@el2-gitlab.sa.c/kkm/GrammarTools.git/info/refs?service=git-upload-pack'
* Couldn't find host el2-gitlab.sa.c in the _netrc file; using defaults
> GET /kkm/GrammarTools.git/info/refs?service=git-upload-pack HTTP/1.1
Host: el2-gitlab.sa.c
User-Agent: git/2.5.1.windows.1
< HTTP/1.1 401 Unauthorized
< Status: 401 Unauthorized
< Www-Authenticate: Basic realm=""
< Www-Authenticate: Negotiate
<
* Issue another request to this URL: 'https://:@el2-gitlab.sa.c/kkm/GrammarTools.git/info/refs?service=git-upload-pack'
* Couldn't find host el2-gitlab.sa.c in the _netrc file; using defaults
> GET /kkm/GrammarTools.git/info/refs?service=git-upload-pack HTTP/1.1
Host: el2-gitlab.sa.c
Authorization: Negotiate YIIGtg[ .... trimmed ... ]
User-Agent: git/2.5.1.windows.1
< HTTP/1.1 200 OK
git 2.8 (March 2016) should alleviate that issue and force an empty username and password during http authentication:
See commit 121061f (15 Feb 2016) by brian m. carlson (bk2204).
(Merged by Junio C Hamano -- gitster -- in commit 65ba75b, 24 Feb 2016)
http: add option to try authentication without usernamePerforming GSS-Negotiate authentication using Kerberos does not require specifying a username or password, since that information is already included in the ticket itself.
However,libcurlrefuses to perform authentication if it has not been provided with a username and password.Add an option,
http.emptyAuth, that provideslibcurlwith an empty username and password to make it attempt authentication anyway.
The git config documentation will mention:
http.emptyAuth:
Attempt authentication without seeking a username or password.
This can be used to attempt GSS-Negotiate authentication without specifying a username in the URL, aslibcurlnormally requires a username for authentication.
Git 2.10.2 (Octobre 2016) will improve that.
See commit 5275c30 (04 Oct 2016) by David Turner (csusbdt).
(Merged by Junio C Hamano -- gitster -- in commit c6400bf, 17 Oct 2016)
http: http.emptyauthshould allow empty (not just NULL) usernamesWhen using Kerberos authentication with newer versions of libcurl,
CURLOPT_USERPWDmust be set to a value, even if it is an empty value. The value is never sent to the server.
Previous versions of libcurl did not require this variable to be set.
One way that some users express the empty username/password ishttp://:@gitserver.example.com, whichhttp.emptyauthwas designed to support.
Another, equivalent, URL ishttp://@gitserver.example.com.
The latter leads to a username of zero-length, rather than aNULLusername, butCURLOPT_USERPWDstill needs to be set (ifhttp.emptyauthis set).
Do so.
Git 2.13 (Q2 2017) will reduce authentication round-trip over HTTP when the server supports just a single authentication method.
See commit 40a18fc (25 Feb 2017), and commit 840398f (22 Feb 2017) by Jeff King (peff).
Helped-by: Johannes Schindelin (dscho).
(Merged by Junio C Hamano -- gitster -- in commit 92718f5, 10 Mar 2017)
http: add an "auto" mode forhttp.emptyauthThis variable (
http.emptyauth) needs to be specified to make some types of non-basic authentication work, but ideally this would just work out of the box for everyone.However, simply setting it to "
1" by default introduces an extra round-trip for cases where it isn't useful. We end up sending a bogus empty credential that the server rejects.The "auto" mode should make it work out of the box, without incurring any extra round-trips for people hitting Basic-only servers.
这篇关于如何强制Git(2.5+)HTTP传输比基本身份验证更喜欢SPNEGO?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
