From ef976395e26a25fb6d048d859a1c8cddb2640b9a Mon Sep 17 00:00:00 2001
From: Knut Franke
Date: Tue, 26 Jan 2016 13:02:47 +0000
Subject: http: allow selection of proxy authentication method

CURLAUTH_ANY does not work with proxies which answer unauthenticated requests with a 307 redirect to an error page instead of a 407 listing supported authentication methods. Therefore, allow the authentication method to be set using the environment variable GIT_HTTP_PROXY_AUTHMETHOD or configuration variables http.proxyAuthmethod and remote..proxyAuthmethod (in analogy to http.proxy and remote..proxy).

The following values are supported:

* anyauth (default)
* basic
* digest
* negotiate
* ntlm

Signed-off-by: Knut Franke
Signed-off-by: Elia Pinto
Helped-by: Junio C Hamano
Helped-by: Eric Sunshine
Helped-by: Elia Pinto
Signed-off-by: Junio C Hamano
---
 Documentation/config.txt | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

(limited to 'Documentation/config.txt')

diff --git a/Documentation/config.txt b/Documentation/config.txt
index f61788668e..a6c3d0fa50 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1600,6 +1600,27 @@ http.proxy:: `curl(1)`). This can be overridden on a per-remote basis; see remote..proxy +http.proxyAuthMethod:: + Set the method with which to authenticate against the HTTP proxy. This + only takes effect if the configured proxy string contains a user name part + (i.e. is of the form 'user@host' or 'user@host:port'). This can be + overridden on a per-remote basis; see `remote..proxyAuthMethod`. + Both can be overridden by the 'GIT_HTTP_PROXY_AUTHMETHOD' environment + variable. Possible values are: ++ +-- +* `anyauth` - Automatically pick a suitable authentication method. It is + assumed that the proxy answers an unauthenticated request with a 407 + status code and one or more Proxy-authenticate headers with supported + authentication methods. This is the default. +* `basic` - HTTP Basic authentication +* `digest` - HTTP Digest authentication; this prevents the password from being + transmitted to the proxy in clear text +* `negotiate` - GSS-Negotiate authentication (compare the --negotiate option + of `curl(1)`) +* `ntlm` - NTLM authentication (compare the --ntlm option of `curl(1)`) +-- + http.cookieFile:: File containing previously stored cookie lines which should be used in the Git http session, if they match the server. The file format @@ -2407,6 +2428,11 @@ remote..proxy:: the proxy to use for that remote. Set to the empty string to disable proxying for that remote. +remote..proxyAuthMethod:: + For remotes that require curl (http, https and ftp), the method to use for + authenticating against the proxy in use (probably set in + `remote..proxy`). See `http.proxyAuthMethod`. + remote..fetch:: The default set of "refspec" for linkgit:git-fetch[1]. See linkgit:git-fetch[1]. -- cgit v1.2.1 From 372370f1675c2b935fb703665358dd5567641107 Mon Sep 17 00:00:00 2001 
From: Knut Franke
Date: Tue, 26 Jan 2016 13:02:48 +0000
Subject: http: use credential API to handle proxy authentication

Currently, the only way to pass proxy credentials to curl is by including them in the proxy URL. Usually, this means they will end up on disk unencrypted, one way or another (by inclusion in ~/.gitconfig, shell profile or history). Since proxy authentication often uses a domain user, credentials can be security sensitive; therefore, a safer way of passing credentials is desirable.

If the configured proxy contains a username but not a password, query the credential API for one. Also, make sure we approve/reject proxy credentials properly.

For consistency reasons, add parsing of http_proxy/https_proxy/all_proxy environment variables, which would otherwise be evaluated as a fallback by curl. Without this, we would have different semantics for git configuration and environment variables.

Helped-by: Junio C Hamano
Helped-by: Eric Sunshine
Helped-by: Elia Pinto
Signed-off-by: Knut Franke
Signed-off-by: Elia Pinto
Signed-off-by: Junio C Hamano
---
 Documentation/config.txt | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'Documentation/config.txt')

diff --git a/Documentation/config.txt b/Documentation/config.txt
index a6c3d0fa50..8b969497ba 100644
--- a/Documentation/config.txt
+++ b/Documentation/config.txt
@@ -1596,9 +1596,13 @@ help.htmlPath:: http.proxy:: Override the HTTP proxy, normally configured using the 'http_proxy', - 'https_proxy', and 'all_proxy' environment variables (see - `curl(1)`). This can be overridden on a per-remote basis; see - remote..proxy + 'https_proxy', and 'all_proxy' environment variables (see `curl(1)`). In + addition to the syntax understood by curl, it is possible to specify a + proxy string with a user name but no password, in which case git will + attempt to acquire one in the same way it does for other credentials. See + linkgit:gitcredentials[7] for more information. The syntax thus is + '[protocol://][user[:password]@]proxyhost[:port]'. This can be overridden + on a per-remote basis; see remote..proxy http.proxyAuthMethod:: Set the method with which to authenticate against the HTTP proxy. This -- cgit v1.2.1
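
Review bot: in the `http.proxyAuthMethod` hunk of the first patch, the `basic` entry never says that the proxy password is sent in clear text; a reader can only infer it from the `digest` line ("this prevents the password from being transmitted to the proxy in clear text"). State it on the `basic` line itself, since that is the property an administrator choosing between the two needs to see. The text also does not say what happens when the value is not one of the five listed (error, warning, or silent fallback to `anyauth`), and the `anyauth` entry could tell users to pick an explicit method when the proxy does not answer with a 407, which is the case the commit message gives as the motivation. Nit: the header name is normally written `Proxy-Authenticate`.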
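
Review bot: in the `remote..proxyAuthMethod` hunk of the first patch, "(probably set in `remote..proxy`)" is a guess where reference documentation should be definite. The proxy for a remote can also come from `http.proxy`, so something like "the proxy in use for that remote (see `remote..proxy` and `http.proxy`)" would be accurate without hedging. It would also help to repeat here that 'GIT_HTTP_PROXY_AUTHMETHOD' overrides this setting, because the sentence that says so appears only under `http.proxyAuthMethod`.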
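
Review bot: in the `http.proxy` hunk of the second patch, the documented syntax '[protocol://][user[:password]@]proxyhost[:port]' still presents the inline password as an equal option, while the commit message argues that this form leaves the credential on disk unencrypted. Add a sentence recommending the user-name-only form and noting that a password written into the proxy string is stored in plain text in the configuration. The commit message also says the 'http_proxy', 'https_proxy' and 'all_proxy' variables are now parsed by git, but the new text does not say whether the credential lookup applies to a proxy taken from them. Finally, the neighbouring `http.proxyAuthMethod` text describes the proxy string as 'user@host' or 'user@host:port', which no longer matches the fuller syntax given here.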