
Re: Proxy authentication with Negotiate uses wrong host

From: Stefan Sperling <stsp_at_elego.de>
Date: Tue, 23 Aug 2011 23:40:28 +0200

On Tue, Aug 23, 2011 at 10:47:35PM +0200, Michael-O wrote:
> I did some digging in the subversion and neon code and noticed some
> interesting and odd stuff.
>
> If you take a look at the aforementioned session.c in line 865 [1]
> you'll see that the code is correct, Negotiate auth is added if no
> proxy_username is set. So my assumption was correct. It should work
> out of the box.

Yes, you're right. It seems I misread this and didn't notice
the 'else' part which also enables Negotiate auth. Sorry.

> Digging deeper into that file shows that Negotiate auth for servers
> (not proxy servers) is done only when the server is served with
> HTTPS [2].

Having taken a brief glance it looks as if you can override this
via the http-auth-types option in ~/.subversion/servers.
Have you tried that?

> I took a look back at neon_auth.h (define
> NE_AUTH_NEGOTIATE) [3] and it constantly says that Digest and
> Negotiate are unsecure and require a secure connection which is
> complete nonsense. Kerberos was designed to provide security in
> unsecure networks. This is definitively wrong documentation.

Not sure if this documentation is generally wrong.
It can depend on what kinds of assumptions people make about security.
Please verify this question with the neon devs.
Received on 2011-08-23 23:41:03 CEST

This is an archived mail posted to the Subversion Users mailing list.
