kkm kkm - 1 month ago 18
Git Question

How to force Git (2.5+) HTTP transport prefer SPNEGO over Basic authentication?

Summary: I am using Git for Windows 2.5.1 to authenticate with a Kerbesized Git server. When I am using the URL in the form

https://el2-gitlab.sa.c/kkm/GrammarTools.git
, Git does not even attempt the Negotiate authentication, and asks for the user name and password. A workarouond to force Git to use SPNEGO is to provide empty username and password in the URL itself, as in
https://:@el2-gitlab.sa.c/kkm/GrammarTools.git
. In this case, Git happily authenticates with the existing Kerberos ticket.

Can I configure Git to try SPNEGO without tweaking the remote URL?

More details. I spent quite a time trying to solve the problem. First I tried giving an empty user name in .gitconfig, but to no avail:

[credential "https://el2-gitlab.sa.c"]
username = ''


Not once I came across questions on a reverse problem, when Git refused to revert to Basic after trying and failing Negotiate, but the behavior is confirmed to have changed in 2.3.1.

Responding to the prompts with the empty username and password does not help, contrary to some suggestions I could find on SO (but they may pre-date version 2.3.1).

Finally, verbose libcurl output (abridged here) shows that Git indeed attempts Basic authentication and forgoes Negotiate altogether:

$ export GIT_CURL_VERBOSE=1
$ git clone https://el2-gitlab.sa.c/kkm/GrammarTools.git kerbtest
Cloning into 'kerbtest'...
* Couldn't find host el2-gitlab.sa.c in the _netrc file; using defaults
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> GET /kkm/GrammarTools.git/info/refs?service=git-upload-pack HTTP/1.1
Host: el2-gitlab.sa.c
User-Agent: git/2.5.1.windows.1

< HTTP/1.1 401 Unauthorized
< Status: 401 Unauthorized
< Www-Authenticate: Basic realm=""
< Www-Authenticate: Negotiate
<
* Connection #0 to host el2-gitlab.sa.c left intact
Username for 'https://el2-gitlab.sa.c':


Also may be of interest is that the Git client retries the unauthenticated request on a 401 for the second time before responding with the ticket:

$ git clone https://:@el2-gitlab.sa.c/kkm/GrammarTools.git kerbtest
Cloning into 'kerbtest'...
* Couldn't find host el2-gitlab.sa.c in the _netrc file; using defaults
> GET /kkm/GrammarTools.git/info/refs?service=git-upload-pack HTTP/1.1
Host: el2-gitlab.sa.c
User-Agent: git/2.5.1.windows.1

< HTTP/1.1 401 Unauthorized
< Status: 401 Unauthorized
< Www-Authenticate: Basic realm=""
< Www-Authenticate: Negotiate
* Connection #0 to host el2-gitlab.sa.c left intact
* Issue another request to this URL: 'https://:@el2-gitlab.sa.c/kkm/GrammarTools.git/info/refs?service=git-upload-pack'
* Couldn't find host el2-gitlab.sa.c in the _netrc file; using defaults
> GET /kkm/GrammarTools.git/info/refs?service=git-upload-pack HTTP/1.1
Host: el2-gitlab.sa.c
User-Agent: git/2.5.1.windows.1

< HTTP/1.1 401 Unauthorized
< Status: 401 Unauthorized
< Www-Authenticate: Basic realm=""
< Www-Authenticate: Negotiate
<
* Issue another request to this URL: 'https://:@el2-gitlab.sa.c/kkm/GrammarTools.git/info/refs?service=git-upload-pack'
* Couldn't find host el2-gitlab.sa.c in the _netrc file; using defaults
> GET /kkm/GrammarTools.git/info/refs?service=git-upload-pack HTTP/1.1
Host: el2-gitlab.sa.c
Authorization: Negotiate YIIGtg[ .... trimmed ... ]
User-Agent: git/2.5.1.windows.1

< HTTP/1.1 200 OK

kkm kkm
Answer

With most of the credit going to @Michael-O in the discussion under his answer to this question, I believe the final straightforward solution for the problem should be posted in the interest of the SO community.

The workaround to the known bug in libcurl that Michael mentioned is to create a file ~/.netrc (original libcurl) or ~/_netrc (Git for Windows 2.5+ port, based on MSys2). The file should provide an empty username and password for the Kerberized Git server host. Since the host matching is exact, include both the short and fully-qualified DNS names and possible aliases if any, for example,

machine gitlab.acme.com username '' password ''
machine gitlab          username '' password ''

If everything is right, the line that you see in the original question logs

* Couldn't find host el2-gitlab.sa.c in the _netrc file; using defaults

should no longer be printed, and Negotiation authentication with user's Kerberos ticket should be used.