[Yum-devel] [PATCH] allow users to tweak PROXYAUTH settings. BZ 769254
Zdenek Pavlas
zpavlas at redhat.com
Fri Jun 29 07:57:06 UTC 2012
> Is there any way we can fix it, or could we just disable ntlm until
> 835869 is fixed?
This is not (directly) related to NTLM. Curl prefers GSSNEGOTIATE
over NTLM and BASIC, so it decides to try that first. If it can't find
a ticket in /tmp, it fails as though the authentication has been
attempted and has failed (or retries the request without any auth
header added, depending on curl version).
- self.curl_obj.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY)
+ self.curl_obj.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY-pycurl.HTTPAUTH_GSSNEGOTIATE)
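Review bot: On the added line the mask is built with arithmetic subtraction (HTTPAUTH_ANY-HTTPAUTH_GSSNEGOTIATE), which clears the bit only because that bit is set in HTTPAUTH_ANY; the bitwise form pycurl.HTTPAUTH_ANY & ~pycurl.HTTPAUTH_GSSNEGOTIATE states the intent and stays correct if the left-hand constant is ever changed. Since the exclusion is hard-coded, a short comment on the line naming the reason (BZ 769254) would tell the next reader why Negotiate is missing from the mask.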
This is reported to fix the problem, and NTLM is still supported, but:
1) no way to ever use kerberos
2) no way to enable only one auth scheme and save the 1st request
3) can't disable BASIC (security)
I'm okay with both solutions (proxy_auth env var, or disabling
kerberos the hard way). A 3rd option is adding a urlgrabber + yum
option to yum.conf, but that feels like overkill to me.
> > Enabling >1 schemes results in small extra overhead
>
> I assume small here means "not really measurable"?
One extra HTTP request/response, but that's on LAN, no big deal.
It might still be desirable to be able to enable BASIC only,
because a broken proxy might return wrong or no 407 replies.
> (Eg. yum works, except yum-cron doesn't ... and repoquery
> also doesn't work).
Can imagine that..
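The three limitations listed in the message above (no Kerberos, no single-scheme selection, no way to drop BASIC) all come down to how the PROXYAUTH bitmask is built. The following is an added example, not code from the patch or from urlgrabber: the setting syntax and the names proxyauth_mask and schemes are hypothetical, and the bit values are libcurl's CURLAUTH_* constants.

```python
# libcurl CURLAUTH_* bit values, copied here so the example runs without
# pycurl; pycurl.HTTPAUTH_BASIC etc. carry the same bits.
AUTH_BITS = {"basic": 1 << 0, "digest": 1 << 1,
             "gssnegotiate": 1 << 2, "ntlm": 1 << 3}
DIGEST_IE = 1 << 4
AUTH_ANY = ~DIGEST_IE  # CURLAUTH_ANY: everything except DIGEST_IE
# Mask from the one-line change quoted above (Negotiate removed).
DEFAULT_MASK = AUTH_ANY & ~AUTH_BITS["gssnegotiate"]


def proxyauth_mask(spec, default=DEFAULT_MASK):
    """Parse a hypothetical setting such as "ntlm,digest" or "-basic".

    Unset or empty -> default. "any" -> AUTH_ANY. A leading "-" removes a
    scheme; if only removals are given they are taken out of AUTH_ANY.
    Unknown names, or a result with no usable scheme, raise ValueError.
    """
    if spec is None or not spec.strip():
        return default
    include = exclude = 0
    for tok in (t.strip().lower() for t in spec.split(",")):
        if not tok:
            continue
        if tok == "any":
            include |= AUTH_ANY
            continue
        name = tok.lstrip("-")
        if name not in AUTH_BITS:
            raise ValueError("unknown proxy auth scheme: %r" % tok)
        if tok.startswith("-"):
            exclude |= AUTH_BITS[name]
        else:
            include |= AUTH_BITS[name]
    if not include and not exclude:
        return default  # only separators, e.g. ","
    mask = (include or AUTH_ANY) & ~exclude
    if not any(mask & bit for bit in AUTH_BITS.values()):
        raise ValueError("setting %r leaves no auth scheme enabled" % spec)
    return mask


def schemes(mask):
    """Names of the schemes enabled in mask, for logging or review."""
    return sorted(n for n, bit in AUTH_BITS.items() if mask & bit)
```

The returned integer is what would be passed as the second argument of setopt(pycurl.PROXYAUTH, ...); a value of "-basic" keeps credentials from being offered in BASIC form, and "ntlm" alone avoids the extra probing request mentioned in the message.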