[Yum-devel] [PATCH] allow users to tweak PROXYAUTH settings. BZ 769254

Zdenek Pavlas zpavlas at redhat.com
Fri Jun 29 07:57:06 UTC 2012


>  Is there any way we can fix it, or could we just disable ntlm until
> 835869 is fixed?

This is not (directly) related to NTLM.  Curl prefers GSSNEGOTIATE
over NTLM and BASIC, so decides to try that first.  If it can't find
a ticket in /tmp, it fails as though the authentication has been
attempted and has failed (or retries the request without any auth
header added, depending on curl version).

- self.curl_obj.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY)
+ self.curl_obj.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY-pycurl.HTTPAUTH_GSSNEGOTIATE)
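
Review bot: the added line clears the GSSNEGOTIATE flag by arithmetic subtraction (pycurl.HTTPAUTH_ANY-pycurl.HTTPAUTH_GSSNEGOTIATE), which only gives the right mask while that bit is set in HTTPAUTH_ANY; write it as a bit operation instead, pycurl.HTTPAUTH_ANY & ~pycurl.HTTPAUTH_GSSNEGOTIATE. The mask is also hard-coded with no comment, and it still includes BASIC, so the line should carry a comment pointing at the bug it works around and saying that Negotiate is deliberately excluded.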

This is reported to fix the problem, and NTLM is still supported, but:

1) no way to ever use kerberos
2) no way to enable only one auth scheme and save the 1st request
3) can't disable BASIC (security)

I'm okay with both solutions (proxy_auth env var, or disabling
kerberos the hard way).  A 3rd option is adding a urlgrabber + yum
option to yum.conf, but that feels like overkill to me.

> > Enabling >1 schemes results in small extra overhead
> 
>  I assume small here means "not really measurable"?

One extra HTTP request/response, but that's on LAN, no big deal.
It might still be desirable to be able to enable BASIC only,
because a broken proxy might return wrong or no 407 replies.

> (Eg. yum works, except yum-cron doesn't ... and repoquery
> also doesn't work).

Can imagine that..
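
An added example, not part of the original message or of the yum/urlgrabber code: one way the proxy_auth environment variable mentioned above could be mapped to a PROXYAUTH mask, so that Kerberos can be re-enabled, a single scheme can be selected, and BASIC can be left out. The comma-separated format and the function names are assumptions; the bit values are libcurl's CURLAUTH_* constants, which pycurl exposes as HTTPAUTH_*.

```python
import os

# libcurl CURLAUTH_* bit values (pycurl.HTTPAUTH_* in pycurl), repeated
# here so the example runs without pycurl installed.
AUTH_BITS = {
    "basic": 1 << 0,
    "digest": 1 << 1,
    "gssnegotiate": 1 << 2,
    "ntlm": 1 << 3,
}
DIGEST_IE = 1 << 4
HTTPAUTH_ANY = ~DIGEST_IE  # libcurl defines CURLAUTH_ANY this way

# Default matching the one-line change: every scheme except GSSNEGOTIATE.
DEFAULT_MASK = HTTPAUTH_ANY & ~AUTH_BITS["gssnegotiate"]


def proxyauth_mask(spec, default=DEFAULT_MASK):
    """Turn a string such as 'ntlm,digest' into a PROXYAUTH bitmask.

    An unset or empty value keeps the default. Unknown names raise, so a
    typo cannot silently fall back to a wider set that includes BASIC.
    """
    if spec is None or not spec.strip():
        return default
    mask = 0
    for name in spec.split(","):
        name = name.strip().lower()
        if not name:
            continue
        if name not in AUTH_BITS:
            raise ValueError("unknown proxy auth scheme: %r" % name)
        mask |= AUTH_BITS[name]
    if mask == 0:
        raise ValueError("no proxy auth scheme given in %r" % spec)
    return mask


def enabled_schemes(mask):
    """List the scheme names whose bits are set in mask (for logging)."""
    return sorted(n for n, bit in AUTH_BITS.items() if mask & bit)


def mask_from_env(environ=os.environ):
    """Read the (assumed) proxy_auth variable and return the mask."""
    return proxyauth_mask(environ.get("proxy_auth"))
```

The returned value would be passed to setopt(pycurl.PROXYAUTH, ...) in place of the hard-coded mask.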

