[Yum-devel] [PATCH] allow users to tweak PROXYAUTH settings. BZ 769254
James Antill
james at fedoraproject.org
Fri Jun 29 15:19:37 UTC 2012
On Fri, 2012-06-29 at 03:57 -0400, Zdenek Pavlas wrote:
> > Is there any way we can fix it, or could we just disable ntlm until
> > 835869 is fixed?
>
> This is not (directly) related to NTLM. Curl prefers GSSNEGOTIATE
> over NTLM and BASIC, so decides to try that first. If it can't find
> a ticket in /tmp, it fails as though the authentication has been
> attempted and has failed (or retries the request without any auth
> header added, depending on curl version).
>
> - self.curl_obj.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY)
> + self.curl_obj.setopt(pycurl.PROXYAUTH, pycurl.HTTPAUTH_ANY-pycurl.HTTPAUTH_GSSNEGOTIATE)
>
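Review bot: on the added line, `pycurl.HTTPAUTH_ANY-pycurl.HTTPAUTH_GSSNEGOTIATE` clears a flag by arithmetic subtraction, which gives the intended mask only while that bit is set in HTTPAUTH_ANY; `pycurl.HTTPAUTH_ANY & ~pycurl.HTTPAUTH_GSSNEGOTIATE` expresses the same thing without that dependency. The mask is also still hardcoded, so BASIC stays enabled for every proxy with no way to turn it off, and the line carries no comment saying why GSSNEGOTIATE is excluded; a short comment referencing BZ 769254 would keep a later cleanup from restoring HTTPAUTH_ANY.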
> This is reported to fix the problem, and NTLM is still supported, but:
Cool.
> 1) no way to ever use kerberos
Not sure I see the problem :). I mean we never have supported it,
right?
> 2) no way to enable only one auth scheme and save the 1st request
> 3) can't disable BASIC (security)
>
> I'm okay with both solutions (proxy_auth env var, or disabling
> kerberos the hard way). 3rd option is adding an urlgrabber + yum
> option to yum.conf, but that feels an overkill to me.
It feels like nobody would care if we just disable kerberos, and
probably 0.001% of users will use any configuration if you add it. So
I'd just go with the easiest thing and wait for someone to complain :).
> > > Enabling >1 schemes results in small extra overhead
> >
> > I assume small here means "not really measurable"?
>
> One extra HTTP request/response, but that's on LAN, no big deal.
> It might still be desirable to be able to enable BASIC only,
> because a broken proxy might return wrong or no 407 replies.
*nods*, it's possible but I'd expect most things to get the 407 reply
correct ... we can always look at it again if some major vendor's
firewall/proxy/whatever does the wrong thing.
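
Added example, not part of this message or of urlgrabber/yum: one way a `proxy_auth` setting like the one discussed above could be turned into a PROXYAUTH bitmask, so that a single scheme can be selected or BASIC dropped. The setting's syntax and the function names are hypothetical; the bit values are libcurl's CURLAUTH_* flags for these four schemes, copied inline so the code runs without pycurl.

```python
# Bit values as in libcurl's CURLAUTH_* flags (only the four schemes the thread names).
AUTH_BITS = {
    "basic": 1 << 0,
    "digest": 1 << 1,
    "gssnegotiate": 1 << 2,
    "ntlm": 1 << 3,
}
ALL_SCHEMES = sum(AUTH_BITS.values())
# Default with the same intent as the patch: everything except GSSNEGOTIATE.
DEFAULT_MASK = ALL_SCHEMES & ~AUTH_BITS["gssnegotiate"]


def parse_proxy_auth(value, default=DEFAULT_MASK):
    """Turn a hypothetical 'proxy_auth' setting into a PROXYAUTH bitmask.

    Accepted forms (syntax constructed for this example):
      None or ""      -> default mask
      "ntlm,digest"   -> only these schemes
      "any,-basic"    -> start from all schemes, then remove some
    """
    if value is None or not value.strip():
        return default
    mask = 0
    for token in value.lower().split(","):
        token = token.strip()
        if not token:
            continue
        remove = token.startswith("-")
        name = token.lstrip("-")
        if name == "any":
            bits = ALL_SCHEMES
        elif name in AUTH_BITS:
            bits = AUTH_BITS[name]
        else:
            # Fail closed on typos instead of silently widening the mask.
            raise ValueError("unknown proxy auth scheme: %r" % name)
        mask = mask & ~bits if remove else mask | bits
    if mask == 0:
        raise ValueError("proxy_auth leaves no scheme enabled")
    return mask


def describe(mask):
    """Names of the schemes enabled in mask, for logging."""
    return sorted(name for name, bit in AUTH_BITS.items() if mask & bit)
```

The returned mask is what would be passed to `setopt(pycurl.PROXYAUTH, ...)` in place of the hardcoded value.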