Kerberos-based HTTP authentication support planned?
Ezra.Smith at bentley.com
Fri Mar 28 09:02:16 CDT 2008
It gets tricky with some authentication schemes, though. I tried adding
support for NTLM authentication a while back, but:

(a) urllib2 (which Mercurial uses when negotiating the initial
    connection) doesn't support persistent HTTP connections
(b) a bunch of 401 "Unauthorized" messages are a necessary part of
    the NTLM handshake

Using the persistent HTTP code from urlgrabber (which I believe
Mercurial uses for its actual repository transfers over HTTP) helps with
(a), but urllib2's error handling mechanism still likes to close
connections all the time, which makes (b) hard to solve. It ends up
going like this:

Me: Hi server, I'd like to access you!
Server: 401. Unauthorized. Pick an auth method from: NTLM, Digest, etc.
        *resets connection*
Me: Hi, I'd like to access you, and I pick NTLM.
Server: 401. Unauthorized, but I accept your NTLM request. Here's a
        nonce for you to encode. *resets connection*
Me: Hi, I have the nonce you asked for. Can I access you now?
Server: 401. Nonce? I never gave you a nonce. Who are you, anyway?
        *resets connection*

-----Original Message-----
From: mercurial-bounces at selenic.com
[mailto:mercurial-bounces at selenic.com] On Behalf Of Dirkjan Ochtman
Sent: Friday, March 28, 2008 9:40 AM
To: mercurial at selenic.com
Subject: Re: Kerberos-based HTTP authentication support planed?
Martin Scholl wrote:
> we would like to use kerberized authentication for publishing our
> mercurial repositories "passwordless" via http. Currently this seems
> unsupported by mercurial. Are there any plans to support such a setup?
Currently, I don't think Mercurial has any authentication built-in to
the web server. Generally, it works best to access the Mercurial web
interface through another HTTP server (for instance, using the mod_wsgi
module to serve it from Apache, or using CGI or FCGI). That way, you
should also be able to use any authentication infrastructure available
for your webserver software of choice.
Cheers,
Dirkjan
_______________________________________________
Mercurial mailing list
Mercurial at selenic.com
http://selenic.com/mailman/listinfo/mercurial
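
The failure described in the message above can be reproduced locally. The following is an added example, not code from the original post or from Mercurial: it assumes a constructed "Toy" challenge scheme that, like NTLM, keeps its nonce on the TCP connection, and the names `Handler`, `handshake` and `run_demo` are hypothetical.

```python
import http.client
import os
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class Handler(BaseHTTPRequestHandler):
    """Constructed "Toy" scheme standing in for NTLM; not real NTLM messages."""
    protocol_version = "HTTP/1.1"  # keep-alive: one Handler object per TCP connection
    nonce = None                   # challenge state is bound to that connection
    log_message = lambda self, *args: None  # silence per-request logging

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if auth == "Toy negotiate":            # step 2: issue a nonce
            self.nonce = os.urandom(8).hex()
            self._reply(401, "Toy " + self.nonce)
        elif self.nonce and auth == "Toy response " + self.nonce[::-1]:
            self._reply(200, None)             # step 3: nonce issued on this connection
        else:
            self._reply(401, "Toy")            # step 1, or a nonce this connection never issued

    def _reply(self, status, challenge):
        self.send_response(status)
        if challenge:
            self.send_header("WWW-Authenticate", challenge)
        self.send_header("Content-Length", "0")
        self.end_headers()

def handshake(port, persistent):  # returns the HTTP status of each of three requests
    conn, auth, statuses = http.client.HTTPConnection("127.0.0.1", port), None, []
    for _ in range(3):
        if not persistent:
            conn.close()                       # socket dropped after every 401
        conn.request("GET", "/", headers={"Authorization": auth} if auth else {})
        resp = conn.getresponse()
        resp.read()
        statuses.append(resp.status)
        challenge = resp.getheader("WWW-Authenticate", "")
        auth = "Toy response " + challenge[4:][::-1] if challenge[4:] else "Toy negotiate"
    conn.close()
    return statuses

def run_demo():
    with ThreadingHTTPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return [handshake(server.server_address[1], p) for p in (True, False)]
        finally:
            server.shutdown()
```

`run_demo()` returns the status sequence for a persistent connection first and for a connection that is reset after every response second; only the persistent one reaches 200.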