Kerberos-based HTTP authentication support planned?

Ezra.Smith at bentley.com
Fri Mar 28 09:02:16 CDT 2008


It gets tricky with some authentication schemes, though. I tried adding
support for NTLM authentication a while back, but:

    (a) urllib2 (which Mercurial uses when negotiating the initial
connection) doesn't support persistent HTTP connections

    (b) a bunch of 401 "Unauthorized" messages are a necessary part of
the NTLM handshake

Using the persistent HTTP code from urlgrabber (which I believe
Mercurial uses for its actual repository transfers over HTTP) helps with
(a), but urllib2's error handling mechanism still likes to close
connections all the time, which makes (b) hard to solve. It ends up
going like this:


Me: Hi server, I'd like to access you!

Server: 401. Unauthorized. Pick an auth method from: NTLM, Digest, etc.
*resets connection*

Me: Hi, I'd like to access you, and I pick NTLM.

Server: 401. Unauthorized, but I accept your NTLM request. Here's a
nonce for you to encode. *resets connection*

Me: Hi, I have the nonce you asked for. Can I access you now?

Server: 401. Nonce? I never gave you a nonce. Who are you, anyway?
*resets connection*



-----Original Message-----
From: mercurial-bounces at selenic.com
[mailto:mercurial-bounces at selenic.com] On Behalf Of Dirkjan Ochtman
Sent: Friday, March 28, 2008 9:40 AM
To: mercurial at selenic.com
Subject: Re: Kerberos-based HTTP authentication support planned?

Martin Scholl wrote:
> we would like to use kerberized authentication for publishing our
> mercurial repositories "passwordless" via http. Currently this seems
> unsupported by mercurial. Are there any plans to support such a setup?

Currently, I don't think Mercurial has any authentication built-in to 
the web server. Generally, it works best to access the Mercurial web 
interface through another HTTP server (for instance, using the mod_wsgi 
module to serve it from Apache, or using CGI or FCGI). That way, you 
should also be able to use any authentication infrastructure available 
for your webserver software of choice.

Cheers,

Dirkjan
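
Added example, not part of the original messages and not Mercurial or urllib2 code: a simplified Python model of the three-request exchange described above, showing why a challenge that the server binds to the connection cannot be answered once every 401 closes the socket. The names Connection, server_handle and client_fetch, the constructed secret, and the HMAC that stands in for the real NTLM response computation are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-demo-secret"  # constructed stand-in for the user's credential


class Connection:
    """One TCP connection as the server sees it; the pending nonce lives here."""
    def __init__(self):
        self.nonce = None


def server_handle(conn, auth_header):
    """Return (status, challenge); handshake state is bound to conn, as in NTLM."""
    if auth_header is None:
        return 401, None                      # "pick an auth method"
    kind, _, value = auth_header.partition(" ")
    if kind == "negotiate":
        conn.nonce = os.urandom(8)            # challenge remembered per connection
        return 401, conn.nonce
    if kind == "response" and conn.nonce is not None:
        expected = hmac.new(SECRET, conn.nonce, hashlib.sha256).hexdigest()
        conn.nonce = None                     # a challenge is single-use
        return (200, None) if hmac.compare_digest(value, expected) else (401, None)
    return 401, None                          # "I never gave you a nonce"


def client_fetch(keep_alive):
    """Run the three-request exchange and return the status codes seen."""
    conn, statuses, header = Connection(), [], None
    for _ in range(3):
        status, challenge = server_handle(conn, header)
        statuses.append(status)
        if status == 200:
            break
        if challenge is not None:
            mac = hmac.new(SECRET, challenge, hashlib.sha256).hexdigest()
            header = "response " + mac
        else:
            header = "negotiate"
        if not keep_alive:
            conn = Connection()               # the 401 closed the socket; state is gone
    return statuses


if __name__ == "__main__":
    print("persistent connection:", client_fetch(keep_alive=True))
    print("reset after each 401: ", client_fetch(keep_alive=False))
```
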
