build windows distribution with SSPI support (pycurl related)

Bug #244435 reported by anatoly techtonik
Affects   Status     Importance  Assigned to  Milestone
Bazaar    Confirmed  Low         Unassigned
PycURL    New        Undecided   Unassigned

Bug Description

Windows binaries (at least for bzr-1.5) are distributed without SSPI support in the pycurl library. SSPI allows using the domain login/pass for authentication against domain proxies without entering credentials explicitly. At present these credentials should be set in the HTTP_PROXY environment variable in order to authenticate properly, which imposes a great security risk.

The modification requires building SSPI into pycurl and allowing an empty username and password to be specified in the proxy configuration (as equivalent to the "-U :" command line curl option).

Mark Hammond (mhammond) wrote :

I'm not sure how relevant this is yet - but pywin32 supports SSPI authentication. Hooking it into urllib, or into existing "auth hooks" that may have been provided will probably be a challenge, but not impossible.

Vincent Ladeuil (vila) wrote : Re: [Bug 244435] Re: build windows distribution with SSPI support (pycurl related)

>>>>> "Mark" == Mark Hammond <email address hidden> writes:

    Mark> I'm not sure how relevant this is yet - but pywin32 supports SSPI
    Mark> authentication. Hooking it into urllib, or into existing "auth hooks"
    Mark> that may have been provided will probably be a challenge, but not
    Mark> impossible.

This is *totally* relevant.

I'll get in touch with you as soon as I get some available time
to fix this bug.

Thanks a ton for the hint.

Mark Hammond (mhammond) wrote : RE: [Bug 244435] Re: build windows distribution with SSPI support (pycurl related)

I'm pretty familiar with the sspi auth stuff, so please let me know if I can help, even if just with general advice...

Cheers,

Mark


Vincent Ladeuil (vila)
Changed in bzr:
importance: Undecided → Low
status: New → Triaged
anatoly techtonik (techtonik) wrote :

It would be just great if you can help patch the build system for PycURL to include SSPI support. I guess ASYNCHDNS, SPNEGO and GSSNEGOTIATE options won't hurt either. The attached script helps check what options PycURL was compiled with.

For my win2000 with python 2.5 and PycURL 7.18.2 (latest available binary):

libcurl/7.18.2 OpenSSL/0.9.8h zlib/1.2.3
Enabled libcurl features:
   4 CURL_VERSION_SSL - SSL options are present
   8 CURL_VERSION_LIBZ - libz features are present
  16 CURL_VERSION_NTLM - NTLM auth is supported
 512 CURL_VERSION_LARGEFILE - supports files bigger than 2GB

Disabled libcurl features:
   1 CURL_VERSION_IPV6 - IPv6-disabled
   2 CURL_VERSION_KERBEROS4 - kerberos auth is not supported
  32 CURL_VERSION_GSSNEGOTIATE - no Negotiate auth support
  64 CURL_VERSION_DEBUG - built without debug capabilities
 128 CURL_VERSION_ASYNCHDNS - no asynchronous dns resolves
 256 CURL_VERSION_SPNEGO - no SPNEGO auth
1024 CURL_VERSION_IDN - no International Domain Names support
2048 CURL_VERSION_SSPI - SSPI is not supported
4096 CURL_VERSION_CONV - character conversions are not supported
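
An added example, not the script attached to this report and not Bazaar or PycURL code: it decodes a libcurl feature bitmask using the bit values listed in the output above and flags proxy environment variables that embed credentials, the exposure the bug description is about. The function names, the proxy host and the sample value 540 (4 + 8 + 16 + 512) are constructed for illustration.

```python
import os
from urllib.parse import urlsplit

try:
    import pycurl  # optional: only needed to query the local build
except ImportError:
    pycurl = None

# Feature bits exactly as listed in the report's output.
CURL_FEATURES = {
    1: "IPV6", 2: "KERBEROS4", 4: "SSL", 8: "LIBZ", 16: "NTLM",
    32: "GSSNEGOTIATE", 64: "DEBUG", 128: "ASYNCHDNS", 256: "SPNEGO",
    512: "LARGEFILE", 1024: "IDN", 2048: "SSPI", 4096: "CONV",
}

def decode_features(bitmask):
    """Split a libcurl feature bitmask into (enabled, disabled) name lists."""
    enabled = [n for bit, n in sorted(CURL_FEATURES.items()) if bitmask & bit]
    disabled = [n for bit, n in sorted(CURL_FEATURES.items()) if not bitmask & bit]
    return enabled, disabled

def local_feature_bitmask():
    """Feature bitmask of the installed PycURL build, or None if absent."""
    if pycurl is None:
        return None
    return pycurl.version_info()[4]  # index 4 of the tuple is the bitmask

def proxy_vars_with_credentials(env):
    """Names of proxy variables whose URL embeds a username or password."""
    hits = []
    for name, value in env.items():
        if name.upper() not in ("HTTP_PROXY", "HTTPS_PROXY") or not value:
            continue
        parts = urlsplit(value if "://" in value else "//" + value)
        if parts.username or parts.password:
            hits.append(name)
    return sorted(hits)

def audit(bitmask, env):
    """Summarise whether credentials can be dropped from the environment."""
    enabled, _ = decode_features(bitmask)
    return {"sspi": "SSPI" in enabled, "ntlm": "NTLM" in enabled,
            "exposed_vars": proxy_vars_with_credentials(env)}

if __name__ == "__main__":
    mask = local_feature_bitmask()
    if mask is None:
        mask = 540  # constructed sample: 4 + 8 + 16 + 512
    print(audit(mask, os.environ))
```

A result with "sspi" false and a non-empty "exposed_vars" list corresponds to the situation described in this bug: the build cannot use the logged-in domain identity, so the proxy password sits in the environment.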

Martin Pool (mbp)
security vulnerability: yes → no
Martin Pool (mbp)
Changed in bzr:
status: Triaged → Confirmed
Jelmer Vernooij (jelmer)
tags: added: check-for-breezy