bug-wget

Re: [Bug-wget] wget 1.11.4 can no longer authenticate using NTLM for IIS


From: Micah Cowan
Subject: Re: [Bug-wget] wget 1.11.4 can no longer authenticate using NTLM for IIS
Date: Thu, 06 Nov 2008 12:14:46 -0800
User-agent: Thunderbird 2.0.0.17 (X11/20080914)

Bryan Hoffpauir wrote:
> Micah, I noticed you posted your announcement on your new job -
> congratulations!  I certainly hope you are able to sort out the
> issues surrounding the code and your ability to participate.

I'm pretty sure it'll all work out (I sure hope!), but in the meantime
I'm stuck with having to refrain from coding from the 17th, until it's
resolved.

> I'm interested in learning more about assisting with maintaining.
> I'm not that experienced in this side of the OSS world, so I couldn't
> offer to take over maintaining, but I'm open to assisting and
> learning more.

Excellent! Help is definitely very much appreciated.

> I'd like to use my current issue to get my feet wet with this
> process.  You mentioned in your earlier post on the list that you
> thought some recent changes you had pushed through to make sure wget
> didn't issue cleartext authentication unless it received a challenge
> to do so may be the culprit.
> 
> I would be happy to assist troubleshooting.  I don't have an NTLM
> server that is available to the public right now.  If needed, I may
> be able to set one up.
> 
> Alternatively, if you could give me some details on your thoughts
> about the cleartext changes that may have affected it and what might
> correct it, I could compile and test the changes in my lab and share
> the results with you.

Okay. One of the first things I was struck by when I took on the
maintainer's mantle for Wget was that it always issues
cleartext-recoverable, HTTP Basic authentication without waiting for a
challenge, which if you're not running in a secure tunnel (SSL) is a
security problem (and in violation of current RFCs).

I actually mentioned this issue first in my "New wget maintainer"
announcement, in June of 2007:
http://article.gmane.org/gmane.comp.web.wget.general/6692; most of the
rest of the thread related to that was renamed "Basic auth by default".

I later followed this with a post entitled "HTTP Auth: Past, Present &
Future": http://article.gmane.org/gmane.comp.web.wget.general/6861
The "How it should work" section is still not quite finished yet, though
Julien Buty did some good work in that direction (Wget _does_ now
support password "asking" at the terminal). My hope was to have that
section implemented for 1.12, but I may decide to punt it for 1.13, so
we can polish the current implementation some more.

The authentication fixes for 1.11 are at
http://hg.addictivecode.org/wget/mainline/rev/963e690d3041

A further change was introduced at
http://hg.addictivecode.org/wget/mainline/rev/cff5d917155e to allow the
old behavior to be used when needed.

I suspect that a close look at the code will reveal to me where the
"thinko" is where NTLM is concerned; I just need to set aside some time
to peer around there.

--
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer.
GNU Maintainer: wget, screen, teseq
http://micah.cowan.name/
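
The challenge-gated behaviour described in this message (no Basic credentials before a challenge, with an opt-in for the old behaviour), written out as an added C example; it is not part of the original message and not wget's code. The names `choose_auth`, `scheme_of`, `sends_recoverable_password` and `legacy_preemptive`, and the ranking of NTLM above Digest, are assumptions of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Weakest to strongest; ranking NTLM above Digest is this example's assumption. */
enum auth_scheme { AUTH_NONE = 0, AUTH_BASIC, AUTH_DIGEST, AUTH_NTLM };

/* Map one WWW-Authenticate value to a scheme. The scheme token is
   case-insensitive and ends at a space or at the end of the string. */
static enum auth_scheme scheme_of(const char *challenge)
{
    static const char *const names[] = { "", "basic", "digest", "ntlm" };
    for (int s = AUTH_BASIC; s <= AUTH_NTLM; s++) {
        size_t n = strlen(names[s]), i = 0;
        while (i < n && tolower((unsigned char)challenge[i]) == names[s][i])
            i++;
        if (i == n && (challenge[n] == '\0' || challenge[n] == ' '))
            return (enum auth_scheme)s;
    }
    return AUTH_NONE; /* unknown scheme (e.g. Negotiate): ignored here */
}

/* Scheme the next request may use. chal/n: WWW-Authenticate values of the previous
   401 (n == 0 on the first request); legacy_preemptive: hypothetical opt-in. */
enum auth_scheme choose_auth(const char *const *chal, size_t n, int legacy_preemptive)
{
    enum auth_scheme best = AUTH_NONE;
    for (size_t i = 0; i < n; i++) {
        enum auth_scheme s = scheme_of(chal[i]);
        if (s > best) best = s;
    }
    /* No challenge yet: send no credentials unless explicitly opted in. */
    if (n == 0 && legacy_preemptive)
        return AUTH_BASIC;
    return best;
}

/* Basic is just base64(user:password): without TLS the password is readable. */
int sends_recoverable_password(enum auth_scheme s, int is_tls)
{
    return s == AUTH_BASIC && !is_tls;
}

int main(void)
{
    const char *const seen[] = { "NTLM", "Basic realm=\"intranet\"" }; /* constructed */
    int first = choose_auth(NULL, 0, 0), later = choose_auth(seen, 2, 0);
    printf("first request: %d, after 401: %d\n", first, later);
    return 0;
}
```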



