Posted to dev@subversion.apache.org by Hyrum K Wright <hy...@wandisco.com> on 2011/11/10 01:50:35 UTC

Caching just the username for authn

Somebody approached me a few minutes ago at ApacheCon and posed the
following question:
"The username on my local box is different than my username on the server,
and I don't want to cache passwords.  How can I cache just the username?"
 It turns out I didn't have a good answer for him, aside from the ability
to put '--username $FOO' on the command line.  Sander looked into the
config file and it turns out we don't have a configuration option which
users can set, either in a global context, or on a per-server scenario.

Before I run and file a bug on this, I'd like to make sure I'm not missing
something terribly obvious.  Am I?

-Hyrum

-- 

uberSVN: Apache Subversion Made Easy
http://www.uberSVN.com/

Re: Caching just the username for authn

Posted by Hyrum K Wright <hy...@wandisco.com>.
On Fri, Nov 11, 2011 at 6:27 AM, C. Michael Pilato <cm...@collab.net> wrote:

> On 11/10/2011 04:48 PM, Hyrum K Wright wrote:
> > The user I was talking to actually tried the above user@server syntax, but
> > with https (which didn't work as he expected).
>
> I tried this recently, too, and was rather surprised to find that it didn't
> do what I expected.  Of course, if you're going to embed the username in the
> command line, you can just as easily do so with "--username USERNAME".


True, and that's what I suggested as a workaround, but you'd still have to
use --username with every command line invocation, whereas switching to a
user@server URL is something that happens just once.

FYI, I followed up with the user in question, and the store-password=no
solution worked.

-Hyrum




Re: Caching just the username for authn

Posted by Branko Čibej <br...@xbc.nu>.
On 12.11.2011 20:34, Konstantin Kolinko wrote:
> Regarding user:passwd@host syntax it is up to browser how to interpret the URL.
> If browser cannot interpret username and password in the URL it is
> just browser's thing.

It is not up to the browser at all. See RFC-2616 (HTTP 1.1), section 3.2.2:

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2

It does not mention username or password anywhere. I think people tend
to confuse http:// with ftp://, which does allow embedding the username
and password in the URL.

-- Brane


Re: Caching just the username for authn

Posted by Branko Čibej <br...@xbc.nu>.
On 12.11.2011 22:44, Konstantin Kolinko wrote:
> 2011/11/13 Daniel Shahaf <d....@daniel.shahaf.name>:
>> Konstantin Kolinko wrote on Sat, Nov 12, 2011 at 23:34:49 +0400:
>>> 2011/11/12 Daniel Shahaf <d....@daniel.shahaf.name>:
>>>> While we're on this topic: is there an HTTP URL syntax that sets the
>>>> "Host:" header of the HTTP request?
>>>>
>>>>    curl -H "Host: foo" http://bar/percent_s
>>>>
>>>> (Well, what I really want is a way to tell $BROWSER to make such
>>>> requests, so I don't have to use curl | less each time I want to do
>>>> them.)
>>> Note, that "http://bar/percent_s" is not set through HTTP (unless you
>>> are talking through proxy, but that is a different use case).
>>>
>>> It just connects to "bar" and sends
>>> GET /percent_s HTTP/1.1
>>>
>>> Well, HTTP/1.1 added the Host header.
>>>
>>> If you need http://foo/ to be sent to server bar,  configure your DNS
>>> (e.g. by editing /etc/hosts) so that "foo" resolves to bar's IP
>>> address.
>> No.  I need the behaviour of that curl command, namely:
>>
>> [[[
>> % telnet bar 80
>> GET /percent_s HTTP/1.1
>> Host: foo
>>
>> ]]]
> You have to explain your reasons and find a different approach. You
> are trying to cheat.

Huh? How is that cheating? It's perfectly legitimate. Apache HTTPD, for
example, uses the Host: header to select the virtual host, and you can
have any number of those on a server.

-- Brane

Re: Caching just the username for authn

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
On Sunday, November 13, 2011 9:16 AM, "Konstantin Kolinko" <kn...@gmail.com> wrote:
> 2011/11/13 Daniel Shahaf <d....@daniel.shahaf.name>:
> > Konstantin Kolinko wrote on Sun, Nov 13, 2011 at 01:44:21 +0400:
> >> 2011/11/13 Daniel Shahaf <d....@daniel.shahaf.name>:
> >> > Konstantin Kolinko wrote on Sat, Nov 12, 2011 at 23:34:49 +0400:
> >> >> If you need http://foo/ to be sent to server bar,  configure your DNS
> >> >> (e.g. by editing /etc/hosts) so that "foo" resolves to bar's IP
> >> >> address.
> >> >
> >> > No.  I need the behaviour of that curl command, namely:
> >>
> >> You have to [...] and find a different approach.
> >
> > Actually, no.  I know how this works and I need the behaviour I stated,
> > so I'd appreciate it if you stopped trying to convince me otherwise.
> 
> The following plugin exists for Firefox:
> https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
> Its documentation on author's site:
> http://www.garethhunt.com/modifyheaders/help/

Thanks for the pointer!

Following Brane's comment I had made a mental note to look for such a
plugin when I next would invoke the curl magic, but it appears you just
saved me the trip. :-)

Re: Caching just the username for authn

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/11/13 Daniel Shahaf <d....@daniel.shahaf.name>:
> Konstantin Kolinko wrote on Sun, Nov 13, 2011 at 01:44:21 +0400:
>> 2011/11/13 Daniel Shahaf <d....@daniel.shahaf.name>:
>> > Konstantin Kolinko wrote on Sat, Nov 12, 2011 at 23:34:49 +0400:
>> >> If you need http://foo/ to be sent to server bar,  configure your DNS
>> >> (e.g. by editing /etc/hosts) so that "foo" resolves to bar's IP
>> >> address.
>> >
>> > No.  I need the behaviour of that curl command, namely:
>>
>> You have to [...] and find a different approach.
>
> Actually, no.  I know how this works and I need the behaviour I stated,
> so I'd appreciate it if you stopped trying to convince me otherwise.

The following plugin exists for Firefox:
https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
Its documentation on author's site:
http://www.garethhunt.com/modifyheaders/help/

Best regards,
Konstantin Kolinko

Re: Caching just the username for authn

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Konstantin Kolinko wrote on Sun, Nov 13, 2011 at 01:44:21 +0400:
> 2011/11/13 Daniel Shahaf <d....@daniel.shahaf.name>:
> > Konstantin Kolinko wrote on Sat, Nov 12, 2011 at 23:34:49 +0400:
> >> If you need http://foo/ to be sent to server bar,  configure your DNS
> >> (e.g. by editing /etc/hosts) so that "foo" resolves to bar's IP
> >> address.
> >
> > No.  I need the behaviour of that curl command, namely:
> 
> You have to [...] and find a different approach.

Actually, no.  I know how this works and I need the behaviour I stated,
so I'd appreciate it if you stopped trying to convince me otherwise.

Re: Caching just the username for authn

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/11/13 Daniel Shahaf <d....@daniel.shahaf.name>:
> Konstantin Kolinko wrote on Sat, Nov 12, 2011 at 23:34:49 +0400:
>> 2011/11/12 Daniel Shahaf <d....@daniel.shahaf.name>:
>> >
>> > While we're on this topic: is there an HTTP URL syntax that sets the
>> > "Host:" header of the HTTP request?
>> >
>> >    curl -H "Host: foo" http://bar/percent_s
>> >
>> > (Well, what I really want is a way to tell $BROWSER to make such
>> > requests, so I don't have to use curl | less each time I want to do
>> > them.)
>>
>> Note, that "http://bar/percent_s" is not set through HTTP (unless you
>> are talking through proxy, but that is a different use case).
>>
>> It just connects to "bar" and sends
>> GET /percent_s HTTP/1.1
>>
>> Well, HTTP/1.1 added the Host header.
>>
>> If you need http://foo/ to be sent to server bar,  configure your DNS
>> (e.g. by editing /etc/hosts) so that "foo" resolves to bar's IP
>> address.
>
> No.  I need the behaviour of that curl command, namely:
>
> [[[
> % telnet bar 80
> GET /percent_s HTTP/1.1
> Host: foo
>
> ]]]

You have to explain your reasons and find a different approach. You
are trying to cheat.

Best regards,
Konstantin Kolinko

Re: Caching just the username for authn

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Konstantin Kolinko wrote on Sat, Nov 12, 2011 at 23:34:49 +0400:
> 2011/11/12 Daniel Shahaf <d....@daniel.shahaf.name>:
> >
> > While we're on this topic: is there an HTTP URL syntax that sets the
> > "Host:" header of the HTTP request?
> >
> >    curl -H "Host: foo" http://bar/percent_s
> >
> > (Well, what I really want is a way to tell $BROWSER to make such
> > requests, so I don't have to use curl | less each time I want to do
> > them.)
> 
> Note, that "http://bar/percent_s" is not set through HTTP (unless you
> are talking through proxy, but that is a different use case).
> 
> It just connects to "bar" and sends
> GET /percent_s HTTP/1.1
> 
> Well, HTTP/1.1 added the Host header.
> 
> If you need http://foo/ to be sent to server bar,  configure your DNS
> (e.g. by editing /etc/hosts) so that "foo" resolves to bar's IP
> address.

No.  I need the behaviour of that curl command, namely:

[[[
% telnet bar 80
GET /percent_s HTTP/1.1
Host: foo

]]]

Thanks,


Re: Caching just the username for authn

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/11/12 Daniel Shahaf <d....@daniel.shahaf.name>:
>
> While we're on this topic: is there an HTTP URL syntax that sets the
> "Host:" header of the HTTP request?
>
>    curl -H "Host: foo" http://bar/percent_s
>
> (Well, what I really want is a way to tell $BROWSER to make such
> requests, so I don't have to use curl | less each time I want to do
> them.)

Note, that "http://bar/percent_s" is not set through HTTP (unless you
are talking through proxy, but that is a different use case).

It just connects to "bar" and sends
GET /percent_s HTTP/1.1

Well, HTTP/1.1 added the Host header.

If you need http://foo/ to be sent to server bar,  configure your DNS
(e.g. by editing /etc/hosts) so that "foo" resolves to bar's IP
address.

Regarding user:passwd@host syntax it is up to browser how to interpret the URL.
If browser cannot interpret username and password in the URL it is
just browser's thing.

I remember hearing 3 or more years ago that the commonly used web
browsers at that time were just silently swallowing the username and
password part before host name, and somebody used that for spoofing
http addresses.

Quick googling - it is year 2002 Mozilla bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=122445

See URL field and comment #2 in that bug report for an example.


Best regards,
Konstantin Kolinko
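
A check for the URL pattern discussed in the message above, as an added example that is not part of the original thread: it flags http(s) URLs that carry a userinfo part and reports the host that would actually be contacted. The function names, the host-lookalike heuristic and the sample text are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
# Heuristic (assumption): userinfo shaped like a DNS name is probably meant
# to be read as the destination by a human.
HOSTLIKE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

# Constructed sample text; none of these URLs come from the thread.
SAMPLE_TEXT = """\
Docs: https://svn.example.org/repos/trunk
Reset: http://www.trusted.example@198.51.100.7/login
Checkout: https://alice:s3cret@svn.example.org/repos
Path only: http://example.org/a@b
"""

def check_url(url):
    """Return a finding dict if an http(s) URL has userinfo, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or parts.username is None:
        return None
    user = unquote(parts.username)
    host = parts.hostname or ""
    return {
        "url": url,
        "real_host": host,            # what the client connects to
        "userinfo": user,             # what the reader sees first
        "has_password": parts.password is not None,
        "looks_like_host": bool(HOSTLIKE_RE.match(user)) and user.lower() != host,
    }

def scan_text(text):
    """Check every http(s) URL found in free text."""
    return [f for f in map(check_url, URL_RE.findall(text)) if f]

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_TEXT):
        print(finding)
```
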

Re: Caching just the username for authn

Posted by Branko Čibej <br...@xbc.nu>.
On 12.11.2011 08:12, Daniel Shahaf wrote:
> On Friday, November 11, 2011 9:31 PM, "Branko Čibej" <br...@xbc.nu> wrote:
>> On 11.11.2011 13:27, C. Michael Pilato wrote:
>>> On 11/10/2011 04:48 PM, Hyrum K Wright wrote:
>>>> The user I was talking to actually tried the above user@server syntax, but
>>>> with https (which didn't work as he expected).
>>> I tried this recently, too, and was rather surprised to find that it didn't
>>> do what I expected.
>> That's because the user:passwd@host syntax is not valid for HTTP URLs.
> While we're on this topic: is there an HTTP URL syntax that sets the
> "Host:" header of the HTTP request?
>
>     curl -H "Host: foo" http://bar/percent_s
>
> (Well, what I really want is a way to tell $BROWSER to make such
> requests, so I don't have to use curl | less each time I want to do
> them.)

Nope. When I want to do magic stuff with request headers, I either use
curl, or an appropriate browser plugin.

-- Brane


Re: Caching just the username for authn

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
On Friday, November 11, 2011 9:31 PM, "Branko Čibej" <br...@xbc.nu> wrote:
> On 11.11.2011 13:27, C. Michael Pilato wrote:
> > On 11/10/2011 04:48 PM, Hyrum K Wright wrote:
> >> The user I was talking to actually tried the above user@server syntax, but
> >> with https (which didn't work as he expected).
> > I tried this recently, too, and was rather surprised to find that it didn't
> > do what I expected.
> 
> That's because the user:passwd@host syntax is not valid for HTTP URLs.

While we're on this topic: is there an HTTP URL syntax that sets the
"Host:" header of the HTTP request?

    curl -H "Host: foo" http://bar/percent_s

(Well, what I really want is a way to tell $BROWSER to make such
requests, so I don't have to use curl | less each time I want to do
them.)

Thanks,

Daniel

Re: Caching just the username for authn

Posted by Branko Čibej <br...@xbc.nu>.
On 11.11.2011 13:27, C. Michael Pilato wrote:
> On 11/10/2011 04:48 PM, Hyrum K Wright wrote:
>> The user I was talking to actually tried the above user@server syntax, but
>> with https (which didn't work as he expected).
> I tried this recently, too, and was rather surprised to find that it didn't
> do what I expected.

That's because the user:passwd@host syntax is not valid for HTTP URLs.

-- Brane


Re: Caching just the username for authn

Posted by "C. Michael Pilato" <cm...@collab.net>.
On 11/10/2011 04:48 PM, Hyrum K Wright wrote:
> The user I was talking to actually tried the above user@server syntax, but
> with https (which didn't work as he expected).

I tried this recently, too, and was rather surprised to find that it didn't
do what I expected.  Of course, if you're going to embed the username in the
command line, you can just as easily do so with "--username USERNAME".

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand


Re: Caching just the username for authn

Posted by Hyrum K Wright <hy...@wandisco.com>.
On Thu, Nov 10, 2011 at 3:13 PM, Peter Samuelson <pe...@p12n.org> wrote:

>
> [Hyrum K Wright]
> > "The username on my local box is different than my username on the server,
> > and I don't want to cache passwords.  How can I cache just the username?"
>
> Aside from the real answer Stefan gave, with svn+ssh you can specify
> user@server in the URI, and that is retained.  Alternatively, configure
> per-server usernames in OpenSSH client configuration (~/.ssh/config).


The user I was talking to actually tried the above user@server syntax, but
with https (which didn't work as he expected).

-Hyrum



Re: Caching just the username for authn

Posted by Peter Samuelson <pe...@p12n.org>.
[Hyrum K Wright]
> "The username on my local box is different than my username on the server,
> and I don't want to cache passwords.  How can I cache just the username?"

Aside from the real answer Stefan gave, with svn+ssh you can specify
user@server in the URI, and that is retained.  Alternatively, configure
per-server usernames in OpenSSH client configuration (~/.ssh/config).

Re: Caching just the username for authn

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/11/10 Hyrum K Wright <hy...@wandisco.com>:
> Somebody approached me a few minutes ago at ApacheCon and posed the
> following question:
> "The username on my local box is different than my username on the server,
> and I don't want to cache passwords.  How can I cache just the username?"
>  It turns out I didn't have a good answer for him, aside from the ability to
> put '--username $FOO' on the command line.  Sander looked into the config
> file and it turns out we don't have a configuration option which users can
> set, either in a global context, or on a per-server scenario.
> Before I run and file a bug on this, I'd like to make sure I'm not missing
> something terribly obvious.  Am I?

There might be some caching somewhere.

On my PC there is the following folder:
%APPDATA%\Subversion\auth\svn.username\

It contains a file with some numeric name and containing
[[[
K 15
svn:realmstring
V 36
<some UUID here>
K 8
username
V 10
<name here>
END
]]]

It is not my usual user name, but one I used in some scripts with
--no-auth-cache --non-interactive.

Modification date of that file is ~year ago, so it is likely that it
was last updated by a SVN 1.6 client.

None of my usual user names is mentioned in that folder.

Best regards,
Konstantin Kolinko

Re: Caching just the username for authn

Posted by Stefan Sperling <st...@elego.de>.
On Wed, Nov 09, 2011 at 06:50:35PM -0600, Hyrum K Wright wrote:
> Somebody approached me a few minutes ago at ApacheCon and posed the
> following question:
> "The username on my local box is different than my username on the server,
> and I don't want to cache passwords.  How can I cache just the username?"
>  It turns out I didn't have a good answer for him, aside from the ability
> to put '--username $FOO' on the command line.  Sander looked into the
> config file and it turns out we don't have a configuration option which
> users can set, either in a global context, or on a per-server scenario.
> 
> Before I run and file a bug on this, I'd like to make sure I'm not missing
> something terribly obvious.  Am I?

Putting 'store-passwords = no' in the [global] section of
the 'server' config should have the desired effect.
While passwords won't be cached, the username will still be cached.

The no-auth-cache option is the one that disables the entire
~/.subversion/auth area -- this option also affects caching of usernames,
SSL certs, etc.
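
One way to verify on disk what the two messages above describe (the cache file layout Konstantin quotes, and usernames being cached without passwords), as an added example that is not part of the thread or of Subversion's own code. The `svn.simple` directory name and the `password` key are assumptions drawn from how Subversion's auth area is laid out, not from this thread, and all sample values are constructed.

```python
import io
import tempfile
from pathlib import Path

def _read_counted(buf, n):  # n bytes plus the newline that ends the field
    chunk = buf.read(n)
    if len(chunk) != n or buf.read(1) != b"\n":
        raise ValueError("truncated or malformed record")
    return chunk.decode("utf-8")

def parse_svn_hash(data):
    """Parse the 'K len / key / V len / value / END' layout quoted in the thread."""
    buf, out = io.BytesIO(data), {}
    while True:
        header = buf.readline().rstrip(b"\n")
        if header == b"END":
            return out
        if not header.startswith(b"K "):
            raise ValueError("expected 'K <len>' or END, got %r" % header)
        key = _read_counted(buf, int(header[2:]))
        header = buf.readline().rstrip(b"\n")
        if not header.startswith(b"V "):
            raise ValueError("expected 'V <len>', got %r" % header)
        out[key] = _read_counted(buf, int(header[2:]))

def dump_svn_hash(fields):  # inverse of parse_svn_hash, used to build the samples
    parts = []
    for k, v in fields.items():
        kb, vb = k.encode(), v.encode()
        parts.append(b"K %d\n%s\nV %d\n%s\n" % (len(kb), kb, len(vb), vb))
    return b"".join(parts) + b"END\n"

def audit_auth_area(auth_dir):
    """Return (provider_dir, username, has_password) for each cached entry."""
    findings = []
    for path in sorted(Path(auth_dir).glob("*/*")):
        if path.is_file():
            rec = parse_svn_hash(path.read_bytes())
            findings.append((path.parent.name, rec.get("username"), "password" in rec))
    return findings

def demo():  # constructed auth area: one username-only entry, one with a password
    sample = {
        "svn.username": {"svn:realmstring": "00000000-0000-0000-0000-000000000000",
                         "username": "build-user"},
        "svn.simple": {"svn:realmstring": "<https://svn.example.org:443> Constructed",
                       "username": "alice", "password": "constructed-secret"},
    }
    with tempfile.TemporaryDirectory() as root:
        for kind, fields in sample.items():
            Path(root, kind).mkdir()
            Path(root, kind, "0123abcd").write_bytes(dump_svn_hash(fields))
        return audit_auth_area(root)

if __name__ == "__main__":
    print(demo())
```

Pointing `audit_auth_area` at a real auth directory lists every cached entry; any row whose last field is `True` still holds a password in the file.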