
#7257 closed defect (thirdparty)

Seems to be using Basic Authentication scheme only

Reported by: tpreissler Owned by: dkocher
Priority: normal Milestone: 4.4
Component: webdav Version: 4.3.1
Severity: major Keywords: authentication schema digest basic
Cc: Architecture: Intel
Platform: Windows 7

Description

Hello,

We recently came across a weird problem using the latest version 4.3.1 on Windows. Server is set up like the following:

AuthName XXXXX
AuthType Digest
AuthDigestFile $DIR/access/XXXXX.password

When connecting with Cyberduck, the connection always fails with:

172.28.1.114 - - [16/May/2013:16:20:07 +0000] "HEAD /$DIR2/ HTTP/1.1" 401 0 "-" "Cyberduck/4.3.1 (11008) (Windows 7/6.1) (x86)" "-"

Though the password file looks similar to

XXXXX:XXXXX:012345678abcdef...

And the Apache error.log states

Thu May 16 16:42:35 2013] [error] client used wrong authentication scheme: Basic for /$DIR2/
[Thu May 16 16:42:35 2013] [error] [client 172.28.1.114] user XXXXX: password mismatch: /$DIR2/

I can see in various places that Cyberduck should be supporting Digest authentication, I even found a commit 4 years ago stating that exactly. But still, it seems Cyberduck is insisting on Basic Auth only. I can successfully connect with IE - though I cannot upload files obviously, but the authentication works just fine with the same password as provided to Cyberduck.

Regards

Thomas

Change History (9)

comment:1 follow-up: Changed on May 17, 2013 at 10:01:03 AM by dkocher

Please post the transcript from the log drawer (Ctrl-L).

comment:2 Changed on May 17, 2013 at 10:01:15 AM by dkocher

  • Component changed from core to webdav
  • Milestone set to 4.3.2
  • Owner set to dkocher
  • Status changed from new to assigned

comment:3 in reply to: ↑ 1 Changed on May 17, 2013 at 10:20:33 AM by tpreissler

HEAD /cyberduck/ HTTP/1.1
Host: $HOST
Connection: Keep-Alive
User-Agent: Cyberduck/4.3.1 (11008) (Windows 7/6.1) (x86)
Authorization: Basic Y3liZXJkdWNrOktZYlBJY1BVSTZ4Vlk=
HTTP/1.1 401 Authorization Required
Date: Fri, 17 May 2013 10:19:09 GMT
Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e mod_perl/1.29 DAV/1.0.3
WWW-Authenticate: Digest realm="cyberduck", nonce="bdf1958b9fa1cff9adf3a5db37787fd91368785949"
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
HEAD /cyberduck/ HTTP/1.1
Host: $HOST
Connection: Keep-Alive
User-Agent: Cyberduck/4.3.1 (11008) (Windows 7/6.1) (x86)
Authorization: Digest username="cyberduck", realm="cyberduck", nonce="bdf1958b9fa1cff9adf3a5db37787fd91368785949", uri="/cyberduck/", response="22ed3155d349f69e1a590596179dbf90", algorithm="MD5"
HTTP/1.1 401 Authorization Required
Date: Fri, 17 May 2013 10:19:09 GMT
Server: Apache/1.3.33 (Debian GNU/Linux) mod_ssl/2.8.22 OpenSSL/0.9.7e mod_perl/1.29 DAV/1.0.3
WWW-Authenticate: Digest realm="cyberduck", nonce="bdf1958b9fa1cff9adf3a5db37787fd91368785949"
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

comment:4 Changed on May 17, 2013 at 4:33:07 PM by dkocher

  • Resolution set to thirdparty
  • Status changed from assigned to closed

Looks fine to me. The first request uses Preemptive Basic Authentication but fails because your server requires Digest access authentication. A second request is issued with a response to the digest challenge. But it looks like the credentials are not accepted as a 401 status code is received.

comment:5 follow-up: Changed on May 20, 2013 at 8:35:23 AM by tpreissler

Many thanks for that.

Unfortunately I just don't get it. I just reset the password to something really simple and still cannot get in with Cyberduck.

When I try it with IE and/or Firefox it is all working alright, no problem. No "client used wrong authentication scheme:" turn up for these clients in the error.log.

Is there somewhere where I have to provide the "realm"?

comment:6 in reply to: ↑ 5 ; follow-up: Changed on May 20, 2013 at 9:12:34 AM by dkocher

Replying to tpreissler:

When I try it with IE and/or Firefox it is all working alright, no problem. No "client used wrong authentication scheme:" turn up for these clients in the error.log.

This is because of the preemptive basic authentication attempt. This should however not affect in any way the second authentication attempt using digest authentication.

comment:7 in reply to: ↑ 6 ; follow-up: Changed on May 20, 2013 at 1:06:14 PM by tpreissler

I am sorry to be a pain.

This still doesn't explain when the server is configured to use Digest only, Cyberduck's auth request is declined from the server with a 401, whereas IE/Firefox (also using Digest and the same username/password) can get in alright.

Is it possible that the password is encoded differently?

comment:8 Changed on May 20, 2013 at 8:49:20 PM by dkocher

  • Summary changed from Cyberduck 4.3.1 (Windows) seems to be using Basic Authentication scheme only to Seems to be using Basic Authentication scheme only

comment:9 in reply to: ↑ 7 Changed on May 20, 2013 at 8:52:16 PM by dkocher

Replying to tpreissler:

I am sorry to be a pain.

This still doesn't explain when the server is configured to use Digest only, Cyberduck's auth request is declined from the server with a 401, whereas IE/Firefox (also using Digest and the same username/password) can get in alright.

Is it possible that the password is encoded differently?

That is correct. I have no explanation why the authentication is refused. The authorization response could be badly written by Cyberduck due to a bug, but I doubt it because I cannot replicate any issues with other HTTP servers requiring digest authentication.

Therefore I presume your authentication credentials supplied are different or you are trying to access a different resource on the web server.
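
Added example (not part of the ticket, and not Cyberduck or Apache code): a server-side check of a logged Digest header against the htdigest entry, covering the no-qop challenge seen in comment 3 and the password-encoding question from comment 7. The account, realm, password and nonce in the demo are constructed, and the function names are this example's own.

```python
import hashlib
import re

def md5_hex(text: str, charset: str = "iso-8859-1") -> str:
    return hashlib.md5(text.encode(charset)).hexdigest()

def ha1(user: str, realm: str, password: str, charset: str = "iso-8859-1") -> str:
    """Third field of an htdigest (AuthDigestFile) line: MD5(user:realm:password)."""
    return md5_hex(f"{user}:{realm}:{password}", charset)

def parse_digest(header: str) -> dict:
    """Parse the value of an 'Authorization: Digest ...' header into a dict."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', header)
    return {key: quoted or bare for key, quoted, bare in pairs}

def expected_response(stored_ha1: str, method: str, p: dict) -> str:
    ha2 = md5_hex(f"{method}:{p['uri']}")
    if p.get("qop"):  # RFC 2617: nonce:nc:cnonce:qop sits between HA1 and HA2
        middle = f"{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}"
    else:             # legacy RFC 2069 form: the ticket's challenge offers no qop
        middle = p["nonce"]
    return md5_hex(f"{stored_ha1}:{middle}:{ha2}")

def check_header(header: str, method: str, htdigest_line: str) -> str:
    """Compare a captured header with what the htdigest entry would produce."""
    user, realm, stored_ha1 = htdigest_line.strip().split(":", 2)
    p = parse_digest(header)
    if (p.get("username"), p.get("realm")) != (user, realm):
        return "user/realm mismatch"
    if expected_response(stored_ha1, method, p) == p.get("response", "").lower():
        return "ok"
    return "response mismatch"

if __name__ == "__main__":
    # Constructed sample, shaped like the second request in the transcript.
    # Assumption: the htdigest entry was hashed from Latin-1 password bytes.
    line = "alice:files:" + ha1("alice", "files", "pässword")
    for cs in ("iso-8859-1", "utf-8"):  # the client may encode the password either way
        p = {"nonce": "constructed-nonce", "uri": "/files/"}
        resp = expected_response(ha1("alice", "files", "pässword", cs), "HEAD", p)
        hdr = (f'Digest username="alice", realm="files", nonce="{p["nonce"]}", '
               f'uri="{p["uri"]}", response="{resp}", algorithm="MD5"')
        print(cs, "->", check_header(hdr, "HEAD", line))
```

A "response mismatch" with matching user and realm narrows the cause to the password bytes, the method or the uri the client hashed.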
