No Option to Specify HTTP Digest Authentication #7348

Closed
cyberduck opened this issue Jul 16, 2013 · 7 comments
Labels
bug fixed webdav WebDAV Protocol Implementation

34b3728 created the issue

CyberDuck always tries an HTTP/Authenticate with Basic with WebDAV first, even if the connection is not protected with SSL or TLS.

WebDAV RFC 4918 (sect 20.1) states "Basic authentication MUST NOT be used to authenticate a WebDAV client to a server unless the connection is secure."

@dkocher commented

You can disable preemptive authentication as of eed65d7 with defaults write ch.sudo.cyberduck webdav.basic.preemptive false. Display unsecure connection alert if property is enabled and connection is not TLS.

34b3728 commented

Pre-emptively sending credentials amounts to a security disclosure. You are sending credentials that can easily be converted to plain text.

Also, I still can't get it to work with 9febb7e, even with webdav.basic.preemptive set to false.

See attached: in 9febb7e it warns me the connection is unsecured, even though I'm using SSL (Cyberduck 7348 a.png),

and it still tries to use basic authentication, even when I have pre-emptive basic authentication disabled (Cyberduck 7348 b.png).

@dkocher commented

Added tests and unsecure warning fixed in 929c61b. Can you please post the transcript from the log drawer (⌘-L) running this revision?

34b3728 commented

Same error.

It looks like it is ignoring my ch.sudo.cyberduck webdav.basic.preemptive setting.

Here is the log:

HEAD /namespace/tprime/ HTTP/1.1
Host: prod.lattusdemo.com
Connection: Keep-Alive
User-Agent: Cyberduck/4.4 (Mac OS X/10.7.5) (x86_64)
Authorization: Basic dHByaW1lOjIyNjRJUQ==
HTTP/1.1 400 invalid digest keyword
DAV: 1,3
Date: Thu, 22 Aug 2013 16:48:58 GMT
Server: Quantum-Lattus/3.1.3-280be6a0cc162ad50c8abf484bfbcddd737fa6fc

34b3728 commented

Another screenshot if it helps:

CyberDuck 7348 c.png

@dkocher commented

I suppose the problem is that you have installed Cyberduck from the Mac App Store as well and there are user defaults for the sandboxed version of Cyberduck in ~/Library/Containers/ch.sudo.cyberduck/Data/Library/Preferences/ch.sudo.cyberduck. If this exists, the defaults command writes changes to this configuration only.

As a workaround you can remove the application data in ~/Library/Containers/ch.sudo.cyberduck. I have not found how to force defaults to write changes to application preferences in ~/Library/Preferences.

@dkocher commented

Added fallback handling for 400 error response after preemptive authentication in b2e0792.

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021
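
An added example, not part of the original thread and not Cyberduck's code: a Python model of the scheme-selection policy discussed above (no Basic without TLS per RFC 4918 section 20.1, prefer Digest when challenged, fall back after a 400 to preemptive credentials). The function and action names are hypothetical, the URLs are constructed, each WWW-Authenticate value is assumed to carry one challenge, and treating the 400 fallback as "retry without credentials" is an assumption about what such handling does.

```python
from urllib.parse import urlsplit

def is_secure(url):
    """True when the request would travel over TLS."""
    return urlsplit(url).scheme.lower() == "https"

def offered_schemes(www_authenticate):
    """Scheme names from WWW-Authenticate values (assumes one challenge per value)."""
    return {v.split(None, 1)[0].lower() for v in www_authenticate if v.strip()}

def first_request_scheme(url, preemptive_basic):
    """Scheme to send before any challenge; None means send no credentials."""
    # Preemptive Basic is acceptable only when the setting is on AND the link is TLS.
    return "basic" if preemptive_basic and is_secure(url) else None

def on_response(url, status, www_authenticate, sent_scheme):
    """Decide the next step after a response; returns a (hypothetical) action name."""
    if status == 400 and sent_scheme is not None:
        # Server rejected unsolicited credentials (the log in this thread shows
        # "400 invalid digest keyword"): retry bare and wait for a challenge.
        return "retry-without-credentials"
    if status != 401:
        return "done"
    offered = offered_schemes(www_authenticate)
    if "digest" in offered:
        return "retry-digest"  # the password itself is not sent
    if "basic" in offered:
        # RFC 4918 section 20.1: Basic only over a secure connection.
        return "retry-basic" if is_secure(url) else "refuse-basic-over-http"
    return "no-supported-scheme"
```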