[Bug 227511] New: opensuseupdater doesn't authenticate to http proxy
https://bugzilla.novell.com/show_bug.cgi?id=227511

Summary: opensuseupdater doesn't authenticate to http proxy
Product: openSUSE 10.2
Version: Final
Platform: x86
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: libzypp
AssignedTo: kkaempf@novell.com
ReportedBy: mludvig@logix.net.nz
QAContact: kkaempf@novell.com

My company web proxy (Squid) requires authentication - I have configured it in yast2 Proxy module and all relevant Yast modules seem to accept it. However opensuseupdater does not - with tcpdump I can see it tries to access the proxy, the proxy responds with "407 Proxy Authentication Required" upon which updater sends "Proxy-Authorization: Basic Og==" (where Og== is colon ":" in base64).

It looks like the opensuseupdater knows it should use username and password for the proxy but fails to know these credentials.

It basically prevents me from using opensuseupdater and would eventually have to go back to the zmd/mono beast.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=227511

dmacvicar@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |mc@novell.com

------- Comment #1 from dmacvicar@novell.com 2006-12-11 09:37 MST -------
opensuse-updater just calls zypp-checkpatches, which links against libzypp, which reads proxy information from /etc/proxy/sysconfig.

It seems libzypp does not read the proxy authentication from there, but from HOME/.curlrc, but according to the YaST module, you can specify the proxy auth information there:

"If you are using a proxy server with authorization, enter Proxy User Name and Proxy Password. A valid username consists of printable ASCII characters (except for quotation marks) only."
https://bugzilla.novell.com/show_bug.cgi?id=227511

mt@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|mc@novell.com               |

------- Comment #2 from mt@novell.com 2006-12-11 09:50 MST -------
/sbin/yast2 proxy writes the proxy host+port values (url's) to /etc/sysconfig/proxy and the username and password to the /root/.curlrc, e.g.:

  proxy-user = "foo:bar"

libzypp reads both files, except somebody specified a proxy, proxyuser, proxypass as url arguments, e.g.:

  http://server/path?proxy=myproxy&proxyuser=foo&proxypass=bar

Note, that the /root/.curlrc has to be owned by root or zypp will ignore it.
https://bugzilla.novell.com/show_bug.cgi?id=227511

------- Comment #3 from mludvig@logix.net.nz 2006-12-11 16:12 MST -------
That's the problem - the password IS set in ~root/.curlrc but opensuse-updater (is that how the KDE icon / applet is called, isn't it?) runs with privileges of my normal user. Unfortunately in ~mludvig/.curlrc the password is not set.

Now I anticipate arguments about security considerations ;-)

Well, how about having a checkbox in the Yast proxy module saying something like "Disclose this username and password to users" (maybe "... in group wheel" or something). And then put it in /etc/curlrc?

Or at least make opensuse-updater complain loudly when the proxy asks for authorization but that can't be found in .curlrc and/or $http_proxy.
https://bugzilla.novell.com/show_bug.cgi?id=227511

mludvig@logix.net.nz changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|                       |227513
https://bugzilla.novell.com/show_bug.cgi?id=227511

mludvig@logix.net.nz changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|227513                 |
https://bugzilla.novell.com/show_bug.cgi?id=227511

------- Comment #4 from mludvig@logix.net.nz 2006-12-11 22:23 MST -------
BTW It still doesn't work even after I put the credentials to ~/.curlrc and restarted opensuseupdater

mludvig@zofka:~> cat .curlrc
proxy-user = "webuser:webpass"
mludvig@zofka:~> ls -l .curlrc
-rw------- 1 mludvig users 31 2006-12-12 14:33 .curlrc
https://bugzilla.novell.com/show_bug.cgi?id=227511

dmacvicar@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO
      Info Provider|                            |mludvig@logix.net.nz

------- Comment #5 from dmacvicar@novell.com 2006-12-12 03:35 MST -------
Comment #3 is incorrect. Please forget about the applet. The applet is dumb. The real guilty here is a binary the applet launches. This binary is run by the user, but the binary has the suid bit on (+s).

I think the bug could be that HOME is defined in this case as the user's home, but zypp still looks if the curl file is owned by root. I mean, this implies zypp is not taking the case where a user runs a suid program linked to it.

Michal, can you please chown /home/mludvig/.curlrc to root but give permissions to others to read? I want:

mludvig@zofka:~> ls -l .curlrc
-rw-r--r-- 1 root users 31 2006-12-12 14:33 .curlrc

and see if it works.
https://bugzilla.novell.com/show_bug.cgi?id=227511

------- Comment #6 from mvidner@novell.com 2006-12-12 03:39 MST -------
HOME is not defined. The suid wrapper clears the environment.
https://bugzilla.novell.com/show_bug.cgi?id=227511

------- Comment #7 from dmacvicar@novell.com 2006-12-12 03:54 MST -------
That is the reason then. zypp is not finding curlrc at all. And even if HOME is not cleaned, the user's curlrc is not owned by root, as zypp checks first.

Which is the guilty component here?
https://bugzilla.novell.com/show_bug.cgi?id=227511

mludvig@logix.net.nz changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|mludvig@logix.net.nz        |

------- Comment #8 from mludvig@logix.net.nz 2006-12-12 15:03 MST -------
W.r.t. comment #5 - chmod/chown as per your request didn't help.
https://bugzilla.novell.com/show_bug.cgi?id=227511

dmacvicar@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|opensuseupdater doesn't authenticate to http proxy |[zypper][libzypp] doesn't authenticate to http proxy
https://bugzilla.novell.com/show_bug.cgi?id=227511

------- Comment #9 from amp68@verizon.net 2007-05-01 07:55 MST -------
I am having this exact same error with the zmd. Could it be the same problem?
https://bugzilla.novell.com/show_bug.cgi?id=227511

iladijas+suse@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |iladijas+suse@gmail.com

------- Comment #10 from iladijas+suse@gmail.com 2007-05-16 13:21 MST -------
--
[~]$ wbinfo -u
DOMAIN\sjd
[~]# kinit -V sjd
Password for sjd@xyzproxy.full.domain-name.com: **********
Authenticated to Kerberos v5
--
[~]$ wbinfo -i DOMAIN\\sjd
DOMAIN\sjd:*:10000:10002:Sajid Ali:/home/DOMAIN/sjd:/bin/bash
[~]$ wbinfo --separator
\
[~]$ wbinfo --krb5auth=DOMAIN\\sjd%0password\)
plaintext kerberos password authentication for [DOMAIN\sjd%0password)] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_10000
plaintext kerberos password authentication for [DOMAIN\sjd%0password\)] succeeded (requesting cctype: KCM)
no credentials cached
plaintext kerberos password authentication for [DOMAIN\sjd%0password)] succeeded (requesting cctype: KCM:0)
no credentials cached
plaintext kerberos password authentication for [DOMAIN\sjd%0password)] succeeded (requesting cctype: Garbage)
no credentials cached
plaintext kerberos password authentication for [DOMAIN\sjd%0password)] succeeded (requesting cctype: (null))
no credentials cached
plaintext kerberos password authentication for [DOMAIN\sjd%0password)] succeeded (requesting cctype: 0)
no credentials cached
--
[~]# ls -l /root/.curlrc
-rw-r--r-- 1 root root 82 May 16 22:05 /root/.curlrc
[~]# ls -l /home/DOMAIN/sjd/.curlrc
ls: cannot access /home/DOMAIN/sjd/.curlrc: No such file or directory
[~]# cp -vp /root/.curlrc /home/DOMAIN/sjd/
`/root/.curlrc' -> `/home/DOMAIN/sjd/.curlrc'
[~]# ls -l /home/DOMAIN/sjd/.curlrc
-rw-r--r-- 1 root root 82 May 16 22:05 /home/DOMAIN/sjd/.curlrc     <- -rw-r--r-- (readable by group|other)
--
[~]# cat /root/.curlrc
# Changed by YaST2 module proxy 05/16/2007     <- changed by YaST2, of course, as noted by YaST2
proxy-user = "DOMAIN\\sjd:0password\)"
--
[~]# cat /etc/sysconfig/proxy
PROXY_ENABLED="yes"
HTTP_PROXY="DOMAIN\\sjd:0password\)@xyzproxy.full.domain-name.com:8080"
HTTPS_PROXY="DOMAIN\\sjd:0password\)@xyzproxy.full.domain-name.com:8080"
FTP_PROXY="DOMAIN\\sjd:0password\)@xyzproxy.full.domain-name.com:8080"
GOPHER_PROXY=""
NO_PROXY="localhost, 127.0.0.1"

__note__:
username: domain\sjd
password: 0password)     <- yes, zero & right parenthesis are part of the password
--
[~]# cat /home/INT/sjd/.profile
http_proxy=DOMAIN\\sjd:0password\)@xyzproxy.full.domain-name.com:8080
ftp_proxy=DOMAIN\\sjd:0password\)@xyzproxy.full.domain-name.com:8080
https_proxy=DOMAIN\\sjd:0password\)@xyzproxy.full.domain-name.com:8080
--
[~]# env | grep proxy
http_proxy=http://xyzproxy.full.domain-name.com:8080
ftp_proxy=http://xyzproxy.full.domain-name.com:8080
https_proxy=http://xyzproxy.full.domain-name.com:8080
no_proxy=localhost, 127.0.0.1
-- Installation repos
[~]# zypper sl
# | Enabled | Refresh | Type | Name                                    | URI
--+---------+---------+------+-----------------------------------------+------------------------------------------------------------------
1 | Yes     | Yes     | YaST | 20070210-123801                         | ftp://mirrors.kernel.org/opensuse/distribution/10.2/repo/non-oss/
2 | Yes     | Yes     | YUM  | http://packman.unixheads.com/suse/10.2/ | http://packman.unixheads.com/suse/10.2/
3 | Yes     | Yes     | YaST | 20070210-123301                         | ftp://mirrors.kernel.org/opensuse/distribution/10.2/repo/oss
-- zypper list update fails
[~]# zypper lu
Restoring system sources...
Not found: Media Exception
Not found: Media Exception
Please insert media [Curl error for: ftp://mirrors.kernel.org/opensuse/distribution/10.2/repo/non-oss/media.1/directory.yast: Error code: HTTP response: 407 Error message: The requested URL returned error: 407 ] # 1.
Retry [y/n]: n
Please insert media [Curl error for: http://packman.unixheads.com/suse/10.2/repodata/repomd.xml: Error code: HTTP response: 407 Error message: The requested URL returned error: 407 ] # 1.
Retry [y/n]: n
I/O error: Can't provide /repodata/repomd.xml from http://packman.unixheads.com/suse/10.2/
(A)bort, (R)etry, (I)gnore? a
I/O error: Can't provide /repodata/repomd.xml from http://packman.unixheads.com/suse/10.2/
Not found: Media Exception
Not found: Media Exception
Please insert media [Curl error for: ftp://mirrors.kernel.org/opensuse/distribution/10.2/repo/oss/media.1/directory.yast: Error code: HTTP response: 407 Error message: The requested URL returned error: 407 ] # 1.
Retry [y/n]: n
Failed to restore sources
-- YaST Online update fails
[~]# you
URL: ftp://mirrors.kernel.org/opensuse/distribution/10.2/repo/non-oss/
Curl error for: ftp://mirrors.kernel.org/opensuse/distribution/10.2/repo/non-oss/media.1/directory.yast: Error code: HTTP response: 407 Error message: The requested URL returned error: 407
URL: http://packman.unixheads.com/suse/10.2/
Curl error for: http://packman.unixheads.com/suse/10.2/repodata/repomd.xml: Error code: HTTP response: 407 Error message: The requested URL returned error: 407
http://packman.unixheads.com/suse/10.2/
Can't provide /repodata/repomd.xml from http://packman.unixheads.com/suse/10.2/
URL: ftp://mirrors.kernel.org/opensuse/distribution/10.2/repo/oss
Curl error for: ftp://mirrors.kernel.org/opensuse/distribution/10.2/repo/oss/media.1/directory.yast: Error code: HTTP response: 407 Error message: The requested URL returned error: 407

Please help.

--
Sajid Ali
"Information is not knowledge." -Albert Einstein
https://bugzilla.novell.com/show_bug.cgi?id=227511#c11
Duncan Mac-Vicar
https://bugzilla.novell.com/show_bug.cgi?id=227511#c12
Andrew Pastuszak
https://bugzilla.novell.com/show_bug.cgi?id=227511#c13
Ján Kupec
> Jano, this was fixed in 10.3 yes? Can be closed?

The only thing that has been changed in 10.3 in this regard is the incorrect parsing of .curlrc (so comment #10 should be fixed). The undefined HOME (due to the suid - comment #6) was probably not dealt with. What can we do about it?
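An added example, not part of the thread and not libzypp's code: one way a privileged helper could locate and vet the credentials file when HOME has been cleared, written in Python for brevity. The function names and the root-only default policy are assumptions made for this sketch.

```python
import os
import pwd
import stat


def curlrc_for_real_user():
    """Path of .curlrc for the invoking user, taken from the passwd database.

    A set-uid helper whose environment was cleared has no HOME, and HOME is
    caller-controlled anyway, so it is not consulted.
    """
    return os.path.join(pwd.getpwuid(os.getuid()).pw_dir, ".curlrc")


def read_trusted_config(path, trusted_uids, max_bytes=65536):
    """Return the file's text if it passes the checks, else raise OSError.

    trusted_uids: owners accepted for the file, e.g. {0} for root only.
    """
    # O_NOFOLLOW: refuse a symlink as the final path component.
    # O_NONBLOCK: do not hang if the path turns out to be a FIFO.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        # fstat the open descriptor so the checks apply to the object that
        # is actually read (no check-then-open race).
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid not in trusted_uids:
            raise PermissionError(f"{path}: owner uid {st.st_uid} is not trusted")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path}: writable by group or others")
        return os.read(fd, max_bytes).decode("utf-8")
    finally:
        os.close(fd)


def load_proxy_config(trusted_uids=frozenset({0})):
    """Assumed policy: root-owned file only, as in the check the thread describes.

    Adding os.getuid() to trusted_uids lets the invoking user decide what a
    privileged process sends, so do that only if nothing but proxy-user is used.
    """
    try:
        return read_trusted_config(curlrc_for_real_user(), trusted_uids)
    except (OSError, KeyError) as exc:
        # Report the failure instead of silently sending an empty credential.
        raise RuntimeError(f"proxy credentials unavailable: {exc}") from exc
```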
https://bugzilla.novell.com/show_bug.cgi?id=227511
Duncan Mac-Vicar
https://bugzilla.novell.com/show_bug.cgi?id=227511#c14
Senthil Nachimuthu
https://bugzilla.novell.com/show_bug.cgi?id=227511#c15
--- Comment #15 from Andrew Pastuszak
https://bugzilla.novell.com/show_bug.cgi?id=227511#c16
Ján Kupec
https://bugzilla.novell.com/show_bug.cgi?id=227511#c17
--- Comment #17 from Ján Kupec
https://bugzilla.novell.com/show_bug.cgi?id=227511#c18
--- Comment #18 from Senthil Nachimuthu
> BTW, confirmed, any of the following is correct, -- and = are optional:
>
> long-opt value
> --long-opt value
> long-opt = value
> --long-opt = value
>
> the correct way would be to fix it in libzypp, but let's use the '=' for now.

Can you tell me where you found documentation for the .curlrc file syntax please? I searched the man pages for curl but I couldn't find the proper syntax. I thought curl would just read this file and append it to the command line switches. In that case, are the = sign and the double quotes required? I think if the value contains a whitespace, then it should be enclosed in single quotes? Can it be either single quotes or double quotes?

Sorry for asking so many questions, I haven't used curl much, and the man pages do not provide these details.
https://bugzilla.novell.com/show_bug.cgi?id=227511#c19
Ján Kupec
> (In reply to comment #17 from Ján Kupec)
>> BTW, confirmed, any of the following is correct, -- and = are optional:
>>
>> long-opt value
>> --long-opt value
>> long-opt = value
>> --long-opt = value
>
> Can you tell me where you found documentation for the .curlrc file syntax please? I searched the man pages for curl but I couldn't find the proper syntax.

Unfortunately I've hit the same problem, the correct syntax is poorly documented in the man page and I did not find anything more on the web either. All I did was to experiment with it.

> I thought curl would just read this file and append it to the command line

Me too, but nope, it does not work like that, check for example the following:

this one works:
$ curl --max-filesize 2 http://asdf.comer

this one doesn't (but within .curlrc it is OK)
$ curl --max-filesize=2 http://asdf.comer
curl: option --max-filesize=2: is unknown

> switches. In that case, are the = sign and the double quotes required? I think

As I said above, the = sign is not required but permitted in the .curlrc file, but _not allowed_ on the command line.

> if the value contains a whitespace, then it should be enclosed in single quotes? Can it be either single quotes or double quotes?

Yes, both are OK, AFAIK

> Sorry for asking so many questions, I haven't used curl much, and the man pages do not provide these details.

true, we are left to experiments and source code reading :O( CCing our curl maintainer so that he can push the correction of the documentation upstream.
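An added example, not part of the thread and not curl's or libzypp's code: a simplified Python parser for the four long-option spellings listed in comment #17, using the double-quote and backslash-escape rules given in curl's current config-file documentation. It also shows why a missing proxy-user yields the "Basic Og==" header seen in the original report; function names and sample values are made up.

```python
import base64
import re

# Escapes recognised inside a double-quoted parameter; a backslash before
# any other character simply yields that character.
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "v": "\v"}

# Optional leading "--", the long option name, then any mix of whitespace,
# ':' or '=' as separator, then the parameter.
_LINE = re.compile(r"(?:--)?([A-Za-z0-9][A-Za-z0-9.-]*)[\s:=]*(.*)$")


def _unquote(raw):
    """Decode a parameter that starts with a double quote."""
    out, i = [], 1  # index 0 is the opening quote
    while i < len(raw) and raw[i] != '"':
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            i += 1
            ch = _ESCAPES.get(raw[i], raw[i])
        out.append(ch)
        i += 1
    return "".join(out)


def parse_curlrc(text):
    """Return {long-option: value} for the long-option lines of a config file."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            continue  # short options and malformed lines are out of scope here
        name, rest = match.groups()
        if rest.startswith('"'):
            options[name] = _unquote(rest)
        else:
            options[name] = rest.split()[0] if rest.strip() else ""
    return options


def proxy_authorization(options):
    """Basic Proxy-Authorization value built from the proxy-user option."""
    user, _, password = options.get("proxy-user", "").partition(":")
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return "Basic " + token


def basic_credentials_empty(header_value):
    """True when a Basic value decodes to ':' (no user name, no password)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return False
    decoded = base64.b64decode(token.strip()).decode("utf-8", "replace")
    user, _, password = decoded.partition(":")
    return user == "" and password == ""


# Constructed samples: the four spellings from the thread, and a quoted value
# with escaped characters (domain, user and password are made up).
FORMS = ["max-filesize 2", "--max-filesize 2", "max-filesize = 2", "--max-filesize = 2"]
SAMPLE = r'proxy-user = "CORP\\alice:s3cret\)"' + "\n"

if __name__ == "__main__":
    print([parse_curlrc(form) for form in FORMS])
    print(parse_curlrc(SAMPLE))
    print(proxy_authorization({}))  # what is sent when no proxy-user was found
```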
https://bugzilla.novell.com/show_bug.cgi?id=227511#c20
--- Comment #20 from Andrew Pastuszak
https://bugzilla.novell.com/show_bug.cgi?id=227511#c21
Ján Kupec
> I added the = to the .curlrc in openSUSE and could not get opensuse-updater working. Is there any way to get this working on 10.2?

IIRC libzypp doesn't expect initial double dashes in the options in 10.2 (eg. use 'proxyuser = ' instead of '--proxyuser = '). Also you can use the workaround where you pass the options in the URL.
https://bugzilla.novell.com/show_bug.cgi?id=227511#c22
Ján Kupec
https://bugzilla.novell.com/show_bug.cgi?id=227511#c23
eric vialas
https://bugzilla.novell.com/show_bug.cgi?id=227511#c24
--- Comment #24 from Ján Kupec
> The workaround does not work for me because our corporate proxy does not accept Basic authentication but only NTLM or Kerberos. Curl will not work until I add "proxy-ntlm" or "proxy-anyauth" into /root/.curlrc but even with this modification, I can't get a working opensuse-updater.

Hi Eric! This is something different. So far, libzypp does not support authentication methods other than basic and digest. Although curl supports it, we need to make libzypp able to pass necessary authentication data for these types of authentication to curl. For this case I suggest you file a new enhancement request bug for component 'libzypp' and assign it directly to me. Thanx!
https://bugzilla.novell.com/show_bug.cgi?id=227511
User jsuchome@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=227511#c25
Jiří Suchomel
https://bugzilla.novell.com/show_bug.cgi?id=227511
Ján Kupec
https://bugzilla.novell.com/show_bug.cgi?id=227511
Ján Kupec
https://bugzilla.novell.com/show_bug.cgi?id=227511
User amp68@verizon.net added comment
https://bugzilla.novell.com/show_bug.cgi?id=227511#c26
--- Comment #26 from Andrew Pastuszak
https://bugzilla.novell.com/show_bug.cgi?id=227511
User jimomura@pathcom.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=227511#c27
Jim Omura
https://bugzilla.novell.com/show_bug.cgi?id=227511
User jkupec@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=227511#c28
Ján Kupec
> The last updates for "zypper" and "libzypp" were July 4, bringing "zypper" up to "zypper-0.8.23-7.x86_64.rpm". I have been using it lately and the panel icon seems to be working.

Are you behind a proxy that requires authentication?

> I am thinking about asking for a change, but that would be an enhancement in another "bug report". Is there any reason not to close this one?

Do you mean this "copy to new" button? Yes, you can do that (i hope it does not copy all the comments :O). In any case, it should be a NEW bug report.
https://bugzilla.novell.com/show_bug.cgi?id=227511
User jimomura@pathcom.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=227511#c29
--- Comment #29 from Jim Omura
> (In reply to comment #27 from Jim Omura)
>> The last updates for "zypper" and "libzypp" were July 4, bringing "zypper" up to "zypper-0.8.23-7.x86_64.rpm". I have been using it lately and the panel icon seems to be working.
>
> Are you behind a proxy that requires authentication?

No, but back at the end of October you recommended that a new "report" be opened requesting an enhancement. So at that point I was wondering if it had been done. Since another report could have been opened and closed without affecting this one. So the only outstanding problem I could see when reading through all this was the last problem where the icon applet was "not working at all", and since mine seems to be working fine, that raised the question whether this bug should be closed.

>> I am thinking about asking for a change, but that would be an enhancement in another "bug report". Is there any reason not to close this one?
>
> Do you mean this "copy to new" button? Yes, you can do that (i hope it does not copy all the comments :O). In any case, it should be a NEW bug report.

No, actually, I was thinking about asking for more options beyond checking "every day" and "every other day." I am currently using this on a laptop and it just wastes my online time because there is no way I am going to update while I am on a v.90 connection. Do you guys ever remember how slow this can be? :-)

However, I think the better idea would be for me to uninstall the icon applet, if I can do that without affecting the regular "online update" in Yast2. So I might not bother asking for any changes.
https://bugzilla.novell.com/show_bug.cgi?id=227511
User aj@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=227511#c30
Andreas Jaeger