docs: Update SPNEGO and GSS-API related doc sections
Reflect recent changes in SPNEGO and GSS-API code in the docs. Update them with appropriate namings and remove visible spots for GSS-Negotiate.
This commit is contained in:
parent
b91e97eabd
commit
37f0e8a32c
4
docs/FAQ
4
docs/FAQ
@ -136,11 +136,11 @@ FAQ
|
||||
POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
|
||||
|
||||
libcurl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading,
|
||||
kerberos, HTTP form based upload, proxies, cookies, user+password
|
||||
Kerberos, SPNEGO, HTTP form based upload, proxies, cookies, user+password
|
||||
authentication, file transfer resume, http proxy tunneling and more!
|
||||
|
||||
libcurl is highly portable, it builds and works identically on numerous
|
||||
platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HPUX,
|
||||
platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HP-UX,
|
||||
IRIX, AIX, Tru64, Linux, UnixWare, HURD, Windows, Amiga, OS/2, BeOS, Mac
|
||||
OS X, Ultrix, QNX, OpenVMS, RISC OS, Novell NetWare, DOS, Symbian, OSF,
|
||||
Android, Minix, IBM TPF and more...
|
||||
|
@ -45,8 +45,8 @@ HTTP
|
||||
- POST
|
||||
- Pipelining
|
||||
- multipart formpost (RFC1867-style)
|
||||
- authentication: Basic, Digest, NTLM (*9), Negotiate (*3) and to server and
|
||||
proxy
|
||||
- authentication: Basic, Digest, NTLM (*9) and Negotiate (SPNEGO) (*3)
|
||||
to server and proxy
|
||||
- resume (both GET and PUT)
|
||||
- follow redirects
|
||||
- maximum amount of redirects to follow
|
||||
@ -78,7 +78,7 @@ FTP
|
||||
- download
|
||||
- authentication
|
||||
- kerberos4 (*5)
|
||||
- kerberos5 (*3)
|
||||
- Kerberos 5 (*14)
|
||||
- active/passive using PORT, EPRT, PASV or EPSV
|
||||
- single file size information (compare to HTTP HEAD)
|
||||
- 'type=' URL support
|
||||
@ -180,7 +180,8 @@ FOOTNOTES
|
||||
*1 = requires OpenSSL, GnuTLS, NSS, yassl, axTLS, PolarSSL, WinSSL (native
|
||||
Windows), Secure Transport (native iOS/OS X) or qssl (native IBM i)
|
||||
*2 = requires OpenLDAP
|
||||
*3 = requires a GSSAPI-compliant library, such as Heimdal or similar
|
||||
*3 = requires a GSS-API implementation (such as Heimdal or MIT Kerberos) or
|
||||
SSPI (native Windows)
|
||||
*4 = requires nghttp2 and possibly a recent TLS library
|
||||
*5 = requires a krb4 library, such as the MIT one or similar
|
||||
*6 = requires c-ares
|
||||
@ -195,3 +196,4 @@ FOOTNOTES
|
||||
*12 = requires libz
|
||||
*13 = requires libmetalink, and either an Apple or Microsoft operating
|
||||
system, or OpenSSL, or GnuTLS, or NSS
|
||||
*14 = requires a GSS-API implementation (such as Heimdal or MIT Kerberos)
|
||||
|
@ -216,9 +216,9 @@ may have been fixed since this was written!
|
||||
acknowledged after the actual TCP connect (during the SOCKS "negotiate"
|
||||
phase).
|
||||
|
||||
10. To get HTTP Negotiate authentication to work fine, you need to provide a
|
||||
(fake) user name (this concerns both curl and the lib) because the code
|
||||
wrongly only considers authentication if there's a user name provided.
|
||||
10. To get HTTP Negotiate (SPNEGO) authentication to work fine, you need to
|
||||
provide a (fake) user name (this concerns both curl and the lib) because the
|
||||
code wrongly only considers authentication if there's a user name provided.
|
||||
http://curl.haxx.se/bug/view.cgi?id=440 How?
|
||||
http://curl.haxx.se/mail/lib-2004-08/0182.html
|
||||
|
||||
|
@ -108,10 +108,10 @@ USING PASSWORDS
|
||||
curl -u name:passwd http://machine.domain/full/path/to/file
|
||||
|
||||
HTTP offers many different methods of authentication and curl supports
|
||||
several: Basic, Digest, NTLM and Negotiate. Without telling which method to
|
||||
use, curl defaults to Basic. You can also ask curl to pick the most secure
|
||||
ones out of the ones that the server accepts for the given URL, by using
|
||||
--anyauth.
|
||||
several: Basic, Digest, NTLM and Negotiate (SPNEGO). Without telling which
|
||||
method to use, curl defaults to Basic. You can also ask curl to pick the
|
||||
most secure ones out of the ones that the server accepts for the given URL,
|
||||
by using --anyauth.
|
||||
|
||||
NOTE! According to the URL specification, HTTP URLs can not contain a user
|
||||
and password, so that style will not work when using curl via a proxy, even
|
||||
|
35
docs/curl.1
35
docs/curl.1
@ -20,7 +20,7 @@
|
||||
.\" *
|
||||
.\" **************************************************************************
|
||||
.\"
|
||||
.TH curl 1 "27 July 2012" "Curl 7.27.0" "Curl Manual"
|
||||
.TH curl 1 "2 Aug 2014" "Curl 7.38.0" "Curl Manual"
|
||||
.SH NAME
|
||||
curl \- transfer a URL
|
||||
.SH SYNOPSIS
|
||||
@ -827,9 +827,8 @@ If this option is used several times, the last one will be used.
|
||||
should be one of 'clear', 'safe', 'confidential', or 'private'. Should you use
|
||||
a level that is not one of these, 'private' will instead be used.
|
||||
|
||||
This option requires a library built with kerberos4 or GSSAPI
|
||||
(GSS-Negotiate) support. This is not very common. Use \fI-V, --version\fP to
|
||||
see if your curl supports it.
|
||||
This option requires a library built with kerberos4 support. This is not
|
||||
very common. Use \fI-V, --version\fP to see if your curl supports it.
|
||||
|
||||
If this option is used several times, the last one will be used.
|
||||
.IP "-l, --list-only"
|
||||
@ -1024,18 +1023,13 @@ Very similar to \fI--netrc\fP, but this option makes the .netrc usage
|
||||
\fBoptional\fP and not mandatory as the \fI--netrc\fP option does.
|
||||
|
||||
.IP "--negotiate"
|
||||
(HTTP) Enables GSS-Negotiate authentication. The GSS-Negotiate method was
|
||||
designed by Microsoft and is used in their web applications. It is primarily
|
||||
meant as a support for Kerberos5 authentication but may be also used along
|
||||
with another authentication method. For more information see IETF draft
|
||||
draft-brezak-spnego-http-04.txt.
|
||||
(HTTP) Enables Negotiate (SPNEGO) authentication.
|
||||
|
||||
If you want to enable Negotiate for your proxy authentication, then use
|
||||
If you want to enable Negotiate (SPNEGO) for proxy authentication, then use
|
||||
\fI--proxy-negotiate\fP.
|
||||
|
||||
This option requires a library built with GSSAPI support. This is
|
||||
not very common. Use \fI-V, --version\fP to see if your version supports
|
||||
GSS-Negotiate.
|
||||
This option requires a library built with GSS-API or SSPI support. Use \fI-V,
|
||||
--version\fP to see if your curl supports GSS-API/SSPI and SPNEGO.
|
||||
|
||||
When using this option, you must also provide a fake \fI-u, --user\fP option to
|
||||
activate the authentication code properly. Sending a '-u :' is enough as the
|
||||
@ -1254,8 +1248,8 @@ the default authentication method curl uses with proxies.
|
||||
Tells curl to use HTTP Digest authentication when communicating with the given
|
||||
proxy. Use \fI--digest\fP for enabling HTTP Digest with a remote host.
|
||||
.IP "--proxy-negotiate"
|
||||
Tells curl to use HTTP Negotiate authentication when communicating
|
||||
with the given proxy. Use \fI--negotiate\fP for enabling HTTP Negotiate
|
||||
Tells curl to use HTTP Negotiate (SPNEGO) authentication when communicating
|
||||
with the given proxy. Use \fI--negotiate\fP for enabling HTTP Negotiate (SPNEGO)
|
||||
with a remote host. (Added in 7.17.1)
|
||||
.IP "--proxy-ntlm"
|
||||
Tells curl to use HTTP NTLM authentication when communicating with the given
|
||||
@ -1518,7 +1512,7 @@ sockd/proxy-name --socks5 proxy-name \fI--socks5-gssapi-service\fP
|
||||
sockd/real-name would use sockd/real-name for cases where the proxy-name does
|
||||
not match the principal name. (Added in 7.19.4).
|
||||
.IP "--socks5-gssapi-nec"
|
||||
As part of the gssapi negotiation a protection mode is negotiated. RFC 1961
|
||||
As part of the GSS-API negotiation a protection mode is negotiated. RFC 1961
|
||||
says in section 4.3/4.4 it should be protected, but the NEC reference
|
||||
implementation does not. The option \fI--socks5-gssapi-nec\fP allows the
|
||||
unprotected exchange of the protection mode negotiation. (Added in 7.19.4).
|
||||
@ -1917,22 +1911,21 @@ HTTPS and FTPS are supported.
|
||||
Automatic decompression of compressed files over HTTP is supported.
|
||||
.IP "NTLM"
|
||||
NTLM authentication is supported.
|
||||
.IP "GSS-Negotiate"
|
||||
Negotiate authentication and krb5 for FTP is supported.
|
||||
.IP "Debug"
|
||||
This curl uses a libcurl built with Debug. This enables more error-tracking
|
||||
and memory debugging etc. For curl-developers only!
|
||||
.IP "AsynchDNS"
|
||||
This curl uses asynchronous name resolves.
|
||||
.IP "SPNEGO"
|
||||
SPNEGO Negotiate authentication is supported.
|
||||
SPNEGO authentication is supported.
|
||||
.IP "Largefile"
|
||||
This curl supports transfers of large files, files larger than 2GB.
|
||||
.IP "IDN"
|
||||
This curl supports IDN - international domain names.
|
||||
.IP "GSS-API"
|
||||
GSS-API is supported.
|
||||
.IP "SSPI"
|
||||
SSPI is supported. If you use Negotiate or NTLM authentication and set a blank
|
||||
user name, curl will authenticate with your current user and password.
|
||||
SSPI is supported.
|
||||
.IP "TLS-SRP"
|
||||
SRP (Secure Remote Password) authentication is supported for TLS.
|
||||
.IP "Metalink"
|
||||
|
@ -20,7 +20,7 @@
|
||||
.\" *
|
||||
.\" **************************************************************************
|
||||
.\"
|
||||
.TH curl_version_info 3 "18 Feb 2014" "libcurl 7.33.0" "libcurl Manual"
|
||||
.TH curl_version_info 3 "2 Aug 2014" "libcurl 7.38.0" "libcurl Manual"
|
||||
.SH NAME
|
||||
curl_version_info - returns run-time libcurl version info
|
||||
.SH SYNOPSIS
|
||||
@ -124,9 +124,14 @@ libcurl was built with support for IDNA, domain names with international
|
||||
letters. (Added in 7.12.0)
|
||||
.IP CURL_VERSION_SSPI
|
||||
libcurl was built with support for SSPI. This is only available on Windows and
|
||||
makes libcurl use Windows-provided functions for NTLM authentication. It also
|
||||
allows libcurl to use the current user and the current user's password without
|
||||
makes libcurl use Windows-provided functions for NTLM, SPNEGO and SASL DIGEST-MD5
|
||||
authentication. It also allows libcurl to use the current user credentials without
|
||||
the app having to pass them on. (Added in 7.13.2)
|
||||
.IP CURL_VERSION_GSSAPI
|
||||
libcurl was built with support for GSS-API. This makes libcurl use provided
|
||||
functions for Kerberos and SPNEGO authentication. It also allows libcurl
|
||||
to use the current user credentials without the app having to pass them on.
|
||||
(Added in 7.38.0)
|
||||
.IP CURL_VERSION_CONV
|
||||
libcurl was built with support for character conversions, as provided by the
|
||||
CURLOPT_CONV_* callbacks. (Added in 7.15.4)
|
||||
|
@ -20,7 +20,7 @@
|
||||
.\" *
|
||||
.\" **************************************************************************
|
||||
.\"
|
||||
.TH libcurl-tutorial 3 "4 Mar 2009" "libcurl" "libcurl programming"
|
||||
.TH libcurl-tutorial 3 "2 Aug 2014" "libcurl" "libcurl programming"
|
||||
.SH NAME
|
||||
libcurl-tutorial \- libcurl programming tutorial
|
||||
.SH "Objective"
|
||||
@ -442,7 +442,7 @@ authentication method is called 'Basic', which is sending the name and
|
||||
password in clear-text in the HTTP request, base64-encoded. This is insecure.
|
||||
|
||||
At the time of this writing, libcurl can be built to use: Basic, Digest, NTLM,
|
||||
Negotiate, GSS-Negotiate and SPNEGO. You can tell libcurl which one to use
|
||||
Negotiate (SPNEGO). You can tell libcurl which one to use
|
||||
with \fICURLOPT_HTTPAUTH(3)\fP as in:
|
||||
|
||||
curl_easy_setopt(easyhandle, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
|
||||
|
@ -20,7 +20,7 @@
|
||||
.\" *
|
||||
.\" **************************************************************************
|
||||
.\"
|
||||
.TH CURLOPT_HTTPAUTH 3 "19 Jun 2014" "libcurl 7.37.0" "curl_easy_setopt options"
|
||||
.TH CURLOPT_HTTPAUTH 3 "2 Aug 2014" "libcurl 7.38.0" "curl_easy_setopt options"
|
||||
.SH NAME
|
||||
CURLOPT_HTTPAUTH \- set HTTP server authentication methods to try
|
||||
.SH SYNOPSIS
|
||||
@ -56,14 +56,12 @@ defined in RFC2617 and is a more secure way to do authentication over public
|
||||
networks than the regular old-fashioned Basic method. The IE flavor is simply
|
||||
that libcurl will use a special "quirk" that IE is known to have used before
|
||||
version 7 and that some servers require the client to use.
|
||||
.IP CURLAUTH_GSSNEGOTIATE
|
||||
HTTP GSS-Negotiate authentication. The GSS-Negotiate (also known as plain
|
||||
\&"Negotiate") method was designed by Microsoft and is used in their web
|
||||
applications. It is primarily meant as a support for Kerberos5 authentication
|
||||
but may also be used along with other authentication methods. For more
|
||||
information see IETF draft draft-brezak-spnego-http-04.txt.
|
||||
.IP CURLAUTH_NEGOTIATE
|
||||
HTTP Negotiate (SPNEGO) authentication. Negotiate authentication is defined
|
||||
in RFC 4559 and is the most secure way to perform authentication over HTTP.
|
||||
|
||||
You need to build libcurl with a suitable GSS-API library for this to work.
|
||||
You need to build libcurl with a suitable GSS-API library or SSPI on Windows
|
||||
for this to work.
|
||||
.IP CURLAUTH_NTLM
|
||||
HTTP NTLM authentication. A proprietary protocol invented and used by
|
||||
Microsoft. It uses a challenge-response and hash concept similar to Digest, to
|
||||
|
@ -17,7 +17,7 @@ CURLAUTH_ANYSAFE 7.10.6
|
||||
CURLAUTH_BASIC 7.10.6
|
||||
CURLAUTH_DIGEST 7.10.6
|
||||
CURLAUTH_DIGEST_IE 7.19.3
|
||||
CURLAUTH_GSSNEGOTIATE 7.10.6
|
||||
CURLAUTH_GSSNEGOTIATE 7.10.6 7.38.0
|
||||
CURLAUTH_NEGOTIATE 7.38.0
|
||||
CURLAUTH_NONE 7.10.6
|
||||
CURLAUTH_NTLM 7.10.6
|
||||
|
Loading…
x
Reference in New Issue
Block a user