From 37f0e8a32cf9ad0a87f8c60cfa12b65e61be15a9 Mon Sep 17 00:00:00 2001 From: Michael Osipov <1983-01-06@gmx.net> Date: Sat, 2 Aug 2014 13:51:18 +0100 Subject: [PATCH] docs: Update SPNEGO and GSS-API related doc sections Reflect recent changes in SPNEGO and GSS-API code in the docs. Update them with appropriate namings and remove visible spots for GSS-Negotiate. --- docs/FAQ | 4 ++-- docs/FEATURES | 10 ++++---- docs/KNOWN_BUGS | 6 ++--- docs/MANUAL | 8 +++---- docs/curl.1 | 35 +++++++++++----------------- docs/libcurl/curl_version_info.3 | 11 ++++++--- docs/libcurl/libcurl-tutorial.3 | 4 ++-- docs/libcurl/opts/CURLOPT_HTTPAUTH.3 | 14 +++++------ docs/libcurl/symbols-in-versions | 2 +- 9 files changed, 46 insertions(+), 48 deletions(-) diff --git a/docs/FAQ b/docs/FAQ index 0850bd46a..55af84e4c 100644 --- a/docs/FAQ +++ b/docs/FAQ @@ -136,11 +136,11 @@ FAQ POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP. libcurl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, - kerberos, HTTP form based upload, proxies, cookies, user+password + Kerberos, SPNEGO, HTTP form based upload, proxies, cookies, user+password authentication, file transfer resume, http proxy tunneling and more! libcurl is highly portable, it builds and works identically on numerous - platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HPUX, + platforms, including Solaris, NetBSD, FreeBSD, OpenBSD, Darwin, HP-UX, IRIX, AIX, Tru64, Linux, UnixWare, HURD, Windows, Amiga, OS/2, BeOS, Mac OS X, Ultrix, QNX, OpenVMS, RISC OS, Novell NetWare, DOS, Symbian, OSF, Android, Minix, IBM TPF and more... diff --git a/docs/FEATURES b/docs/FEATURES index 53cd54f71..961013e94 100644 --- a/docs/FEATURES +++ b/docs/FEATURES 
@@ -45,8 +45,8 @@ HTTP - POST - Pipelining - multipart formpost (RFC1867-style) - - authentication: Basic, Digest, NTLM (*9), Negotiate (*3) and to server and - proxy + - authentication: Basic, Digest, NTLM (*9) and Negotiate (SPNEGO) (*3) + to server and proxy - resume (both GET and PUT) - follow redirects - maximum amount of redirects to follow @@ -78,7 +78,7 @@ FTP - download - authentication - kerberos4 (*5) - - kerberos5 (*3) + - Kerberos 5 (*14) - active/passive using PORT, EPRT, PASV or EPSV - single file size information (compare to HTTP HEAD) - 'type=' URL support @@ -180,7 +180,8 @@ FOOTNOTES *1 = requires OpenSSL, GnuTLS, NSS, yassl, axTLS, PolarSSL, WinSSL (native Windows), Secure Transport (native iOS/OS X) or qssl (native IBM i) *2 = requires OpenLDAP - *3 = requires a GSSAPI-compliant library, such as Heimdal or similar + *3 = requires a GSS-API implementation (such as Heimdal or MIT Kerberos) or + SSPI (native Windows) *4 = requires nghttp2 and possibly a recent TLS library *5 = requires a krb4 library, such as the MIT one or similar *6 = requires c-ares @@ -195,3 +196,4 @@ FOOTNOTES *12 = requires libz *13 = requires libmetalink, and either an Apple or Microsoft operating system, or OpenSSL, or GnuTLS, or NSS + *14 = requires a GSS-API implementation (such as Heimdal or MIT Kerberos) diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS index 70e8566aa..409a17703 100644 --- a/docs/KNOWN_BUGS +++ b/docs/KNOWN_BUGS 
@@ -216,9 +216,9 @@ may have been fixed since this was written! acknowledged after the actual TCP connect (during the SOCKS "negotiate" phase). -10. To get HTTP Negotiate authentication to work fine, you need to provide a - (fake) user name (this concerns both curl and the lib) because the code - wrongly only considers authentication if there's a user name provided. +10. To get HTTP Negotiate (SPNEGO) authentication to work fine, you need to + provide a (fake) user name (this concerns both curl and the lib) because the + code wrongly only considers authentication if there's a user name provided. http://curl.haxx.se/bug/view.cgi?id=440 How? http://curl.haxx.se/mail/lib-2004-08/0182.html diff --git a/docs/MANUAL b/docs/MANUAL index 11960e1be..06b3abee5 100644 --- a/docs/MANUAL +++ b/docs/MANUAL @@ -108,10 +108,10 @@ USING PASSWORDS curl -u name:passwd http://machine.domain/full/path/to/file HTTP offers many different methods of authentication and curl supports - several: Basic, Digest, NTLM and Negotiate. Without telling which method to - use, curl defaults to Basic. You can also ask curl to pick the most secure - ones out of the ones that the server accepts for the given URL, by using - --anyauth. + several: Basic, Digest, NTLM and Negotiate (SPNEGO). Without telling which + method to use, curl defaults to Basic. You can also ask curl to pick the + most secure ones out of the ones that the server accepts for the given URL, + by using --anyauth. NOTE! According to the URL specification, HTTP URLs can not contain a user and password, so that style will not work when using curl via a proxy, even diff --git a/docs/curl.1 b/docs/curl.1 index ffd9e7c57..469ba9ad6 100644 --- a/docs/curl.1 +++ b/docs/curl.1 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH curl 1 "27 July 2012" "Curl 7.27.0" "Curl Manual" +.TH curl 1 "2 Aug 2014" "Curl 7.38.0" "Curl Manual" .SH NAME curl \- transfer a URL .SH SYNOPSIS 
@@ -827,9 +827,8 @@ If this option is used several times, the last one will be used. should be one of 'clear', 'safe', 'confidential', or 'private'. Should you use a level that is not one of these, 'private' will instead be used. -This option requires a library built with kerberos4 or GSSAPI -(GSS-Negotiate) support. This is not very common. Use \fI-V, --version\fP to -see if your curl supports it. +This option requires a library built with kerberos4 support. This is not +very common. Use \fI-V, --version\fP to see if your curl supports it. If this option is used several times, the last one will be used. .IP "-l, --list-only" @@ -1024,18 +1023,13 @@ Very similar to \fI--netrc\fP, but this option makes the .netrc usage \fBoptional\fP and not mandatory as the \fI--netrc\fP option does. .IP "--negotiate" -(HTTP) Enables GSS-Negotiate authentication. The GSS-Negotiate method was -designed by Microsoft and is used in their web applications. It is primarily -meant as a support for Kerberos5 authentication but may be also used along -with another authentication method. For more information see IETF draft -draft-brezak-spnego-http-04.txt. +(HTTP) Enables Negotiate (SPNEGO) authentication. -If you want to enable Negotiate for your proxy authentication, then use +If you want to enable Negotiate (SPNEGO) for proxy authentication, then use \fI--proxy-negotiate\fP. -This option requires a library built with GSSAPI support. This is -not very common. Use \fI-V, --version\fP to see if your version supports -GSS-Negotiate. +This option requires a library built with GSS-API or SSPI support. Use \fI-V, +--version\fP to see if your curl supports GSS-API/SSPI and SPNEGO. When using this option, you must also provide a fake \fI-u, --user\fP option to activate the authentication code properly. Sending a '-u :' is enough as the 
@@ -1254,8 +1248,8 @@ the default authentication method curl uses with proxies. Tells curl to use HTTP Digest authentication when communicating with the given proxy. Use \fI--digest\fP for enabling HTTP Digest with a remote host. .IP "--proxy-negotiate" -Tells curl to use HTTP Negotiate authentication when communicating -with the given proxy. Use \fI--negotiate\fP for enabling HTTP Negotiate +Tells curl to use HTTP Negotiate (SPNEGO) authentication when communicating +with the given proxy. Use \fI--negotiate\fP for enabling HTTP Negotiate (SPNEGO) with a remote host. (Added in 7.17.1) .IP "--proxy-ntlm" Tells curl to use HTTP NTLM authentication when communicating with the given @@ -1518,7 +1512,7 @@ sockd/proxy-name --socks5 proxy-name \fI--socks5-gssapi-service\fP sockd/real-name would use sockd/real-name for cases where the proxy-name does not match the principal name. (Added in 7.19.4). .IP "--socks5-gssapi-nec" -As part of the gssapi negotiation a protection mode is negotiated. RFC 1961 +As part of the GSS-API negotiation a protection mode is negotiated. RFC 1961 says in section 4.3/4.4 it should be protected, but the NEC reference implementation does not. The option \fI--socks5-gssapi-nec\fP allows the unprotected exchange of the protection mode negotiation. (Added in 7.19.4). 
@@ -1917,22 +1911,21 @@ HTTPS and FTPS are supported. Automatic decompression of compressed files over HTTP is supported. .IP "NTLM" NTLM authentication is supported. -.IP "GSS-Negotiate" -Negotiate authentication and krb5 for FTP is supported. .IP "Debug" This curl uses a libcurl built with Debug. This enables more error-tracking and memory debugging etc. For curl-developers only! .IP "AsynchDNS" This curl uses asynchronous name resolves. .IP "SPNEGO" -SPNEGO Negotiate authentication is supported. +SPNEGO authentication is supported. .IP "Largefile" This curl supports transfers of large files, files larger than 2GB. .IP "IDN" This curl supports IDN - international domain names. +.IP "GSS-API" +GSS-API is supported. .IP "SSPI" -SSPI is supported. If you use Negotiate or NTLM authentication and set a blank -user name, curl will authenticate with your current user and password. +SSPI is supported. .IP "TLS-SRP" SRP (Secure Remote Password) authentication is supported for TLS. .IP "Metalink" diff --git a/docs/libcurl/curl_version_info.3 b/docs/libcurl/curl_version_info.3 index e04376924..53f0495ad 100644 --- a/docs/libcurl/curl_version_info.3 +++ b/docs/libcurl/curl_version_info.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH curl_version_info 3 "18 Feb 2014" "libcurl 7.33.0" "libcurl Manual" +.TH curl_version_info 3 "2 Aug 2014" "libcurl 7.38.0" "libcurl Manual" .SH NAME curl_version_info - returns run-time libcurl version info .SH SYNOPSIS 
@@ -124,9 +124,14 @@ libcurl was built with support for IDNA, domain names with international letters. (Added in 7.12.0) .IP CURL_VERSION_SSPI libcurl was built with support for SSPI. This is only available on Windows and -makes libcurl use Windows-provided functions for NTLM authentication. It also -allows libcurl to use the current user and the current user's password without +makes libcurl use Windows-provided functions for NTLM, SPNEGO and SASL DIGEST-MD5 +authentication. It also allows libcurl to use the current user credentials without the app having to pass them on. (Added in 7.13.2) +.IP CURL_VERSION_GSSAPI +libcurl was built with support for GSS-API. This makes libcurl use provided +functions for Kerberos and SPNEGO authentication. It also allows libcurl +to use the current user credentials without the app having to pass them on. +(Added in 7.38.0) .IP CURL_VERSION_CONV libcurl was built with support for character conversions, as provided by the CURLOPT_CONV_* callbacks. (Added in 7.15.4) diff --git a/docs/libcurl/libcurl-tutorial.3 b/docs/libcurl/libcurl-tutorial.3 index 018001d7e..17f4c3ff5 100644 --- a/docs/libcurl/libcurl-tutorial.3 +++ b/docs/libcurl/libcurl-tutorial.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH libcurl-tutorial 3 "4 Mar 2009" "libcurl" "libcurl programming" +.TH libcurl-tutorial 3 "2 Aug 2014" "libcurl" "libcurl programming" .SH NAME libcurl-tutorial \- libcurl programming tutorial .SH "Objective" 
@@ -442,7 +442,7 @@ authentication method is called 'Basic', which is sending the name and password in clear-text in the HTTP request, base64-encoded. This is insecure. At the time of this writing, libcurl can be built to use: Basic, Digest, NTLM, -Negotiate, GSS-Negotiate and SPNEGO. You can tell libcurl which one to use +Negotiate (SPNEGO). You can tell libcurl which one to use with \fICURLOPT_HTTPAUTH(3)\fP as in: curl_easy_setopt(easyhandle, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST); diff --git a/docs/libcurl/opts/CURLOPT_HTTPAUTH.3 b/docs/libcurl/opts/CURLOPT_HTTPAUTH.3 index 3f0ab12ec..35d75aa50 100644 --- a/docs/libcurl/opts/CURLOPT_HTTPAUTH.3 +++ b/docs/libcurl/opts/CURLOPT_HTTPAUTH.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_HTTPAUTH 3 "19 Jun 2014" "libcurl 7.37.0" "curl_easy_setopt options" +.TH CURLOPT_HTTPAUTH 3 "2 Aug 2014" "libcurl 7.38.0" "curl_easy_setopt options" .SH NAME CURLOPT_HTTPAUTH \- set HTTP server authentication methods to try .SH SYNOPSIS 
@@ -56,14 +56,12 @@ defined in RFC2617 and is a more secure way to do authentication over public networks than the regular old-fashioned Basic method. The IE flavor is simply that libcurl will use a special "quirk" that IE is known to have used before version 7 and that some servers require the client to use. -.IP CURLAUTH_GSSNEGOTIATE -HTTP GSS-Negotiate authentication. The GSS-Negotiate (also known as plain -\&"Negotiate") method was designed by Microsoft and is used in their web -applications. It is primarily meant as a support for Kerberos5 authentication -but may also be used along with other authentication methods. For more -information see IETF draft draft-brezak-spnego-http-04.txt. +.IP CURLAUTH_NEGOTIATE +HTTP Negotiate (SPNEGO) authentication. Negotiate authentication is defined +in RFC 4559 and is the most secure way to perform authentication over HTTP. -You need to build libcurl with a suitable GSS-API library for this to work. +You need to build libcurl with a suitable GSS-API library or SSPI on Windows +for this to work. .IP CURLAUTH_NTLM HTTP NTLM authentication. A proprietary protocol invented and used by Microsoft. It uses a challenge-response and hash concept similar to Digest, to diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index 5cbeff091..d4ba61ae1 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -17,7 +17,7 @@ CURLAUTH_ANYSAFE 7.10.6 CURLAUTH_BASIC 7.10.6 CURLAUTH_DIGEST 7.10.6 CURLAUTH_DIGEST_IE 7.19.3 -CURLAUTH_GSSNEGOTIATE 7.10.6 +CURLAUTH_GSSNEGOTIATE 7.10.6 7.38.0 CURLAUTH_NEGOTIATE 7.38.0 CURLAUTH_NONE 7.10.6 CURLAUTH_NTLM 7.10.6
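Review bot: in the docs/FEATURES footnotes hunk, the new footnote *14 ("requires a GSS-API implementation (such as Heimdal or MIT Kerberos)") repeats *3 word for word except for the SSPI alternative, so a reader will assume one of them is a stray duplicate. If the distinction is intentional (FTP "Kerberos 5" has no SSPI backend while HTTP Negotiate does), make that explicit in *14, e.g. "*14 = requires a GSS-API implementation (such as Heimdal or MIT Kerberos); SSPI is not supported for this feature".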
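Review bot: in the curl.1 hunk at -827 (the --krb option), the sentence now says the option "requires a library built with kerberos4 support" only, but the docs/FEATURES hunk in the same patch still advertises "Kerberos 5 (*14)" for FTP via a GSS-API implementation. If --krb is also what selects the GSS-API/Kerberos 5 FTP code path, keep GSS-API in this sentence, e.g. "This option requires a library built with kerberos4 or GSS-API support."; otherwise the FEATURES entry is the one that needs correcting. One of the two is wrong as written.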
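Review bot: in the curl.1 hunk at -1024 (--negotiate), removing the draft-brezak-spnego-http-04 reference leaves the entry with no pointer to the specification at all, while the CURLOPT_HTTPAUTH.3 hunk in this same patch cites RFC 4559. Add the same reference here for consistency, e.g. "(HTTP) Enables Negotiate (SPNEGO) authentication as defined in RFC 4559.". Keeping the paragraph about the fake -u option is right, since KNOWN_BUGS #10 still describes that limitation.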
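Review bot: in the curl.1 hunk at -1917 (the -V feature list), the rewritten "SSPI" entry drops the sentence explaining that a blank user name makes curl authenticate as the current user, yet the curl_version_info.3 hunk in this patch keeps "allows libcurl to use the current user credentials without the app having to pass them on" for CURL_VERSION_SSPI and adds the same wording for CURL_VERSION_GSSAPI. If that behaviour still holds, keep a one-line version of it under both the new "GSS-API" entry and the "SSPI" entry here (or move it to --negotiate and --ntlm) instead of deleting it, because the -V output is where users look for it.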
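Review bot: in the curl_version_info.3 hunk at -124, two added lines run past the roughly 80-column wrapping the rest of the file uses ("makes libcurl use Windows-provided functions for NTLM, SPNEGO and SASL DIGEST-MD5" and "authentication. It also allows libcurl to use the current user credentials without"); re-wrap the paragraph. In the new CURL_VERSION_GSSAPI entry, "use provided functions" does not say who provides them; "use the GSS-API library's functions for Kerberos and SPNEGO authentication" is clearer and mirrors the "Windows-provided functions" wording of the SSPI entry.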
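Review bot: in the libcurl-tutorial.3 hunk at -442, the edited sentence now reads "Basic, Digest, NTLM, Negotiate (SPNEGO)." with no conjunction before the last item, and the changed line is left short. Suggest "NTLM and Negotiate (SPNEGO)" (changing the trailing "NTLM," on the unchanged line above) and re-wrapping the two lines.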
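Review bot: in the CURLOPT_HTTPAUTH.3 hunk at -56, "is the most secure way to perform authentication over HTTP" is an unqualified superlative that will not hold for every deployment; prefer a comparative tied to the other methods documented on this page, e.g. "and is generally more secure than Basic, Digest or NTLM". Also, since the symbols-in-versions hunk in this patch keeps CURLAUTH_GSSNEGOTIATE as a deprecated name rather than removing it, add one line here stating that CURLAUTH_GSSNEGOTIATE is the old name retained for compatibility, so callers searching for the symbol they already use find the renamed option.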
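Review bot: the symbols-in-versions hunk only marks CURLAUTH_GSSNEGOTIATE as deprecated in 7.38.0, but curl_version_info.3 in the same patch documents CURL_VERSION_GSSAPI as "Added in 7.38.0"; unless that entry was already added by an earlier commit, this file needs a matching "CURL_VERSION_GSSAPI 7.38.0" line as well. Please also confirm the added "7.38.0" sits in the deprecated column, aligned with the neighbouring entries, since the diff stat shows a single-line change and whitespace is easy to get wrong here.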