curl does not send credentials during negotiation

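We have a Jenkins server that uses Kerberos-SSO, with a fallback to Basic authentication if SSO is not configured in the browser or is not used.

However, when I use curl with the --negotiate parameter, it does not send the Basic credentials when asked for them, even though the server explicitly sends the www-authenticate negotiation headers.

Command used: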

curl --verbose --negotiate --basic --user "username":"password" myserver.mycompany.com

* About to connect() to myserver.mycompany.com port 443 (#0)
*   Trying 10.5.24.212...
* Connected to myserver.mycompany.com (10.5.24.212) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=*.mycompany.com,O=MyCompany International,L=New York,ST=New York,C=US
*   start date: Aug 31 17:14:45 2020 GMT
*   expire date: Aug 31 17:14:45 2022 GMT
*   common name: *.mycompany.com
*   issuer: CN=MyCompany Intermediate CA 3,DC=ad,DC=mycompany,DC=com
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: myserver.mycompany.com
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< date: Thu, 01 Oct 2020 16:04:44 GMT
< server: Apache
< set-cookie: gssapi_session=;Max-Age=0;path=/;httponly;
< www-authenticate: Negotiate
< www-authenticate: Basic realm="MyCompany SSO"
< cache-control: no-cache
< set-cookie: gssapi_session=;Max-Age=0;path=/;httponly;
< content-length: 381
< content-type: text/html; charset=iso-8859-1
< 
* Ignoring the response-body
* Connection #0 to host myserver.mycompany.com left intact
* Issue another request to this URL: 'https://myserver.mycompany.com/'
* Found bundle for host myserver.mycompany.com: 0xe8ef50
* Re-using existing connection! (#0) with host myserver.mycompany.com
* Connected to myserver.mycompany.com (10.5.24.212) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: myserver.mycompany.com
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< date: Thu, 01 Oct 2020 16:04:44 GMT
< server: Apache
< set-cookie: gssapi_session=;Max-Age=0;path=/;httponly;
* gss_init_sec_context() failed: : No Kerberos credentials available (default cache: KEYRING:persistent:0)
< www-authenticate: Negotiate
< www-authenticate: Basic realm="MyCompany SSO"
< cache-control: no-cache
< set-cookie: gssapi_session=;Max-Age=0;path=/;httponly;
< content-length: 381
< content-type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

curl information:

$ curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets 
