Post Reply 
 
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
http authentication bug after daa8 commit?
2016-12-28, 13:24
Post: #1
http authentication bug after daa8 commit?
I'm trying to use HTTP Digest authentication using login example from http://ipxe.org/cmd/login, using the standard iso build

Code:
login
chain http://${username:uristring}:${password:uristring}@my.web.server/boot.ipxe

But the chain command returns with "Permission denied (http://ipxe.org/020c613c)

I thought that it could be a problem with the web server, but when I try the same URL in a browser or using 'wget' (with user and password options) it works without problems.

I used tshark to review the network, and I can see that:
- The iPXE client sends an HTTP get, and the server answers with a 401 reply
- The iPXE client then sends another HTTP with the user and password information, and the server replies with a 200 OK and the contents of the file

But even with the server sending the correct information, the iPXE client shows the "Permission denied" error.

I've tested this problem with Basic and Digest authentication.

Looking for information in the forums I've found that the HTTP Authentication was working, but that it has failed lately to at least another user (http://lists.ipxe.org/pipermail/ipxe-dev...05263.html) with the same symptoms (401 followed by 200 and still an error).

I've started to test older iso.pxe builds (downloaded from rom-o-matic), using Ctrl-b to enter the iPXE shell and then running:

Code:
dhcp
initrd http://user:hello@my.server/protected/file.ipxe

And I've found that with the commit

- https://git.ipxe.org/ipxe.git/commit/b99...d1e63230c9 (Disable TIVOLI_VMM_WORKAROUND in the qemu configuration) HTTP authentication worked OK
- but with the next build https://git.ipxe.org/ipxe.git/commit/daa...2c98b0a11a (Provide intf_reinit() to reinitialise nullified interfaces) the HTTP Authentication didn't work.

Please, could someone test this behaviour?

I reverted some changes in the httpcore.c and interface.c from the daa8 commit. Then recompiled the iso.pxe and it worked. It seems to be a problem with the http->content not being cleaned between the 401 and the 200 responses, but I really don't have the expertise with the code to provide a patch.

Will continue to use the b991 code by now.

And thanks for this fantastic project: it's incredible what you can achieve with it, and is been really a pleasure to work with.
Find all posts by this user
Quote this message in a reply
2017-01-02, 11:48
Post: #2
RE: http authentication bug after daa8 commit?
There was a patch recently that made it possible to disable the Tivoli workaround with a configuration change. You might want to try it with the Tivoli workaround disabled.
Visit this user's website Find all posts by this user
Quote this message in a reply
2017-01-03, 01:38
Post: #3
RE: http authentication bug after daa8 commit?
(2017-01-02 11:48)robinsmidsrod Wrote:  There was a patch recently that made it possible to disable the Tivoli workaround with a configuration change. You might want to try it with the Tivoli workaround disabled.

There is no problem with the Tivoli workaround. It's the next commit "Provide intf_reinit() to reinitialise nullified interfaces" (https://git.ipxe.org/ipxe.git/commit/daa...2c98b0a11a) the one that introduces the bug.

After the "Provide intf_reinit() to reinitialise nullified interfaces" commit, the HTTP request always return with the the "Permission denied" error.
Find all posts by this user
Quote this message in a reply
2017-01-31, 23:00
Post: #4
RE: http authentication bug after daa8 commit?
Same issue here. Always get permission denied even when using correct URIs
Find all posts by this user
Quote this message in a reply
2017-02-02, 22:36
Post: #5
RE: http authentication bug after daa8 commit?
I think mcb30 pushed a fix for this a few hours ago: https://git.ipxe.org/ipxe.git/commit/4a4...1c15d1730e

Use GitHub Discussions
VRAM bin
Visit this user's website Find all posts by this user
Quote this message in a reply
2017-02-03, 15:32
Post: #6
RE: http authentication bug after daa8 commit?
Tested with undionly.kpxe and ipxe.pxe. Working OK.

Thanks!!
Find all posts by this user
Quote this message in a reply
Post Reply 




User(s) browsing this thread: 1 Guest(s)