From 03398c03d8a196b59d0cbdf98df8564306cf2747 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Wed, 26 Nov 2025 19:18:35 +0100 Subject: [PATCH] http: warn if might have failed because of NTLM The new default of Git is to disable NTLM authentication by default. To help users find the escape hatch of that config setting, should they need it, suggest it when the authentication failed and the server had offered NTLM, i.e. if re-enabling it would fix the problem. Helped-by: Patrick Steinhardt Signed-off-by: Johannes Schindelin --- http.c | 11 +++++++++++ t/t5563-simple-http-auth.sh | 3 ++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/http.c b/http.c index b5450d2512..cd6acab040 100644 --- a/http.c +++ b/http.c @@ -1962,6 +1962,17 @@ static int handle_curl_result(struct slot_results *results) credential_reject(the_repository, &http_auth); if (always_auth_proactively()) http_proactive_auth = PROACTIVE_AUTH_NONE; + if ((results->auth_avail & CURLAUTH_NTLM) && + !(http_auth_any & CURLAUTH_NTLM)) { + warning(_("Due to its cryptographic weaknesses, " + "NTLM authentication has been\n" + "disabled in Git by default. You can " + "re-enable it for trusted servers\n" + "by running:\n\n" + "git config set " + "http.%s://%s.allowNTLMAuth true"), + http_auth.protocol, http_auth.host); + } return HTTP_NOAUTH; } else { if (curl_empty_auth == -1 && diff --git a/t/t5563-simple-http-auth.sh b/t/t5563-simple-http-auth.sh index 822d64ed5e..303f858964 100755 --- a/t/t5563-simple-http-auth.sh +++ b/t/t5563-simple-http-auth.sh @@ -731,7 +731,8 @@ test_expect_success NTLM 'access using NTLM auth' ' test_config_global credential.helper test-helper && test_must_fail env GIT_TRACE_CURL=1 git \ - ls-remote "$HTTPD_URL/ntlm_auth/repo.git" && + ls-remote "$HTTPD_URL/ntlm_auth/repo.git" 2>err && + test_grep "allowNTLMAuth" err && GIT_TRACE_CURL=1 git -c http.$HTTPD_URL.allowNTLMAuth=true \ ls-remote "$HTTPD_URL/ntlm_auth/repo.git" '