http: warn if might have failed because of NTLM

The new default of Git is to disable NTLM authentication by default. To help users find the escape hatch of that config setting, should they need it, suggest it when the authentication failed and the server had offered NTLM, i.e. if re-enabling it would fix the problem. Helped-by: Patrick Steinhardt <ps@pks.im> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2026-04-09 06:51:56 -05:00 · 2025-11-26 19:18:35 +01:00
parent 373fc5b97b
commit 9f3207be86
2 changed files with 13 additions and 1 deletions
--- a/http.c
+++ b/http.c
@@ -1900,6 +1900,17 @@ static int handle_curl_result(struct slot_results *results)
 			credential_reject(the_repository, &http_auth);
 			if (always_auth_proactively())
 				http_proactive_auth = PROACTIVE_AUTH_NONE;
+			if ((results->auth_avail & CURLAUTH_NTLM) &&
+			    !(http_auth_any & CURLAUTH_NTLM)) {
+				warning(_("Due to its cryptographic weaknesses, "
+					  "NTLM authentication has been\n"
+					  "disabled in Git by default. You can "
+					  "re-enable it for trusted servers\n"
+					  "by running:\n\n"
+					  "git config set "
+					  "http.%s://%s.allowNTLMAuth true"),
+					http_auth.protocol, http_auth.host);
+			}
 			return HTTP_NOAUTH;
 		} else {
 			http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE;
--- a/t/t5563-simple-http-auth.sh
+++ b/t/t5563-simple-http-auth.sh
@@ -731,7 +731,8 @@ test_expect_success NTLM 'access using NTLM auth' '

 	test_config_global credential.helper test-helper &&
 	test_must_fail env GIT_TRACE_CURL=1 git \
-		ls-remote "$HTTPD_URL/ntlm_auth/repo.git" &&
+		ls-remote "$HTTPD_URL/ntlm_auth/repo.git" 2>err &&
+	test_grep "allowNTLMAuth" err &&
 	GIT_TRACE_CURL=1 git -c http.$HTTPD_URL.allowNTLMAuth=true \
 		ls-remote "$HTTPD_URL/ntlm_auth/repo.git"
 '