Implementing support for NTLM authentication

Ezra.Smith at bentley.com
Tue Oct 30 16:40:44 CDT 2007


Hi all,

I figured this is probably more suited to the dev mailing list than the
general one.

We're trying to move away from cvsnt where I work. One of the features
we really like about cvsnt is its support for Microsoft's NTLM (NT
LanManager) authentication. It's convenient in a Windows-only
environment because a user's current login credentials (what he/she
logged into the workstation with) can be used to validate access to the
CVS server, without the need to type another password. When I do a "cvs
diff blah.c", the CVS server knows who I am and knows if I should really
have access to blah.c.

We'd like to extend this behavior to Mercurial. We're hosting
repositories on a Microsoft IIS server, and the server itself has
support for NTLM authentication. With NTLM enabled, I can restrict
access to the server quite nicely...if I try to view the repository with
my web browser, a challenge/response goes back and forth through HTTP
headers, and then I'm authenticated and can view the contents of the
repo. So far, so good.

As you're all probably aware, Mercurial doesn't recognize the NTLM
challenge, and won't be granted access to the web server when trying to
clone, push, pull, etc.

As part of integrating Mercurial into our work environment, I'm going to
be implementing support for NTLM within Mercurial. The technical side of
the challenge/response isn't an issue; the PyWin32 API on Windows
implements enough Windows security stuff to handle the task. What I'd
really like to know is:

How should I implement this? As an extension? As a patch?

An extension seems ideal, given that I doubt most Mercurial users will
even care about this functionality, and those who aren't running Windows
probably won't want it (side note: NTLM can be implemented on *nix
systems, too, but requires that you actually type a password when
authenticating, which defeats the convenience factor). Unfortunately,
I'm not so sure that an extension is the right idea, given that I want
"hg clone," "hg pull," etc to work as normal, with some extra
authentication stuff if the web server responds with an NTLM challenge.
Is it feasible for an extension to overwrite an actual function inside
of Mercurial, and if so, is that really a safe way to go about things?

The other alternative would be creating a patch that enables NTLM
authentication. It feels less elegant to me than a nice extension that
can be plugged in on systems where NTLM is in use...but if an extension
won't work, it looks like the only alternative.

Of course, in a perfect world, I'd really just like to write a patch and
have it become part of the standard Mercurial distribution (the less we
have to keep patches on top of the standard distribution, the happier
we'll be here)...but as far as I can tell, nobody on the general mailing
lists has even asked about this kind of thing, and I don't know how much
of a desired feature it is outside of my workplace.

Thanks,
-Ezra 
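The challenge/response "back and forth through HTTP headers" that the post describes, written out end to end, as an added example. This is not code from the post, from Mercurial, cvsnt, IIS or PyWin32. It assumes NTLMv2 responses (HMAC-MD5 over the MS-NLMP message layout, with no Version or MIC fields), that the client is handed the user's 16-byte NT hash directly (on Windows the post's PyWin32/SSPI route would hold the logged-in credential instead, so no hash ever appears in Python), and that the IIS side is a constructed in-process stand-in (FakeIisServer) rather than a real server. The user/domain/host names and the NtlmClient/FakeIisServer/authenticate names are illustrative.

```python
"""NTLM over HTTP headers: the 401 / Type 1 / Type 2 / Type 3 exchange described above.
Added example, not code from the post, Mercurial, cvsnt or PyWin32.  Assumes NTLMv2
(HMAC-MD5, MS-NLMP layout), a client handed the 16-byte NT hash directly (on Windows,
SSPI holds the logged-in credential instead), an in-process stand-in for IIS, and no
Version/MIC fields.  Python 3 standard library only."""
import base64, hashlib, hmac, os, struct

SIGNATURE = b"NTLMSSP\x00"
NEG_UNICODE, NEG_REQUEST_TARGET, NEG_NTLM, NEG_ALWAYS_SIGN, NEG_TARGET_INFO = 0x1, 0x4, 0x200, 0x8000, 0x800000
CLIENT_FLAGS = NEG_UNICODE | NEG_REQUEST_TARGET | NEG_NTLM | NEG_ALWAYS_SIGN
AV_EOL, AV_NB_COMPUTER, AV_NB_DOMAIN = 0, 1, 2
# MS-NLMP test-vector NT hash (MD4 of UTF-16LE "Password"); stands in for the SSPI-held credential.
NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")

def _field(data, offset):               # Len / MaxLen / BufferOffset descriptor into the payload
    return struct.pack("<HHI", len(data), len(data), offset)

def _read_field(msg, at):
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]

def av_pairs(items):                    # {AvId: bytes} -> AV_PAIR list terminated by MsvAvEOL
    body = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in items.items())
    return body + struct.pack("<HH", AV_EOL, 0)

def build_type1(flags=CLIENT_FLAGS):    # NEGOTIATE_MESSAGE: 32 bytes, empty domain/workstation
    return SIGNATURE + struct.pack("<II", 1, flags) + _field(b"", 32) * 2

def build_type2(server_challenge, target, target_info, flags):   # CHALLENGE_MESSAGE, 48-byte header
    tname = target.encode("utf-16-le")
    return (SIGNATURE + struct.pack("<I", 2) + _field(tname, 48) + struct.pack("<I", flags | NEG_TARGET_INFO)
            + server_challenge + b"\x00" * 8 + _field(target_info, 48 + len(tname)) + tname + target_info)

def parse_type2(msg):                   # -> (ServerChallenge, TargetInfo)
    if len(msg) < 48 or msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    return msg[24:32], _read_field(msg, 40)

def ntowf_v2(nt_hash, user, domain):    # NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) || domain)
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def ntlmv2_response(ntowf2, server_challenge, client_challenge, target_info, timestamp=0):
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf2, server_challenge + temp, hashlib.md5).digest()      # NTProofStr
    return proof + temp

def build_type3(nt_hash, user, domain, workstation, server_challenge, target_info, flags=CLIENT_FLAGS):
    client_challenge = os.urandom(8)    # AUTHENTICATE_MESSAGE: 64-byte header (six fields + flags)
    ntowf2 = ntowf_v2(nt_hash, user, domain)
    nt_resp = ntlmv2_response(ntowf2, server_challenge, client_challenge, target_info)
    lm_resp = hmac.new(ntowf2, server_challenge + client_challenge, hashlib.md5).digest() + client_challenge
    strings = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    fields, payload, at = b"", b"", 64
    for chunk in [lm_resp, nt_resp] + strings + [b""]:      # last field: empty session key
        fields, payload, at = fields + _field(chunk, at), payload + chunk, at + len(chunk)
    return SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload

class NtlmClient:
    """What an hg extension would do on each 401: turn WWW-Authenticate into Authorization."""
    def __init__(self, nt_hash, user, domain, workstation="WS1"):
        self.nt_hash, self.user, self.domain, self.workstation = nt_hash, user, domain, workstation

    def respond(self, www_authenticate):
        scheme, _, token = www_authenticate.partition(" ")
        if scheme.upper() != "NTLM":
            return None                 # not an NTLM challenge: leave the 401 to hg's normal path
        if not token:                   # bare "NTLM": round 1, send Type 1
            return "NTLM " + base64.b64encode(build_type1()).decode()
        challenge, target_info = parse_type2(base64.b64decode(token))
        t3 = build_type3(self.nt_hash, self.user, self.domain, self.workstation, challenge, target_info)
        return "NTLM " + base64.b64encode(t3).decode()

class FakeIisServer:
    """Constructed stand-in for IIS with NTLM enabled.  handle(Authorization) -> (status, WWW-Authenticate)."""
    def __init__(self, nt_hash, user, domain, host="IIS01"):
        self.nt_hash, self.user, self.domain, self.host, self.challenge = nt_hash, user, domain, host, None

    def handle(self, authorization):
        is_ntlm = bool(authorization) and authorization.upper().startswith("NTLM ")
        msg = base64.b64decode(authorization[5:]) if is_ntlm else b""
        if len(msg) < 12 or msg[:8] != SIGNATURE:
            return 401, "NTLM"
        mtype = struct.unpack_from("<I", msg, 8)[0]
        if mtype == 1:
            self.challenge = os.urandom(8)
            info = av_pairs({AV_NB_COMPUTER: self.host.encode("utf-16-le"), AV_NB_DOMAIN: self.domain.encode("utf-16-le")})
            t2 = build_type2(self.challenge, self.domain, info, CLIENT_FLAGS)
            return 401, "NTLM " + base64.b64encode(t2).decode()
        if mtype == 3 and self.challenge:
            challenge, self.challenge = self.challenge, None      # one-shot: a replayed Type 3 fails
            nt_resp = _read_field(msg, 20)
            domain, user = (_read_field(msg, at).decode("utf-16-le") for at in (28, 36))
            expected = hmac.new(ntowf_v2(self.nt_hash, user, domain), challenge + nt_resp[16:], hashlib.md5).digest()
            if user == self.user and hmac.compare_digest(nt_resp[:16], expected):
                return 200, ""
        return 401, "NTLM"

def authenticate(client, server, max_rounds=3):
    """Drive the exchange as a clone/pull would; returns the final HTTP status."""
    status, header = server.handle(None)
    for _ in range(max_rounds):
        if status != 401:
            break
        auth = client.respond(header)
        if auth is None:
            break
        status, header = server.handle(auth)
    return status
```

The part an extension would actually own is NtlmClient.respond: it only acts when the 401 carries an NTLM challenge and otherwise returns None so the ordinary handling runs, which is the "work as normal, with some extra authentication stuff if the web server responds with an NTLM challenge" behaviour the post asks for. Two details worth keeping in a real implementation: the server binds the Type 3 to the challenge it issued and discards it afterwards, so a captured Authorization header cannot be replayed, and the comparison of NTProofStr uses a constant-time compare. Real IIS scopes the challenge to the TCP connection (NTLM authenticates the connection, not each request), which is why a client has to keep the connection alive across the three rounds.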


