[issue2954] Mercurial retries push with invalid credentials too many times, can cause account lockout

Aaron Jensen bugs at mercurial.selenic.com
Fri Aug 12 19:26:49 CDT 2011


New submission from Aaron Jensen <ajensen at webmd.net>:

Our repository requires authorization to push (using the allow_push configuration option in hgrc) 
and authenticates against our corporate, Windows domain.  The repository is hosted on Windows 2008, 
under IIS 7.0.  We are using Mercurial 1.8.3.

If a user accidentally fat-fingers his password, Mercurial retries the push with the bad password 
six times [1].  Our corporate policy locks out accounts after 5 failed login attempts.  A developer 
then has to wait 20 minutes for his account to unlock before retrying the push.

I would expect Mercurial to make one attempt (i.e., one HTTP request) to push, then either 
fail or re-prompt the user for his password.


# Steps to Reproduce
1. Set up a Mercurial repository that requires credentials to push.  Make sure the credentials are 
on a Windows machine or domain.  Set the failed-login lockout threshold to 6 or fewer attempts.
2. Push to the repo.  Use an invalid password.
3. Note that the Windows account is now locked out.


[1] Here is the relevant portion of the `hg -f --debug push` output, which shows the extra HTTP 
requests.  I've masked my company's domain, my username, and our repository's server name.
http authorization required
realm: ****
user: *******
password:
http auth: user *******, password ****
using auth.all.* for authentication
********************* certificate successfully verified
sending: 0 kb
sending: 0 kb
http auth: user *******, password ****
using auth.all.* for authentication
********************* certificate successfully verified
sending: 1 kb
sending: 1 kb
http auth: user *******, password ****
using auth.all.* for authentication
********************* certificate successfully verified
sending: 1 kb
sending: 1 kb
http auth: user *******, password ****
using auth.all.* for authentication
********************* certificate successfully verified
sending: 1 kb
sending: 1 kb
http auth: user *******, password ****
using auth.all.* for authentication
********************* certificate successfully verified
sending: 2 kb
sending: 2 kb
http auth: user *******, password ****
using auth.all.* for authentication
********************* certificate successfully verified
sending: 2 kb
sending: 2 kb
abort: authorization failed

----------
messages: 17126
nosy: splatteredbits
priority: bug
status: unread
title: Mercurial retries push with invalid credentials too many times, can cause account lockout

____________________________________________________
Mercurial issue tracker <bugs at mercurial.selenic.com>
<http://mercurial.selenic.com/bts/issue2954>
____________________________________________________
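As an added illustration, not part of the report above or of Mercurial's own code, the following Python parser reads `hg --debug push` output of the kind quoted in the report, counts how many times the same credentials were submitted before the abort, and compares that count against a domain lockout threshold. The embedded sample is a constructed, shortened version of the masked excerpt.

```python
import re
from collections import Counter

# Constructed sample of `hg --debug push` output, shortened and masked the same
# way as the report above; it is not the reporter's original capture.
DEBUG_OUTPUT = """\
http authorization required
realm: ****
user: *******
password:
http auth: user *******, password ****
http auth: user *******, password ****
http auth: user *******, password ****
http auth: user *******, password ****
http auth: user *******, password ****
http auth: user *******, password ****
abort: authorization failed
"""

# One such line is printed per HTTP request that carries the password.
AUTH_RE = re.compile(r"^http auth: user (?P<user>[^,]+), password ")


def count_auth_attempts(log_text):
    """Count credential submissions per (masked) user name."""
    attempts = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            attempts[m.group("user")] += 1
    return attempts


def analyze_push_log(log_text, lockout_threshold=5):
    """Summarise a failed push: how often the same password was sent before
    the abort, how often the user was actually prompted, and whether the
    submission count reaches the domain's failed-login lockout threshold."""
    lines = log_text.splitlines()
    attempts = count_auth_attempts(log_text)
    prompts = sum(1 for l in lines if l.strip() == "password:")
    aborted = any(l.startswith("abort: authorization failed") for l in lines)
    worst = max(attempts.values(), default=0)
    return {
        "attempts": dict(attempts),   # credential submissions per user
        "prompts": prompts,           # password prompts shown to the user
        "aborted": aborted,
        "lockout_risk": aborted and worst >= lockout_threshold,
    }
```

Running `analyze_push_log(DEBUG_OUTPUT)` on the sample reports one prompt but six submissions of the same password, which meets the five-attempt lockout policy described in the report.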