[issue2954] Mercurial retries push with invalid credentials too many times, can cause account lockout
Aaron Jensen
bugs at mercurial.selenic.com
Fri Aug 12 19:26:49 CDT 2011
New submission from Aaron Jensen <ajensen at webmd.net>:
Our repository requires authorization to push (using the allow_push configuration option in hgrc)
and authenticates against our corporate, Windows domain. The repository is hosted on Windows 2008,
under IIS 7.0. We are using Mercurial 1.8.3.
If a user accidentally fat-fingers his password, Mercurial retries the push with the bad password
six times [1]. Our corporate policy locks out accounts after 5 failed login attempts. A developer
then has to wait 20 minutes for his account to unlock to retry the push.
I would expect that Mercurial would make one attempt (i.e. one HTTP request) to push, then either
fail, or re-prompt the user for his password.
# Steps to Reproduce
1. Set up a Mercurial repository that requires credentials to push. Make sure the credentials are
on a Windows machine or domain. Set the failed lockout attempts to 6 or less.
2. Push to the repo. Use an invalid password.
3. Note that the Windows account is now locked out.
[1] Here is the relevant portion of the `hg -f --debug push` output which shows the extra HTTP
requests. I've masked my company's domain, my username, and our repository's server name.
http authorization required
realm: ****
user: *******
password:
http auth: user *******, password ****
using auth.all.* for authentication
********************* certificate successfully verified
sending: 0 kb
sending: 0 kb
http auth: user *******, password ****
using auth.all.* for authentication
********************* certificate successfully verified
sending: 1 kb
sending: 1 kb
http auth: user *******, password ****
using auth.all.* for authentication
********************* certificate successfully verified
sending: 1 kb
sending: 1 kb
http auth: user *******, password ****
using auth.all.* for authentication
********************* certificate successfully verified
sending: 1 kb
sending: 1 kb
http auth: user *******, password ****
using auth.all.* for authentication
********************* certificate successfully verified
sending: 2 kb
sending: 2 kb
http auth: user *******, password ****
using auth.all.* for authentication
********************* certificate successfully verified
sending: 2 kb
sending: 2 kb
abort: authorization failed
----------
messages: 17126
nosy: splatteredbits
priority: bug
status: unread
title: Mercurial retries push with invalid credentials too many times, can cause account lockout
____________________________________________________
Mercurial issue tracker <bugs at mercurial.selenic.com>
<http://mercurial.selenic.com/bts/issue2954>
____________________________________________________
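The following is an added illustration, not part of the report above and not Mercurial's own code. It parses a constructed copy of the masked `hg -f --debug push` output quoted in the report, counts how many HTTP requests carried the one password the user typed, compares that against a lockout threshold, and then models the client behaviour the reporter expects (each typed password sent once; a rejection leads to a new prompt rather than a replay). The names `count_credential_submissions`, `would_lock_out`, `push_with_reprompt`, `server_accepts` and `passwords` are hypothetical and stand in for the real client and server.

```python
import re
from typing import Callable, Iterable, List, Tuple

# Constructed sample: the shape of the masked `hg -f --debug push` output
# quoted in the report, trimmed to the lines that matter for counting.
SAMPLE_DEBUG_OUTPUT = """\
http authorization required
realm: ****
user: *******
password:
http auth: user *******, password ****
using auth.all.* for authentication
sending: 0 kb
http auth: user *******, password ****
using auth.all.* for authentication
sending: 1 kb
http auth: user *******, password ****
using auth.all.* for authentication
sending: 1 kb
http auth: user *******, password ****
using auth.all.* for authentication
sending: 1 kb
http auth: user *******, password ****
using auth.all.* for authentication
sending: 2 kb
http auth: user *******, password ****
using auth.all.* for authentication
sending: 2 kb
abort: authorization failed
"""

# One "http auth:" line is logged per HTTP request that carries credentials.
AUTH_LINE = re.compile(r"^http auth: user (?P<user>\S+), password (?P<password>\S+)$")
# The bare "password:" line is the interactive prompt shown to the user.
PROMPT_LINE = "password:"


def count_credential_submissions(debug_output: str) -> Tuple[int, int]:
    """Return (prompts, submissions): how often the user was asked for a
    password and how many requests carried one.  A wide gap between the two
    means a single typo is replayed repeatedly against the auth backend."""
    prompts = submissions = 0
    for line in debug_output.splitlines():
        if line.strip() == PROMPT_LINE:
            prompts += 1
        elif AUTH_LINE.match(line):
            submissions += 1
    return prompts, submissions


def would_lock_out(submissions: int, lockout_threshold: int) -> bool:
    """True when replaying one bad password `submissions` times reaches a
    policy that locks the account after `lockout_threshold` failures."""
    return submissions >= lockout_threshold


def push_with_reprompt(server_accepts: Callable[[str], bool],
                       passwords: Iterable[str],
                       max_prompts: int) -> Tuple[bool, List[str]]:
    """Hypothetical model of the behaviour the report asks for: every
    password the user types is sent exactly once, a rejection leads to a
    fresh prompt, and the client gives up after `max_prompts` prompts.
    `server_accepts` stands in for the remote check; `passwords` yields the
    user's successive answers.  Returns (pushed, passwords_sent)."""
    sent: List[str] = []
    for password in passwords:
        if len(sent) >= max_prompts:
            break
        sent.append(password)
        if server_accepts(password):
            return True, sent
    return False, sent


if __name__ == "__main__":
    prompts, submissions = count_credential_submissions(SAMPLE_DEBUG_OUTPUT)
    print(f"prompted {prompts} time(s), password sent {submissions} time(s)")
    print("locks a 5-failure policy:", would_lock_out(submissions, 5))
    ok, sent = push_with_reprompt(lambda p: p == "correct",
                                  ["typo", "correct"], max_prompts=3)
    print("re-prompting client pushed:", ok, "after", len(sent), "attempt(s)")
```

Run over the sample, the parser reports one prompt but six credential submissions, which is exactly the mismatch the reporter describes against a five-failure lockout policy; the re-prompting model caps submissions at the number of prompts, so keeping `max_prompts` below the lockout threshold bounds the damage of a single typo.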