From: Klemens Nanni <kn@openbsd.org>
Subject: Re: Support for basic auth in HTTP Server answer
To: tech@openbsd.org
Date: Sun, 26 Oct 2025 12:26:55 +0000

23.10.2025 22:22, Chris Narkiewicz пишет:
> Hello, I'm posting this patch again, after 7.8 release cycle completed
> and hopefully the tolerance for riskier changes is back.
> 
> I'm currently experimenting with autoinstall over HTTP in
> not-so-secure environment. The installer allows me to fetch
> auto_install.conf using basic auth, but
> 
>     HTTP Server?
> 
> question does not accept servers with basic auth credentials,
> preventing me from putting any sensitve data in siteXY.tgz archives.
> This limitation doesn't affect autoinstall config and disklabel
> URLs, only sets.
> 
> This patch allowed me to download file sets from basic-auth
> protected server:

If you don't want to serve to untrusted parties...

> 
> --- distrib/miniroot/install.sub.orig	Wed Sep 17 02:22:11 2025
> +++ distrib/miniroot/install.sub	Wed Sep 17 02:23:23 2025
> @@ -1925,7 +1925,7 @@
>  			HTTP_SERVER=${1%%/*}
>  			# Repeat loop to get user to confirm server address.
>  			;;
> -		?(http?(s)://)+([A-Za-z0-9:.\[\]%_-]))
> +               ?(http?(s)://)?(+(+([A-Za-z0-9:-_])@))+([A-Za-z0-9:.\[\]%_-]))
>  			case $resp in
>  			https://*)	_tls=force _http_proto=https;;
>  			http://*)	_tls=no    _http_proto=http;;
> 
> 
> Breaking it down:
> 
> orig:   ?(http?(s)://)........................+([A-Za-z0-9:.\[\]%_-]))
> auth:                 ?(+(+([A-Za-z0-9:-_])@))
> final:  ?(http?(s)://)?(+(+([A-Za-z0-9:-_])@))+([A-Za-z0-9:.\[\]%_-]))

Could use [:alnum:] for readability.

> 
> Although my basic auth pattern is not completely strict, current host
> pattern is not bullet-proof either. Including A-Za-z0-9 allows me to
> pick reasonably secure secret.

Seems fine.
  
>     server "install.example.com" {
>         listen on 0.0.0.0 port 8080
>         
>         root "/install.example.com"
>         directory index "index.html"
>         
>         location "/sets/*" {
>             directory auto index
>             root "/install.example.com/sets/"
>             request strip 1
>             authenticate with "/install.example.com/htpasswd"
>         }
>     }
> 5. When prompted for HTTP Server? I provided http://user:pass@100.64.1.2:8080/sets
... why would you let them read your credentials like that?

Basic auth only makes sense to me here when enforcing TLS.