http: warn if might have failed because of NTLM

The new default of Git is to disable NTLM authentication by default.

To help users find the escape hatch of that config setting, should they
need it, suggest it when the authentication failed and the server had
offered NTLM, i.e. if re-enabling it would fix the problem.

Helped-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Author: dscho

http.c

@@ -1915,6 +1915,17 @@ static int handle_curl_result(struct slot_results *results)
 			credential_reject(&http_auth);
 			if (always_auth_proactively())
 				http_proactive_auth = PROACTIVE_AUTH_NONE;
+			if ((results->auth_avail & CURLAUTH_NTLM) &&
+			    !(http_auth_any & CURLAUTH_NTLM)) {
+				warning(_("Due to its cryptographic weaknesses, "
+					  "NTLM authentication has been\n"
+					  "disabled in Git by default. You can "
+					  "re-enable it for trusted servers\n"
+					  "by running:\n\n"
+					  "git config set "
+					  "http.%s://%s.allowNTLMAuth true"),
+					http_auth.protocol, http_auth.host);
+			}
 			return HTTP_NOAUTH;
 		} else {
 			http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE;

t/t5563-simple-http-auth.sh

@@ -687,7 +687,8 @@ test_expect_success NTLM 'access using NTLM auth' '
 
 	test_config_global credential.helper test-helper &&
 	test_must_fail env GIT_TRACE_CURL=1 git \
-		ls-remote "$HTTPD_URL/ntlm_auth/repo.git" &&
+		ls-remote "$HTTPD_URL/ntlm_auth/repo.git" 2>err &&
+	test_grep "allowNTLMAuth" err &&
 	GIT_TRACE_CURL=1 git -c http.$HTTPD_URL.allowNTLMAuth=true \
 		ls-remote "$HTTPD_URL/ntlm_auth/repo.git"
 '