<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.26.3">
</HEAD>
<BODY>
On Wed, 2009-07-29 at 15:45 -0500, Marc Powell wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
On Jul 29, 2009, at 2:09 PM, Jim McNamara wrote:
> Thanks for that help. Unfortunately it leads to some unusual
> results. Both authenticating from firefox on a windows host and on
> the CLI from the linux server show the same credentials being
> passed, as shown here:
>
> (Windows)
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:
> 1.9.0.12) Gecko/2009070611 Firefox/3.0.12\r\n
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/
> *;q=0.8\r\n
> Accept-Language: en-us,en;q=0.5\r\n
> Accept-Encoding: gzip,deflate\r\n
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n
> Keep-Alive: 300\r\n
> Connection: keep-alive\r\n
> Authorization: Basic OnJlYm9vdA==\r\n
> Credentials: :reboot
> \r\n
>
> (Linux)
> GET / HTTP/1.0\r\n
> User-Agent: check_http/v2053 (nagios-plugins 1.4.13)\r\n
> Connection: close\r\n
> Authorization: Basic OnJlYm9vdA==\r\n
> Credentials: :reboot
> \r\n
>
> So both agents pass the correct info to the unit, but something
> clearly doesn't behave well.
I agree. Both translate to the same string.
> I do see a fair amount of javascript in the windows capture after
> the authentication, could that be part of the issue?
No. I am presuming the javascript is being sent in response to the
successful auth.
> Also the "Connection: close\r\n sent by check_http has me wondering
> if is closing the stream before some of the authentication is
> completed?
No, that's just telling the server that it can close the connection
after sending the response. That response should be the HTML of the
page after successful auth. That's standard HTTP and they shouldn't be
bombing based on that.
> I have both captures from tshark and wireshark saved if seeing the
> full info would be any help.
Probably not. It certainly appears that this device is requiring
something more than just Basic authentication. It may be looking at
User-Agent or some other header and rejecting if it's not there or
something unexpected. You might try adding a -A to change the user-
agent to match the one above and/or one or more -k headers to see what
that extra bit might be. Other than that, your best source of what
they're really looking for is going to be the manufacturer unless they
happen to provide the source (yeah, right....).
--
Marc
</PRE>
</BLOCKQUOTE>
<BR>
Thanks again Marc.<BR>
<BR>
Just adding the -A modifier didn't produce any change, and I've been trying to add -k to perfectly mimic the strings sent by firefox. The problem is -A has no problem sending semicolons or asterisks as long as the whole string is in quotes, but -k fails at either of those chars. Here's some output - <BR>
<BR>
/usr/local/nagios/libexec/check_http -I 192.168.150.11 -a :reboot -A"Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: 1.9.0.12) Gecko/2009070611 Firefox/3.0.12" -k"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" -v<BR>
GET / HTTP/1.0<BR>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: 1.9.0.12) Gecko/2009070611 Firefox/3.0.12<BR>
Connection: close<BR>
Accept: text/html,application/xhtml+xml,application/xml<BR>
q=0.9,*/*<BR>
q=0.8\r\n<BR>
Authorization: Basic OnJlYm9vdA==<BR>
<BR>
<BR>
http://192.168.150.11:80/ is 97 characters<BR>
STATUS: HTTP/1.0 401 Not Authorized<BR>
**** HEADER ****<BR>
WWW-Authenticate: Basic realm="iBoot"<BR>
**** CONTENT ****<BR>
<html><h2>Error</h2></html><BR>
HTTP WARNING: HTTP/1.0 401 Not Authorized<BR>
<BR>
It seems the semicolon breaks up the header, and neither backslashing or using single quotes in place of the quotation marks in my example made any difference. What is the right way to get the full header sent including special chars?<BR>
<BR>
Additionally, I saw the GET command from firefox was 1.1, and GET from check_http is 1.0. I don't know if that is a problem, but wireshark shows a GET v1.0 as "Continuation or non-HTTP traffic". Can the get command either be changed to 1.1 or masked to appear as if it was 1.1?<BR>
<BR>
Thanks again to all.
</BODY>
</HTML>