generic: ask if NTLM support should be enabled

In addressing CVE-2025-66413, Git for Windows has decided to disable
NTLM support by default (very sensible!).

When NTLM is detected, but not permitted by Git, we get the following
input from Git:

```
ntlm=suppressed
```

When we see this, we show a warning to the user that NTLM has been
disabled in Git and ask them what they'd like to do.

We have a few options:

  1) Do nothing - no NTLM enabled.

  2) Re-enable NTLM just this once.
     If we echo back to Git `ntlm=allow` then it will permit NTLM again,
     for this specific request.

  3) Re-enable NTLM permanently for this remote.
     If we set `http.<URL>.allowNTLMAuth` to `true` then Git will no
     longer prevent NTLM for that remote.

Present these options, along with a warning about NTLM's insecure
nature, with links for more information.

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>

Author: mjcheetham

src/shared/Core.Tests/GenericHostProviderTests.cs

@@ -190,6 +190,136 @@ public async Task GenericHostProvider_CreateCredentialAsync_WiaNotSupported_Retu
             await TestCreateCredentialAsync_ReturnsBasicCredential(WindowsAuthenticationTypes.None);
         }
 
+        [WindowsFact]
+        private static async Task GenericHostProvider_NtlmSuppressed_AllowOnce()
+        {
+            var input = new InputArguments(new Dictionary<string, string>
+            {
+                ["protocol"] = "https",
+                ["host"]     = "example.com",
+                [Constants.CredentialProtocol.NtlmKey] = Constants.CredentialProtocol.NtlmSuppressed,
+            });
+
+            var configKey =
+                $"{Constants.GitConfiguration.Http.SectionName}.https://example.com.{Constants.GitConfiguration.Http.AllowNtlmAuth}";
+
+            var context = new TestCommandContext();
+            context.Git.Configuration.Global.Clear();
+
+            var basicAuthMock = new Mock<IBasicAuthentication>();
+            basicAuthMock.Setup(x => x.GetCredentialsAsync(It.IsAny<string>(), It.IsAny<string>()))
+                .Verifiable();
+            var wiaAuthMock = new Mock<IWindowsIntegratedAuthentication>();
+            wiaAuthMock.Setup(x => x.GetAuthenticationTypesAsync(It.IsAny<Uri>()))
+                .ReturnsAsync(WindowsAuthenticationTypes.Ntlm);
+            wiaAuthMock.Setup(x => x.AskEnableNtlmAsync(It.IsAny<Uri>()))
+                .ReturnsAsync(NtlmSupport.Once);
+            var oauthMock = new Mock<IOAuthAuthentication>();
+
+            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object, oauthMock.Object);
+
+            var result = await provider.GenerateCredentialAsync(input);
+            ICredential credential = result.Credential;
+
+            Assert.NotNull(credential);
+            Assert.Equal(string.Empty, credential.Account);
+            Assert.Equal(string.Empty, credential.Password);
+            Assert.True(result.AdditionalProperties.TryGetValue(Constants.CredentialProtocol.NtlmKey, out string ntlmValue));
+            Assert.Equal(Constants.CredentialProtocol.NtlmAllow, ntlmValue);
+
+            wiaAuthMock.Verify(x => x.AskEnableNtlmAsync(It.IsAny<Uri>()), Times.Once);
+            basicAuthMock.Verify(x => x.GetCredentialsAsync(It.IsAny<string>(), It.IsAny<string>()), Times.Never);
+
+            Assert.False(context.Git.Configuration.Global.TryGetValue(configKey, out _));
+        }
+
+        [WindowsFact]
+        private static async Task GenericHostProvider_NtlmSuppressed_AllowAlways()
+        {
+            var input = new InputArguments(new Dictionary<string, string>
+            {
+                ["protocol"] = "https",
+                ["host"]     = "example.com",
+                [Constants.CredentialProtocol.NtlmKey] = Constants.CredentialProtocol.NtlmSuppressed,
+            });
+
+            var configKey =
+                $"{Constants.GitConfiguration.Http.SectionName}.https://example.com.{Constants.GitConfiguration.Http.AllowNtlmAuth}";
+
+            var context = new TestCommandContext();
+            context.Git.Configuration.Global.Clear();
+
+            var basicAuthMock = new Mock<IBasicAuthentication>();
+            basicAuthMock.Setup(x => x.GetCredentialsAsync(It.IsAny<string>(), It.IsAny<string>()))
+                .Verifiable();
+            var wiaAuthMock = new Mock<IWindowsIntegratedAuthentication>();
+            wiaAuthMock.Setup(x => x.GetAuthenticationTypesAsync(It.IsAny<Uri>()))
+                .ReturnsAsync(WindowsAuthenticationTypes.Ntlm);
+            wiaAuthMock.Setup(x => x.AskEnableNtlmAsync(It.IsAny<Uri>()))
+                .ReturnsAsync(NtlmSupport.Always);
+            var oauthMock = new Mock<IOAuthAuthentication>();
+
+            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object, oauthMock.Object);
+
+            var result = await provider.GenerateCredentialAsync(input);
+            ICredential credential = result.Credential;
+
+            Assert.NotNull(credential);
+            Assert.Equal(string.Empty, credential.Account);
+            Assert.Equal(string.Empty, credential.Password);
+            Assert.True(result.AdditionalProperties.TryGetValue(Constants.CredentialProtocol.NtlmKey, out string ntlmValue));
+            Assert.Equal(Constants.CredentialProtocol.NtlmAllow, ntlmValue);
+
+            wiaAuthMock.Verify(x => x.AskEnableNtlmAsync(It.IsAny<Uri>()), Times.Once);
+            basicAuthMock.Verify(x => x.GetCredentialsAsync(It.IsAny<string>(), It.IsAny<string>()), Times.Never);
+
+            Assert.True(context.Git.Configuration.Global.TryGetValue(configKey, out IList<string> configValues));
+            string configValue = Assert.Single(configValues);
+            Assert.True(configValue.IsTruthy());
+        }
+
+        [WindowsFact]
+        private static async Task GenericHostProvider_NtlmSuppressed_Disabled()
+        {
+            var input = new InputArguments(new Dictionary<string, string>
+            {
+                ["protocol"] = "https",
+                ["host"]     = "example.com",
+                [Constants.CredentialProtocol.NtlmKey] = Constants.CredentialProtocol.NtlmSuppressed,
+            });
+
+            var configKey =
+                $"{Constants.GitConfiguration.Http.SectionName}.https://example.com.{Constants.GitConfiguration.Http.AllowNtlmAuth}";
+
+            var context = new TestCommandContext();
+            context.Git.Configuration.Global.Clear();
+
+            var basicAuthMock = new Mock<IBasicAuthentication>();
+            basicAuthMock.Setup(x => x.GetCredentialsAsync(It.IsAny<string>(), It.IsAny<string>()))
+                .ReturnsAsync(new GitCredential("testUser", "testPassword"));
+            var wiaAuthMock = new Mock<IWindowsIntegratedAuthentication>();
+            wiaAuthMock.Setup(x => x.GetAuthenticationTypesAsync(It.IsAny<Uri>()))
+                .ReturnsAsync(WindowsAuthenticationTypes.Ntlm);
+            wiaAuthMock.Setup(x => x.AskEnableNtlmAsync(It.IsAny<Uri>()))
+                .ReturnsAsync(NtlmSupport.Disabled);
+            var oauthMock = new Mock<IOAuthAuthentication>();
+
+            var provider = new GenericHostProvider(context, basicAuthMock.Object, wiaAuthMock.Object, oauthMock.Object);
+
+            var result = await provider.GenerateCredentialAsync(input);
+            ICredential credential = result.Credential;
+
+            Assert.NotNull(credential);
+            Assert.Equal("testUser", credential.Account);
+            Assert.Equal("testPassword", credential.Password);
+            Assert.False(result.AdditionalProperties.TryGetValue(Constants.CredentialProtocol.NtlmKey, out _));
+
+            wiaAuthMock.Verify(x => x.AskEnableNtlmAsync(It.IsAny<Uri>()), Times.Once);
+            basicAuthMock.Verify(x => x.GetCredentialsAsync(It.IsAny<string>(), It.IsAny<string>()), Times.Once);
+
+            Assert.False(context.Git.Configuration.Global.TryGetValue(configKey, out _));
+        }
+
         [Fact]
         public async Task GenericHostProvider_GenerateCredentialAsync_OAuth_CompleteOAuthConfig_UsesOAuth()
         {

src/shared/Core/Authentication/WindowsIntegratedAuthentication.cs

@@ -1,15 +1,27 @@
 using System;
 using System.Net.Http;
 using System.Net.Http.Headers;
+using System.Threading;
 using System.Threading.Tasks;
+using GitCredentialManager.UI;
+using GitCredentialManager.UI.ViewModels;
+using GitCredentialManager.UI.Views;
 
 namespace GitCredentialManager.Authentication
 {
     public interface IWindowsIntegratedAuthentication : IDisposable
     {
+        Task<NtlmSupport> AskEnableNtlmAsync(Uri uri);
         Task<WindowsAuthenticationTypes> GetAuthenticationTypesAsync(Uri uri);
     }
 
+    public enum NtlmSupport
+    {
+        Once,
+        Always,
+        Disabled,
+    }
+
     [Flags]
     public enum WindowsAuthenticationTypes
     {
@@ -31,6 +43,44 @@ public class WindowsIntegratedAuthentication : AuthenticationBase, IWindowsInteg
         public WindowsIntegratedAuthentication(ICommandContext context)
             : base(context) { }
 
+        public async Task<NtlmSupport> AskEnableNtlmAsync(Uri uri)
+        {
+            ThrowIfUserInteractionDisabled();
+
+            if (Context.SessionManager.IsDesktopSession && Context.Settings.IsGuiPromptsEnabled)
+            {
+                // Note: we do not support the UI helper for WIA so always show the in-proc GUI
+                var vm = new EnableNtlmViewModel(Context.SessionManager)
+                {
+                    Url = uri.ToString(),
+                };
+                await AvaloniaUi.ShowViewAsync<EnableNtlmView>(vm, GetParentWindowHandle(), CancellationToken.None);
+                ThrowIfWindowCancelled(vm);
+
+                return vm.SelectedOption;
+            }
+
+            ThrowIfTerminalPromptsDisabled();
+
+            var menu = new TerminalMenu(Context.Terminal, "Re-enable NTLM support in Git?");
+            TerminalMenuItem onceItem = menu.Add("Yes - just this time");
+            TerminalMenuItem alwaysItem = menu.Add($"Yes - always for {uri}");
+            TerminalMenuItem noItem = menu.Add("No - do not enable NTLM");
+            TerminalMenuItem choice = menu.Show(0);
+
+            if (choice == onceItem)
+            {
+                return NtlmSupport.Once;
+            }
+
+            if (choice == alwaysItem)
+            {
+                return NtlmSupport.Always;
+            }
+
+            return NtlmSupport.Disabled;
+        }
+
         public async Task<WindowsAuthenticationTypes> GetAuthenticationTypesAsync(Uri uri)
         {
             EnsureArgument.AbsoluteUri(uri, nameof(uri));

src/shared/Core/Constants.cs

@@ -31,6 +31,13 @@ public static class Constants
         /// </summary>
         public static readonly Guid MsaTransferTenantId = new("f8cdef31-a31e-4b4a-93e4-5f571e91255a");
 
+        public static class CredentialProtocol
+        {
+            public const string NtlmKey = "ntlm";
+            public const string NtlmSuppressed = "suppressed";
+            public const string NtlmAllow = "allow";
+        }
+
         public static class CredentialStoreNames
         {
             public const string WindowsCredentialManager = "wincredman";
@@ -191,6 +198,7 @@ public static class Http
                 public const string SslCaInfo = "sslCAInfo";
                 public const string SslAutoClientCert = "sslAutoClientCert";
                 public const string CookieFile = "cookieFile";
+                public const string AllowNtlmAuth = "allowNTLMAuth";
             }
 
             public static class Remote
@@ -232,6 +240,7 @@ public static class HelpUrls
             public const string GcmDefaultAccount      = "https://aka.ms/gcm/defaultaccount";
             public const string GcmMultipleUsers       = "https://aka.ms/gcm/multipleusers";
             public const string GcmUnsafeRemotes       = "https://aka.ms/gcm/unsaferemotes";
+            public const string GcmNtlm                = "https://aka.ms/gcm/ntlm";
         }
 
         private static Version _gcmVersion;

src/shared/Core/GenericHostProvider.cs

@@ -183,11 +183,49 @@ await GetOAuthAccessToken(uri, input.UserName, oauthConfig, _context.Trace2)
                     }
                     else
                     {
-                        _context.Trace.WriteLine("Host supports WIA - generating empty credential...");
+                        _context.Trace.WriteLine("Host supports WIA.");
+
+                        var additionalProps = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+
+                        // Has Git suppressed its own built-in NTLM authentication support?
+                        if (input.TryGetArgument(Constants.CredentialProtocol.NtlmKey, out string ntlmArg) &&
+                            StringComparer.OrdinalIgnoreCase.Equals(Constants.CredentialProtocol.NtlmSuppressed, ntlmArg))
+                        {
+                            _context.Trace.WriteLine("NTLM support has been suppressed by Git - showing warning.");
+
+                            // Show a warning that NTLM authentication will not work without Git's built-in support
+                            // and ask the user what they want to do about it.
+                            NtlmSupport ntlmSupport = await _winAuth.AskEnableNtlmAsync(uri);
+                            switch (ntlmSupport)
+                            {
+                                case NtlmSupport.Once:
+                                    _context.Trace.WriteLine("Enabling NTLM support just once.");
+                                    additionalProps[Constants.CredentialProtocol.NtlmKey] =
+                                        Constants.CredentialProtocol.NtlmAllow;
+                                    break;
+
+                                case NtlmSupport.Always:
+                                    _context.Trace.WriteLine($"Enabling NTLM support for {uri}.");
+                                    additionalProps[Constants.CredentialProtocol.NtlmKey] =
+                                        Constants.CredentialProtocol.NtlmAllow;
+                                    EnableNtlmSupport(uri);
+                                    break;
+
+                                default:
+                                    _context.Trace.WriteLine("User declined to enable NTLM support. Showing basic auth prompt.");
+                                    return new GetCredentialResult(
+                                        await _basicAuth.GetCredentialsAsync(uri.AbsoluteUri, null)
+                                    );
+                            }
+                        }
 
                         // WIA is signaled to Git using an empty username/password
+                        _context.Trace.WriteLine("Returning empty username/password to trigger current user auth with WIA.");
                         ICredential creds = new GitCredential(string.Empty, string.Empty);
-                        return new GetCredentialResult(creds);
+                        return new GetCredentialResult(creds)
+                        {
+                            AdditionalProperties = additionalProps
+                        };
                     }
                 }
                 else
@@ -208,6 +246,21 @@ await _basicAuth.GetCredentialsAsync(uri.AbsoluteUri, input.UserName)
             );
         }
 
+        private void EnableNtlmSupport(Uri uri)
+        {
+            string url = uri.AbsoluteUri.TrimEnd('/');
+            IGitConfiguration config = _context.Git.GetConfiguration();
+            string key = $"{Constants.GitConfiguration.Http.SectionName}.{url}.{Constants.GitConfiguration.Http.AllowNtlmAuth}";
+
+            try
+            {
+                config.Set(GitConfigurationLevel.Global, key, "true");
+            }
+            catch (Exception ex)
+            {
+                _context.Trace.WriteLine($"Failed to set Git configuration to enable NTLM support for {uri}");
+                _context.Trace.WriteException(ex);
+            }
         }
 
         private async Task<ICredential> GetOAuthAccessToken(Uri remoteUri, string userName, GenericOAuthConfig config, ITrace2 trace2)

src/shared/Core/UI/ViewModels/EnableNtlmViewModel.cs

@@ -0,0 +1,68 @@
+using System.Windows.Input;
+using GitCredentialManager.Authentication;
+
+namespace GitCredentialManager.UI.ViewModels;
+
+public class EnableNtlmViewModel : WindowViewModel
+{
+    private readonly ISessionManager _sessionManager;
+
+    private string _url;
+    private ICommand _onceCommand;
+    private ICommand _alwaysCommand;
+    private ICommand _noCommand;
+    private ICommand _learnMoreCommand;
+
+    public EnableNtlmViewModel()
+    {
+        // For designer only
+    }
+    
+    public EnableNtlmViewModel(ISessionManager sessionManager) : this()
+    {
+        _sessionManager = sessionManager;
+
+        OnceCommand = new RelayCommand(() => SelectOption(NtlmSupport.Once));
+        AlwaysCommand = new RelayCommand(() => SelectOption(NtlmSupport.Always));
+        NoCommand = new RelayCommand(() => SelectOption(NtlmSupport.Disabled));
+        LearnMoreCommand = new RelayCommand(() => sessionManager.OpenBrowser(Constants.HelpUrls.GcmNtlm));
+    }
+
+    private void SelectOption(NtlmSupport option)
+    {
+        SelectedOption = option;
+        Accept();
+    }
+
+    public NtlmSupport SelectedOption { get; private set; }
+
+    public string Url
+    {
+        get => _url;
+        set => SetAndRaisePropertyChanged(ref _url, value);
+    }
+
+    public ICommand OnceCommand
+    {
+        get => _onceCommand;
+        set => SetAndRaisePropertyChanged(ref _onceCommand, value);
+    }
+
+    public ICommand AlwaysCommand
+    {
+        get => _alwaysCommand;
+        set => SetAndRaisePropertyChanged(ref _alwaysCommand, value);
+    }
+
+    public ICommand NoCommand
+    {
+        get => _noCommand;
+        set => SetAndRaisePropertyChanged(ref _noCommand, value);
+    }
+
+    public ICommand LearnMoreCommand
+    {
+        get => _learnMoreCommand;
+        set => SetAndRaisePropertyChanged(ref _learnMoreCommand, value);
+    }
+}