diff --git libpkg/fetch_libcurl.c libpkg/fetch_libcurl.c
index 87f96f08..cefe3b11 100644
--- libpkg/fetch_libcurl.c
+++ libpkg/fetch_libcurl.c
@@ -349,6 +349,7 @@ curl_fetch(struct pkg_repo *repo, int dest, struct fetch_item *fi)
 	struct http_mirror *http_current = NULL;
 	char *urlpath = NULL;
 	const char *relpath = NULL;
+	const char *userpasswd = getenv("HTTP_AUTH");
 
 	struct curl_repodata *cr = (struct curl_repodata *)repo->fetch_priv;
 
@@ -425,6 +426,11 @@ retry:
 		pkg_debug(1, "CURL> attempting to fetch from %s, left retry %ld\n",
 				lurl, retry);
 	}
+	if (userpasswd != NULL) {
+		curl_easy_setopt(cl, CURLOPT_HTTPAUTH, (long)CURLAUTH_ANY);
+		curl_easy_setopt(cl, CURLOPT_USERPWD, userpasswd);
+	}
+
 	if (repo->ip == IPV4)
 		curl_easy_setopt(cl, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
 	if (repo->ip == IPV6)
diff --git libpkg/private/utils.h libpkg/private/utils.h
index fc55ef24..5b28bab1 100644
--- libpkg/private/utils.h
+++ libpkg/private/utils.h
@@ -127,5 +127,6 @@ void hidden_tempfile(char *buf, int buflen, const char *path);
 void append_random_suffix(char *buf, int buflen, int suffixlen);
 char *json_escape(const char *str);
 struct tempdir *open_tempdir(int rootfd, const char *path);
+const char *get_http_auth(void);
 
 #endif
diff --git libpkg/utils.c libpkg/utils.c
index ecbdefae..0fbf9ed1 100644
--- libpkg/utils.c
+++ libpkg/utils.c
@@ -1003,7 +1003,6 @@ json_escape(const char *str)
 	return (xstring_get(buf));
 }
 
-
 struct tempdir *
 open_tempdir(int rootfd, const char *path)
 {
@@ -1050,3 +1049,25 @@ open_tempdir(int rootfd, const char *path)
 	errno = 0;
 	return (NULL);
 }
+
+const char *
+get_http_auth(void)
+{
+	const char *str = getenv("HTTP_AUTH");
+	if (str == NULL)
+		return (false);
+	if ((str = strchr(str, ':')) == NULL) {
+		pkg_emit_error("malformed HTTP_AUTH");
+		return (NULL);
+	}
+	if ((str = strchr(++str, ':')) == NULL) {
+		pkg_emit_error("malformed HTTP_AUTH");
+		return (NULL);
+	}
+	if (strchr(++str, ':') == NULL) {
+		pkg_emit_error("malformed HTTP_AUTH");
+		return (NULL);
+	}
+	return (str);
+}
+
diff --git tests/lib/utils.c tests/lib/utils.c
index 2ff27b90..f73a4d59 100644
--- tests/lib/utils.c
+++ tests/lib/utils.c
@@ -24,6 +24,7 @@
  */
 
 #include <atf-c.h>
+#include <atf-c/macros.h>
 #include <err.h>
 #include <fcntl.h>
 #include <private/utils.h>
@@ -32,6 +33,7 @@ ATF_TC_WITHOUT_HEAD(hidden_tempfile);
 ATF_TC_WITHOUT_HEAD(random_suffix);
 ATF_TC_WITHOUT_HEAD(json_escape);
 ATF_TC_WITHOUT_HEAD(open_tempdir);
+ATF_TC_WITHOUT_HEAD(get_http_auth);
 
 ATF_TC_BODY(hidden_tempfile, tc) {
 	const char *filename = "plop";
@@ -105,12 +107,29 @@ ATF_TC_BODY(open_tempdir, tc) {
 	free(t);
 }
 
+ATF_TC_BODY(get_http_auth, tc) {
+	unsetenv("HTTP_AUTH");
+	ATF_REQUIRE(get_http_auth() == NULL);
+	setenv("HTTP_AUTH", "plop", 1);
+	ATF_REQUIRE(get_http_auth() == NULL);
+
+	setenv("HTTP_AUTH", "basic:any", 1);
+	ATF_REQUIRE(get_http_auth() == NULL);
+
+	setenv("HTTP_AUTH", "basic:any:user", 1);
+	ATF_REQUIRE(get_http_auth() == NULL);
+
+	setenv("HTTP_AUTH", "basic:any:user:passwd", 1);
+	ATF_REQUIRE_STREQ(get_http_auth(), "user:passwd");
+}
+
 ATF_TP_ADD_TCS(tp)
 {
 	ATF_TP_ADD_TC(tp, hidden_tempfile);
 	ATF_TP_ADD_TC(tp, random_suffix);
 	ATF_TP_ADD_TC(tp, json_escape);
 	ATF_TP_ADD_TC(tp, open_tempdir);
+	ATF_TP_ADD_TC(tp, get_http_auth);
 
 	return (atf_no_error());
 }