On 10/11/11 22:59, Richard Hipp wrote:
> If you are using .htaccess style authentication for a Fossil instance on a
> website, you have to check the "Allow REMOTE_USER authentication" box on the
> /Admin/Access page to enable it. That's a little obscure. I wonder if we
> should just make Fossil honor REMOTE_USER by default when it is running as
> CGI. Are there any adverse security considerations here?
I would welcome the change.
For the administrators, one of those situations to watch out for is
translating a subject field to user REMOTE_USER (in the web server)
without client certificate chain verification. In practice, anyone who
is setting up an SSL enabled server should know about this issue.
Not a fossil issue; but an X509 + web server config issue.
--
Kind regards,
Jan Danielsson
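The web-server misconfiguration Jan describes, as an added Apache mod_ssl example that is not part of the thread or of the Fossil project; all file paths are placeholders. The first vhost copies the client certificate's subject CN into REMOTE_USER without verifying the certificate chain, the second verifies the chain against the issuing CA before the CN is trusted.

```apache
# --- Weak: subject CN becomes REMOTE_USER, but the chain is never verified ---
<VirtualHost *:443>
    SSLEngine on
    # Placeholder server certificate and key.
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # optional_no_ca: a client certificate is requested, but one that does
    # not chain to a trusted CA (including a self-signed one) is accepted.
    SSLVerifyClient optional_no_ca
    # Sets the request user from the certificate's CN, which CGI scripts
    # such as Fossil see as REMOTE_USER. With the line above, the client
    # alone decides what that CN is, so no identity is actually proven.
    SSLUserName SSL_CLIENT_S_DN_CN

    # Placeholder path to the Fossil CGI wrapper.
    ScriptAlias /fossil /var/www/cgi-bin/fossil.cgi
</VirtualHost>

# --- Corrected: verify the chain against the CA before trusting the CN ---
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Placeholder CA bundle: only certificates issued by this CA are accepted.
    SSLCACertificateFile /etc/ssl/certs/fossil-users-ca.pem
    # A valid, CA-signed client certificate is mandatory, not optional.
    SSLVerifyClient require
    # Depth 1 = signed directly by the CA; raise it if intermediates are used.
    SSLVerifyDepth  1

    <Location /fossil>
        SSLRequireSSL
        # The CN now only reaches REMOTE_USER through a verified chain.
        SSLUserName SSL_CLIENT_S_DN_CN
    </Location>

    ScriptAlias /fossil /var/www/cgi-bin/fossil.cgi
</VirtualHost>
```

Fossil itself still needs "Allow REMOTE_USER authentication" enabled on /Admin/Access, and the CN values must match existing Fossil user names.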
_______________________________________________
fossil-users mailing list
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users