[3512] in WWW Security List Archive
Re: REMOTE_USER
daemon@ATHENA.MIT.EDU (Brian W. Spolarich)
Mon Nov 11 14:35:44 1996
Date: Mon, 11 Nov 1996 11:33:37 -0500 (EST)
From: "Brian W. Spolarich" <briansp@ans.net>
To: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SOL.3.91.961111053353.3393B-100000@sol.star.bris.ac.uk>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 11 Nov 1996, Steff Watkins wrote:
| I have had this problem earlier with the NCSA webserver. However I found
| that, with the NCSA webserver, I could use the REMOTE_USER environment
| variable if I configured my webserver with the following parameter in
| httpd.conf:
|
| IdentityCheck On
|
| This causes the webserver to do an ident callback and to get the remote
| system's idea of which user is currently calling in.

I would not recommend trusting or using the information returned via
identd. The concept of a "username" only has meaning on multiuser
systems, and identd can return any information the system manager decides
to have it send. Also, many (most?) systems don't run identd.

REMOTE_USER is intended to contain the username as provided by the user
after successfully authenticating to the HTTP server via HTTP Basic
authentication against whatever local username/password table the HTTP
server maintains.

-brian
--
Brian W. Spolarich - ANS Systems Development - briansp@ans.net - 313-677-7311
The net has fall'n upon me! I shall perish...
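
Added example, not part of the original message: a Python sketch of a CGI-side check that follows the distinction drawn in the reply, taking identity only from REMOTE_USER as set by the server after authentication and keeping any ident reply as an unverified, sanitized log hint. AUTH_TYPE and REMOTE_IDENT are the standard CGI/1.1 variable names and do not appear in the thread; the function names, the requirement that AUTH_TYPE accompany REMOTE_USER, and the sample environments are assumptions made for illustration.

```python
import re

# Anything outside printable, non-space ASCII is replaced before logging,
# because the ident reply is chosen entirely by the remote host.
_UNSAFE = re.compile(r"[^\x21-\x7e]")


def authenticated_user(environ):
    """Return the username the HTTP server authenticated, or None.

    Assumption: REMOTE_USER is trusted only when AUTH_TYPE is also set,
    i.e. the server itself checked the credentials. REMOTE_IDENT is never
    used as a fallback.
    """
    auth_type = environ.get("AUTH_TYPE", "").strip()
    user = environ.get("REMOTE_USER", "").strip()
    return user if auth_type and user else None


def ident_hint(environ, max_len=32):
    """Return the ident reply made safe for one log line, or None."""
    raw = environ.get("REMOTE_IDENT", "")
    return _UNSAFE.sub("?", raw)[:max_len] if raw else None


def access_decision(environ):
    """Decide on REMOTE_USER alone; carry the ident value only as a hint."""
    user = authenticated_user(environ)
    return {
        "allow": user is not None,
        "user": user,
        "ident_unverified": ident_hint(environ),
    }


# Constructed sample CGI environments (not taken from the thread).
SAMPLES = {
    "basic_auth": {"AUTH_TYPE": "Basic", "REMOTE_USER": "alice"},
    "ident_only": {"REMOTE_IDENT": "root"},
    "ident_with_newline": {"REMOTE_IDENT": "root\nadmin ok"},
    "user_without_auth_type": {"REMOTE_USER": "alice"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(name, access_decision(env))
```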