[3522] in WWW Security List Archive


Re: Warning Re: REMOTE_USER

daemon@ATHENA.MIT.EDU (mark.e.von.weihe)
Wed Nov 13 07:54:11 1996

To: www-security <www-security@ns2.rutgers.edu>
From: "mark.e.von.weihe" <mark.e.von.weihe@ac.com>
Date: 13 Nov 96  4:11:23 
Errors-To: owner-www-security@ns2.rutgers.edu

I'm not well versed on the NCSA server, but I have a similar configuration on a 
Netscape Enterprise server.  It does basic authentication, and a CGI picks up 
the REMOTE_USER variable from the environment and uses it later.  This has been 
working well with the test clients I've connected.  Perhaps the NS 
configuration is quite different and doesn't need the host daemon you referred 
to?  Am I risking performance and broken connections with this configuration?

Any insights would be appreciated.
______________________________________________________________________
To: steff.watkins @ bristol.ac.uk (steff watkins)  @ internet
cc: www-security @ ns2.rutgers.edu  @ internet (bcc: Mark E. Von Weihe)
From: dwm @ xpasc.com ("David W. Morris") @ internet
Date: 11/12/96 04:03 AM
Subject: Warning Re: REMOTE_USER
______________________________________________________________________


On Mon, 11 Nov 1996, Steff Watkins wrote:

> On Fri, 8 Nov 1996, Andrea Di Fabio wrote:
> 
> > Has anyone successfully got this ENV variable to return something ??
> > If so, let me know how.
> > 
> > I have also tried to runas the apache 1.1.1 server from inetd,
> > and got the username to appear in the tcpwrappers ... but I did
> > not have any luck with SSI or CGI $ENV{'REMOTE_USER'}
> 
> Hello Andrea,
> 
>  I have had this problem earlier with the NCSA webserver. However I found 
> that, with the NCSA webserver, I could use the REMOTE_USER environment 
> variable if I configured my webserver with the following parameter in 
> httpd.conf:
> 
>             IdentityCheck On

This is a very bad idea in general. First it is at best a performance
problem. But worse, many hosts do not run the daemon required to
respond to the request that results from this configuration option.
This often results in an (ICMP) response which some TCP/IP implementations
use to reset ALL connections to/from the host which requested
the unsupported service. So your webserver can end up with many
unexpected broken connections.

Dave Morris
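
Added example (not part of the original thread, and in Python rather than the Perl the posters used): a CGI handler that acts on REMOTE_USER only when the server also reports AUTH_TYPE, and treats an ident-derived REMOTE_IDENT as unverified. The variable names are the standard CGI/1.1 ones; the function names and sample environments are hypothetical and constructed for illustration.

```python
import os

def caller_identity(env):
    """Return (name, trust) derived from CGI/1.1 environment variables.

    'authenticated': the server performed HTTP authentication, so both
                     AUTH_TYPE and REMOTE_USER are set.
    'unverified':    only REMOTE_IDENT is present; it comes from an
                     RFC 1413 ident lookup and is asserted by the
                     client host, not checked by the web server.
    'anonymous':     neither is available.
    """
    auth_type = env.get("AUTH_TYPE", "").strip()
    user = env.get("REMOTE_USER", "").strip()
    if auth_type and user:
        return user, "authenticated"
    ident = env.get("REMOTE_IDENT", "").strip()
    if ident:
        return ident, "unverified"
    return None, "anonymous"

def cgi_response(env):
    """Build the CGI response; only authenticated callers are served."""
    name, trust = caller_identity(env)
    if trust != "authenticated":
        return ("Status: 403 Forbidden\r\n"
                "Content-Type: text/plain\r\n\r\n"
                "Authentication required.\r\n")
    # Drop control characters before echoing the name back.
    safe = "".join(c for c in name if c.isprintable())
    return "Content-Type: text/plain\r\n\r\nHello, %s\r\n" % safe

# Constructed sample environments (not captured from a real server).
SAMPLE_BASIC = {"AUTH_TYPE": "Basic", "REMOTE_USER": "alice",
                "REMOTE_ADDR": "192.0.2.10"}
SAMPLE_IDENT = {"REMOTE_IDENT": "bob", "REMOTE_ADDR": "192.0.2.10"}
SAMPLE_USER_ONLY = {"REMOTE_USER": "mallory"}  # no AUTH_TYPE reported

if __name__ == "__main__":
    # Run under a web server as a CGI program: uses the real environment.
    print(cgi_response(os.environ), end="")
```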


