From: Iain Paton <ipaton0@gmail.com>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org
Subject: Re: git no longer prompting for password
Date: Sun, 26 Aug 2012 10:57:59 +0100 [thread overview]
Message-ID: <5039F327.9010003@gmail.com> (raw)
In-Reply-To: <20120825203904.GA10470@sigill.intra.peff.net>
On 25/08/12 21:39, Jeff King wrote:
> I think your regex is the culprit. The first request comes in with:
>
>>> GET /git/test.git/info/refs?service=git-receive-pack HTTP/1.1
>
> The odd URL is because we are probing to see if the server even supports
> smart-http. But note that it does not match your regex above, which
> requires "/git-receive-pack". It looks like that is pulled straight from
> the git-http-backend manpage. I think the change in v1.7.8 broke people
> using that configuration.
Yes, it was lifted straight out of the manpage, albeit a couple of years
ago now and there have been additions to the manpage since then.
I did check, and the basic config is identical in the current manpage.
I can't be the only one using a config that's based on the example in
the manpage surely ? So I'm surprised this hasn't come up previously.
> I tend to think the right thing is to fix the configuration (both on
> your system and in the documentation), but we should probably also fix
> git to handle this situation more gracefully, since it used to work and
> has been advertised in the documentation for a long time.
So after some head scratching trying to work out how to do the equivalent of
LocationMatch but on the query string I came up with the following:
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
<Directory /usr/libexec/git-core>
Require ip 10.44.0.0/16
<If "%{THE_REQUEST} =~ /git-receive-pack/">
AuthType Basic
AuthUserFile /data/git/htpasswd
AuthGroupfile /data/git/groups
AuthName "Git Access"
Require group committers
</If>
</Directory>
and I've removed the LocationMatch section completely.
So for accesses to git-http-backend I require auth if anything in the request
includes git-receive-pack and that causes a prompt for the username/password
as required, while at the same time it still allows anonymous pull.
It appears that the clone operation uses
GET /git/test.git/info/refs?service=git-upload-pack HTTP/1.1
to probe for smart-http ? So this would be ok ?
I'm not sure this is ideal, I don't really know enough about the protocol to know
if I'll see git-receive-pack elsewhere. Possibly if someone includes it in the
name of a repo it'll blow up in my face.
I can always change it to match only on QUERY_STRING and put the LocationMatch
back in if that happens.
If that's all that's required, I'm fine with an easy change to httpd.conf
Thanks for the help Jeff.
next prev parent reply other threads:[~2012-08-26 10:04 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-24 20:19 git no longer prompting for password Iain Paton
2012-08-24 21:25 ` Jeff King
[not found] ` <5038E781.1090008@gmail.com>
2012-08-25 20:39 ` Jeff King
2012-08-26 9:57 ` Iain Paton [this message]
2012-08-26 10:13 ` Jeff King
2012-08-26 14:18 ` Iain Paton
2012-08-27 13:21 ` [PATCH 0/8] fix password prompting for "half-auth" servers Jeff King
2012-08-27 13:23 ` [PATCH 1/8] t5550: put auth-required repo in auth/dumb Jeff King
2012-08-27 13:24 ` [PATCH 2/8] t5550: factor out http auth setup Jeff King
2012-08-27 13:24 ` [PATCH 3/8] t/lib-httpd: only route auth/dumb to dumb repos Jeff King
2012-08-27 13:25 ` [PATCH 4/8] t/lib-httpd: recognize */smart/* repos as smart-http Jeff King
2012-08-27 13:25 ` [PATCH 5/8] t: test basic smart-http authentication Jeff King
2012-08-27 13:25 ` [PATCH 6/8] t: test http access to "half-auth" repositories Jeff King
2012-08-27 13:26 ` [PATCH 7/8] http: factor out http error code handling Jeff King
2012-08-28 18:06 ` Junio C Hamano
2012-08-27 13:27 ` [PATCH 8/8] http: prompt for credentials on failed POST Jeff King
2012-08-27 17:48 ` Junio C Hamano
2012-08-27 21:49 ` Jeff King
2012-08-27 23:29 ` Junio C Hamano
2012-08-27 17:14 ` [PATCH 0/8] fix password prompting for "half-auth" servers Junio C Hamano
2012-08-27 8:28 ` git no longer prompting for password Iain Paton
2012-08-27 13:33 ` BJ Hargrave
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5039F327.9010003@gmail.com \
--to=ipaton0@gmail.com \
--cc=git@vger.kernel.org \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).