On Sun, Sep 30, 2012 at 10:35:35PM +0800, 乙酸鋰 wrote: > I use smart-http on Apache. > If nothing to be pushed / pulled, I do not want password to be > supplied. And allow git ls-remote to run without password > > *.git/info/refs?service=git-upload-pack > *.git/info/refs?service=git-receive-pack > > I only need authentication on > > *.git/git-upload-pack > *.git/git-receive-pack > > /etc/apache/httpd.conf > > <LocationMatch "^/git/.*/git-(upload|receive)-pack$"> > AuthType Basic > AuthName "staff only" > AuthUserFile /etc/apache/apache.pwd > Require valid-user > </LocationMatch> > > However this does not work. It does not ask for password at all. What is "it" in the final sentence? Does the server not tell the git client that authorization is required, and actually serve the request? If so, then that is a bug in your apache config. Or is it that the server tells git that it needs authorization, but git does not prompt, and instead just fails with "Authentication failed". In that case, the issue is that you need a newer git client. Traditionally the client expected to handle authentication during the initial "info/refs" request. I added support for handling authentication during later requests in commit b81401c, which is in git v1.7.11.7 and v1.7.12.1. You should reconsider whether this is what you really want, though. With the configuration you showed, anyone will be able to get a list of all refs and their sha1s. So they would know all your branch names, and they could even potentially find out what's in your branches by making offline guesses and comparing them to your branch sha1s (the feasibility of this would depend on exactly what you're storing). -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html