We use Trac in an enterprisey environment at NASA HQ that uses RSA two-factor token authentication. We'd like Trac to be able to authenticate against it, over its RADIUS protocol interface. RADIUS is frequently used by ISP and network access systems (e.g., WiFi routers) so is likely to be available in larger shops.
I've tried mod_auth_radius in Apache, and that works, except that:
- Sessions never time out despite the setting of the expiration value in mod_auth_radius, unless we protect the entire site so the RADIUS cookie is 'visible'
- We can't support sites with anonymous and authenticated users with session timeouts since auth protects only the /login URL, which is never returned to once authenticated.
So I've written an addition to AccountManagerPlugin (trunk) which allows you to authenticate from within Trac to a RADIUS server. I'm still testing but it seems to work.
It relies on the 'pyrad' library, which is available on PyPI, so I've included that in the setup.py install_requires setting. I'm unaware of a less-intrusive way to do this.
Do you want this code, and if so, how should I integrate it with yours?
Right now I'm developing it on GitHub: