wiki:SslAuthenticationPlugin

SSL Authentication

Description

This plugin allows authentication of users by making use of SSL client certificates.

Bugs/Feature Requests

Existing bugs and feature requests for SslAuthenticationPlugin are here.

If you have any issues, create a new ticket.

Download and Source

Download the zipped source, check out using Subversion, or browse the source with Trac.

Example

For Trac 0.10 only(!), a small patch is currently required to be applied against Trac in order to get this working (this patch is against 0.10.4-2, the -2 represents a Debian package revision):

  • trac/web/main.py

    diff -Nur /usr/share/python-support/trac/trac/web/main.py /var/lib/python-support/python2.4/trac/web/main.py
    old new  
    180180            if not getattr(chosen_handler, 'anonymous_request', False): 
    181181                try: 
    182182                    req.authname = self.authenticate(req) 
    183                     req.perm = PermissionCache(self.env, req.authname) 
     183                    try: 
     184                        req.perm = PermissionCache(self.env, req.perm_user) 
     185                    except AttributeError: 
     186                        req.perm = PermissionCache(self.env, req.authname) 
    184187                    req.session = Session(self.env, req) 
    185188                    req.form_token = self._get_form_token(req) 
    186189                except: 
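Review bot: wrapping the whole `PermissionCache(self.env, req.perm_user)` call in `except AttributeError` (new lines 183-186) is wider than the missing-attribute case it replaces the 'if' check for: an AttributeError raised inside PermissionCache itself would be swallowed and the request silently re-evaluated under req.authname. Read the attribute first, e.g. `perm_user = getattr(req, 'perm_user', req.authname)` followed by `req.perm = PermissionCache(self.env, perm_user)`, so only the absence of perm_user triggers the fallback. A short comment should also record that after this change req.perm may be built for a different identity (the certificate e-mail) than the one held in req.authname.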

When this patch is applied you can use a virtual host config section similar to this (assuming you're using Apache):

<VirtualHost *:443>
    ServerName trac.example.org

    Alias /chrome/common /usr/share/trac/htdocs

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/trac.example.org_publickey.pem
    SSLCertificateKeyFile /etc/apache2/ssl/trac.example.org_privatekey.pem
    # I use CACert's root certificate, you can get it from here: http://www.cacert.org/index.php?id=3
    SSLCACertificateFile /etc/apache2/ssl/CACert_class_1_and_3.pem

    SSLVerifyClient none
    SSLOptions -StrictRequire

    <Directory "/usr/share/trac/htdocs">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Location "/test">
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnv /var/trac/test
        PythonOption TracUriRoot /personal/

        # Authentication
        # Require SSL connection to access this location
        SSLRequireSSL

        # Ask for a client certificate (optional: a client that sends none is
        # still served and falls back to the Basic auth below); accept a chain
        # up to 2 levels deep, i.e. one intermediate CA between client and root
        SSLVerifyClient optional
        SSLVerifyDepth 2

        # Creates additional environment variables including client certificate data
        SSLOptions +StdEnvVars
        # Requires the above SSLRequireSSL directive to be successful as well as
        # the SSLRequire directive below; if either isn't successful Apache will
        # refuse access to this page.
        SSLOptions +StrictRequire

        # Requires a cipher with at least a 128-bit key
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Location>

    # Lets still allow basic HTTP authentication
    <Location "/test/login">
        AuthType Basic
        AuthName "Test Trac"
        AuthUserFile /etc/apache2/passwd/trac.example.org/test.passwd
        Require valid-user
    </Location>

    CustomLog /var/log/apache2/trac.example.org/access.log combined
    ErrorLog /var/log/apache2/trac.example.org/error.log
</VirtualHost>

If the plugin is installed and enabled, and the patch is applied, you will be able to automatically log in with the email address in your browser's client certificate.

You can create yourself a client certificate at CACert.
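As an added illustration (not the plugin's own code), the following shows how an authenticator can safely take the login name from the mod_ssl variables that `SSLOptions +StdEnvVars` exports for the /test Location, and how the patched PermissionCache lookup falls back to authname for non-certificate logins. The `Request` class, `authenticate` and `permission_subject` are hypothetical stand-ins for Trac's own; the SSL_CLIENT_* variable names are mod_ssl's.

```python
import re


class Request:
    """Minimal stand-in for trac.web.Request (constructed for this example)."""

    def __init__(self, environ, authname="anonymous"):
        self.environ = environ      # mod_python/WSGI environment
        self.authname = authname    # identity from cookie/Basic auth, if any


def certificate_email(environ):
    """Return the client-certificate e-mail only when mod_ssl verified the chain.

    SSL_CLIENT_VERIFY is NONE (no certificate sent, which "SSLVerifyClient
    optional" allows), FAILED:<reason>, GENEROUS or SUCCESS; only SUCCESS means
    the certificate chained to SSLCACertificateFile within SSLVerifyDepth.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    email = environ.get("SSL_CLIENT_S_DN_Email", "").strip().lower()
    # A verified certificate without an e-mail subject gives no usable identity.
    return email if re.match(r"^[^@\s]+@[^@\s]+$", email) else None


def authenticate(req):
    """Hypothetical authenticator: set req.perm_user from a verified certificate.

    Mirrors the patched main.py: perm_user exists only for certificate logins,
    so a Basic-auth or anonymous request keeps its original authname.
    """
    email = certificate_email(req.environ)
    if email is not None:
        req.perm_user = email
        req.authname = email
    return req.authname


def permission_subject(req):
    """Identity fed to PermissionCache, as in the patched try/except above."""
    try:
        return req.perm_user
    except AttributeError:
        return req.authname
```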

Recent Changes

[6136] by giel on 2009-07-01 11:51:58

Use exception handling instead of an 'if' check to check for perm_user (e-mail address from SSL certificate):

  • This fixes a bug where non-SSL-cert authentication (but not anonymous) caused an exception (AttributeError) while trying to access req.perm_user when it didn't exist

[6135] by giel on 2009-06-30 23:44:38

Implement a version of the plugin that works with Trac 0.11

  • This version doesn't require patching of Trac's sources
    • Works through changing code at runtime (replacing a single routine of Trac)

[6134] by giel on 2009-06-30 23:41:10

Make the setup.py script executable

Author/Contributors

Author: giel
Maintainer: giel
Contributors:

Last modified on May 14, 2013 2:14:03 AM