wiki:SslAuthenticationPlugin

Version 1 (modified by giel, 7 years ago) (diff)

New hack SslAuthenticationPlugin, created by giel

SSL Authentication

Description

This plugin allows authentication of users by making use of SSL client certificates.

Bugs/Feature Requests

Existing bugs and feature requests for SslAuthenticationPlugin are here.

If you have any issues, create a new ticket.

Download

Download the zipped source from here.

Source

You can check out SslAuthenticationPlugin from here using Subversion, or browse the source with Trac.

Example

Currently a small patch is required to be applied against Trac in order to get this working (this patch is against 10.4-2, the -2 represents a Debian package revision):

  • trac/web/main.py

    diff -Nur /usr/share/python-support/trac/trac/web/main.py /var/lib/python-support/python2.4/trac/web/main.py
    old new  
    180180            if not getattr(chosen_handler, 'anonymous_request', False):
    181181                try:
    182182                    req.authname = self.authenticate(req)
    183                     req.perm = PermissionCache(self.env, req.authname)
     183                    try:
     184                        if req.perm_user:
     185                            req.perm = PermissionCache(self.env, req.perm_user)
     186                        else:
     187                            req.perm = PermissionCache(self.env, req.authname)
     188                    except:
     189                        req.perm = PermissionCache(self.env, req.authname)
    184190                    req.session = Session(self.env, req)
    185191                    req.form_token = self._get_form_token(req)
    186192                except:

When this patch is applied you can use a virtual host config section similar to this (assuming you're using Apache):

<VirtualHost *:443>
    ServerName trac.example.org

    Alias /chrome/common /usr/share/trac/htdocs

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/trac.example.org_publickey.pem
    SSLCertificateKeyFile /etc/apache2/ssl/trac.example.org_privatekey.pem
    # I use CACert's root certificate, you can get it from here: http://www.cacert.org/index.php?id=3
    SSLCACertificateFile /etc/apache2/ssl/CACert_class_1_and_3.pem

    SSLVerifyClient none
    SSLOptions -StrictRequire

    <Directory "/usr/share/trac/htdocs">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Location "/test">
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnv /var/trac/test
        PythonOption TracUriRoot /personal/

        # Authentication
        # Require SSL connection to access this location
        SSLRequireSSL

        # Requires client verification, and verifies up to 2 intermediary CAs
        SSLVerifyClient optional
        SSLVerifyDepth 2

        # Creates additional environment variables including client certificate data
        SSLOptions +StdEnvVars
        # Requires the above SSLRequireSSL directive to be succesfull as well as
        # the SSLRequire directive below, if it isn't succesfull Apache will
        # refuse access to this page.
        SSLOptions +StrictRequire

        # Requires, that the client's CN and e-mail in the certificates equals one of the below
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Location>

    # Lets still allow basic HTTP authentication
    <Location "/test/login">
        AuthType Basic
        AuthName "Test Trac"
        AuthUserFile /etc/apache2/passwd/trac.example.org/test.passwd
        Require valid-user
    </Location>

    CustomLog /var/log/apache2/trac.example.org/access.log combined
    ErrorLog /var/log/apache2/trac.example.org/error.log
</VirtualHost>

If the plugin is installed and enabled, and the patch is applied, you will be able to automatically log in with the email address in your browser's client certificate.

You can create yourself a client certificate at CACert.

Recent Changes

[6136] by giel on 2009-07-01 11:51:58

Use exception handling instead of an 'if' check to check for perm_user (e-mail address from SSL certificate):

  • This fixes a bug where non-SSL-cert authentication (but not anonymous) caused an exception (AttributeError) while trying to access req.perm_user while it didn't exist
[6135] by giel on 2009-06-30 23:44:38

Implement a version of the plugin that works with Trac 0.11

  • This version doesn't require patching of Trac's sources
    • Works through changing code at runtime (replacing a single routine of Trac)
[6134] by giel on 2009-06-30 23:41:10
Make the setup.py script executable

Author/Contributors

Author: giel
Contributors: