= SSL Authentication =

== Description ==

This plugin allows authentication of users by making use of SSL client certificates.

== Bugs/Feature Requests ==

Existing bugs and feature requests for SslAuthenticationPlugin are [query:?status=new&status=assigned&status=reopened&group=&component=SslAuthenticationPlugin&order=priority here].

If you have any issues, create a [/newticket?component=SslAuthenticationPlugin&owner=giel new ticket].

== Download and Source ==

Download the [download:sslauthenticationplugin zipped source], check out [/svn/sslauthenticationplugin using Subversion], or [source:sslauthenticationplugin browse the source] with Trac.

== Example ==

Currently a small patch has to be applied to Trac to get this working (the patch is against 10.4-2; the -2 is the Debian package revision):

{{{
#!diff
diff -Nur /usr/share/python-support/trac/trac/web/main.py /var/lib/python-support/python2.4/trac/web/main.py
--- /usr/share/python-support/trac/trac/web/main.py 2007-05-30 03:23:40.000000000 +0200
+++ /var/lib/python-support/python2.4/trac/web/main.py 2008-04-26 21:55:45.000000000 +0200
@@ -180,7 +180,13 @@
             if not getattr(chosen_handler, 'anonymous_request', False):
                 try:
                     req.authname = self.authenticate(req)
-                    req.perm = PermissionCache(self.env, req.authname)
+                    try:
+                        if req.perm_user:
+                            req.perm = PermissionCache(self.env, req.perm_user)
+                        else:
+                            req.perm = PermissionCache(self.env, req.authname)
+                    except:
+                        req.perm = PermissionCache(self.env, req.authname)
                     req.session = Session(self.env, req)
                     req.form_token = self._get_form_token(req)
                 except:
}}}

When this patch is applied you can use a virtual host config section similar to this (assuming you're using Apache). The `<VirtualHost>`, `<Directory>` and `<Location>` containers below are reconstructed from the paths the directives refer to (the authentication block is assumed to apply to the same /personal/ location), so adjust them to your own layout:

{{{
#!apache
<VirtualHost *:443>
    ServerName trac.example.org
    Alias /chrome/common /usr/share/trac/htdocs

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/trac.example.org_publickey.pem
    SSLCertificateKeyFile /etc/apache2/ssl/trac.example.org_privatekey.pem
    # I use CACert's root certificate, you can get it from here: http://www.cacert.org/index.php?id=3
    SSLCACertificateFile /etc/apache2/ssl/CACert_class_1_and_3.pem
    SSLVerifyClient none
    SSLOptions -StrictRequire

    <Directory /usr/share/trac/htdocs>
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Location /personal/>
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnv /var/trac/test
        PythonOption TracUriRoot /personal/
    </Location>

    # Authentication
    <Location /personal/>
        # Require SSL connection to access this location
        SSLRequireSSL
        # Requires client verification, and verifies up to 2 intermediary CAs
        SSLVerifyClient optional
        SSLVerifyDepth 2
        # Creates additional environment variables including client certificate data
        SSLOptions +StdEnvVars
        # Requires the above SSLRequireSSL directive to be successful as well as
        # the SSLRequire directive below; if it isn't successful Apache will
        # refuse access to this page.
        SSLOptions +StrictRequire
        # The SSLRequire below only succeeds when the negotiated cipher uses a key of at least 128 bits
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
        # Let's still allow basic HTTP authentication
        AuthType Basic
        AuthName "Test Trac"
        AuthUserFile /etc/apache2/passwd/trac.example.org/test.passwd
        Require valid-user
    </Location>

    CustomLog /var/log/apache2/trac.example.org/access.log combined
    ErrorLog /var/log/apache2/trac.example.org/error.log
</VirtualHost>
}}}

If the plugin is installed and enabled, and the patch is applied, you will be able to log in automatically with the e-mail address in your browser's client certificate. You can create yourself a client certificate at [http://cacert.org/ CACert].

== Recent Changes ==

[[ChangeLog(sslauthenticationplugin, 3)]]

== Author/Contributors ==

'''Author:''' [wiki:giel] [[BR]]
'''Contributors:'''
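Review bot: on the main.py hunk in the Example section, the bare `except:` added after the new inner `try` catches far more than the missing `perm_user` attribute it exists to handle: a genuine failure inside `PermissionCache(self.env, req.perm_user)` is silently swallowed and the request continues with the permissions of `req.authname`, and `KeyboardInterrupt`/`SystemExit` are caught as well. Suggest replacing the inner try/except with an attribute lookup, e.g. `perm_user = getattr(req, 'perm_user', None) or req.authname` followed by `req.perm = PermissionCache(self.env, perm_user)`, which keeps the same fallback while letting real errors propagate to the existing outer `except:`. It would also help to document in the plugin where `req.perm_user` is set and why it can differ from `req.authname`.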
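The Apache block in the Example section exposes the client certificate to Trac through `SSLOptions +StdEnvVars`, and the main.py patch picks the user whose permissions are loaded. The following is an added example, not the plugin's own code, showing what a Trac authenticator has to check before it trusts the certificate e-mail (with `SSLVerifyClient optional` a request may carry no certificate at all, and with `optional_no_ca` one that never validated) and how the patch's perm_user fallback can be written without a bare `except`. `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_Email` are the variable names mod_ssl sets; `authname_from_environ`, `choose_perm_user`, `FakeRequest` and the sample environments are constructed for this example.

```python
# Added example (not part of SslAuthenticationPlugin): deriving a Trac
# username from the mod_ssl environment variables that
# "SSLOptions +StdEnvVars" exposes, and the patch's perm_user fallback done
# with getattr instead of a bare except.  Function, class and sample names
# are constructed for this example.

# Values mod_ssl puts in SSL_CLIENT_VERIFY:
#   NONE            no certificate was offered
#   SUCCESS         chain verified against SSLCACertificateFile
#   GENEROUS        accepted unverified (SSLVerifyClient optional_no_ca)
#   FAILED:<reason> certificate presented but rejected
VERIFIED = "SUCCESS"


def authname_from_environ(environ, anonymous="anonymous"):
    """Return the Trac username for a request, or ``anonymous``.

    ``environ`` is the per-request environment (``req.environ`` in Trac).
    The e-mail in the certificate subject is only trusted when mod_ssl
    reports that the chain verified; SSL_CLIENT_S_DN_Email on its own
    proves nothing, because it is also filled in for rejected or
    unverified certificates.
    """
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    email = environ.get("SSL_CLIENT_S_DN_Email", "").strip()
    if verify != VERIFIED or not email:
        return anonymous
    # Case-fold so the same certificate always maps to one Trac account.
    return email.lower()


class FakeRequest(object):
    """Stand-in for trac.web.api.Request carrying only the two attributes
    the patched main.py looks at (constructed for this example)."""

    def __init__(self, authname, perm_user=None):
        self.authname = authname
        if perm_user is not None:
            self.perm_user = perm_user


def choose_perm_user(req):
    """Same decision as the main.py patch on this page (use req.perm_user
    when the plugin set it, otherwise req.authname), but with getattr so
    that only a missing attribute triggers the fallback; a bare except
    would also hide a real error raised while building PermissionCache."""
    return getattr(req, "perm_user", None) or req.authname


if __name__ == "__main__":
    # Constructed sample environments: verified cert, no cert, rejected cert.
    samples = (
        {"SSL_CLIENT_VERIFY": "SUCCESS",
         "SSL_CLIENT_S_DN_Email": "Alice@Example.org"},
        {},
        {"SSL_CLIENT_VERIFY": "FAILED:self signed certificate",
         "SSL_CLIENT_S_DN_Email": "mallory@example.org"},
    )
    for env in samples:
        print("%s -> %s" % (env.get("SSL_CLIENT_VERIFY", "NONE"),
                            authname_from_environ(env)))
    print(choose_perm_user(FakeRequest("alice@example.org", "alice")))
```

Only the first sample yields a username; a missing certificate and a rejected one both fall back to `anonymous`, which is the behaviour the `SSLVerifyClient optional` setting requires the plugin to enforce itself, since Apache will not refuse those requests.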