SSL Authentication
Description
This plugin allows authentication of users by making use of SSL client certificates.
Bugs/Feature Requests
Existing bugs and feature requests for SslAuthenticationPlugin are here.
If you have any issues, create a new ticket.
defect: 1 / 1
Download
Download the zipped source from here.
Source
Check out using Subversion, or browse the source with Trac.
Example
On Trac 0.10 the plugin only works after a patch has been applied to Trac itself (the Trac 0.11 version of the plugin replaces the affected routine at runtime instead and needs no patch). The patch below is against 0.10.4-2; the -2 is the Debian package revision:
trac/web/main.py
diff -Nur /usr/share/python-support/trac/trac/web/main.py /var/lib/python-support/python2.4/trac/web/main.py
old new 180 180 if not getattr(chosen_handler, 'anonymous_request', False): 181 181 try: 182 182 req.authname = self.authenticate(req) 183 req.perm = PermissionCache(self.env, req.authname) 183 try: 184 req.perm = PermissionCache(self.env, req.perm_user) 185 except AttributeError: 186 req.perm = PermissionCache(self.env, req.authname) 184 187 req.session = Session(self.env, req) 185 188 req.form_token = self._get_form_token(req) 186 189 except:
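Review bot: the `try: req.perm = PermissionCache(self.env, req.perm_user)` / `except AttributeError:` guard catches more than the missing attribute it is meant to detect; an AttributeError raised inside PermissionCache itself, or by a malformed `perm_user`, is swallowed and the call is silently repeated with `req.authname`, which hides the bug. Narrow the guard to the attribute lookup, e.g. `req.perm = PermissionCache(self.env, getattr(req, 'perm_user', req.authname))`. The hunk also deserves a comment on the identity split it introduces: `req.perm` may now be built for a different principal than `req.authname`, while the following `req.session = Session(self.env, req)` and `req.form_token` are still keyed on `authname`, so the plugin's authenticator must keep the two consistent or permissions and session identity will diverge.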
When this patch is applied, you can use a virtual host config section similar to this (assuming you're using Apache):
```apache
<VirtualHost *:443>
    ServerName trac.example.org
    Alias /chrome/common /usr/share/trac/htdocs

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/trac.example.org_publickey.pem
    SSLCertificateKeyFile /etc/apache2/ssl/trac.example.org_privatekey.pem
    # I use CACert's root certificate, you can get it from here: http://www.cacert.org/index.php?id=3
    # Every CA in this file can issue certificates that log users in, so list only CAs you trust for that.
    SSLCACertificateFile /etc/apache2/ssl/CACert_class_1_and_3.pem
    # No client certificate is requested for the rest of the vhost; the Trac location below overrides this.
    SSLVerifyClient none
    SSLOptions -StrictRequire

    <Directory "/usr/share/trac/htdocs">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Location "/test">
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnv /var/trac/test
        # Must match the <Location> path above.
        PythonOption TracUriRoot /test/

        # Authentication
        # Require an SSL connection to access this location.
        SSLRequireSSL
        # Ask the browser for a client certificate but do not insist on one ("optional");
        # requests without a certificate still reach Trac and fall back to Basic auth or
        # anonymous. Accept chains of at most 2 CA certificates above the client certificate.
        SSLVerifyClient optional
        SSLVerifyDepth 2
        # Export the SSL_* environment variables, including the client certificate
        # data the plugin reads the e-mail address from.
        SSLOptions +StdEnvVars
        # Require SSLRequireSSL above and the SSLRequire directive below to succeed;
        # if either fails Apache refuses access to this location.
        SSLOptions +StrictRequire
        # Only allow cipher suites with a key size of at least 128 bits.
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Location>

    # Still allow Basic HTTP authentication for users without a certificate.
    <Location "/test/login">
        AuthType Basic
        AuthName "Test Trac"
        AuthUserFile /etc/apache2/passwd/trac.example.org/test.passwd
        Require valid-user
    </Location>

    CustomLog /var/log/apache2/trac.example.org/access.log combined
    ErrorLog /var/log/apache2/trac.example.org/error.log
</VirtualHost>
```
With the plugin installed and enabled (and, on Trac 0.10, the patch applied), a browser that presents a client certificate issued by one of the CAs in SSLCACertificateFile is logged in automatically under the e-mail address in that certificate. Because the e-mail address is the identity, a login is only as trustworthy as the issuing CA's checks: CAcert's class 1 certificates are issued on proof of control of the e-mail address, so every CA listed in SSLCACertificateFile is effectively an identity provider for the site, and the file should contain only the ones you intend to accept.
You can create a client certificate for yourself at CACert.
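The following is an added illustration, not the plugin's code (which the page does not show), of how a login name can be derived from the variables mod_ssl exports when `SSLOptions +StdEnvVars` is set. The variable names `HTTPS`, `SSL_CLIENT_VERIFY`, `SSL_CLIENT_I_DN` and `SSL_CLIENT_S_DN_Email` are mod_ssl's standard ones; which of them the real plugin reads is not stated on the page. The issuer DN and the request dictionaries are constructed sample values. The point it demonstrates is the two checks that matter once `SSLVerifyClient optional` lets certificate-less requests through: the certificate e-mail is used only when Apache reports the chain as verified, and only when the issuer is one you chose to accept, with everything else falling back to Basic auth or anonymous exactly as the configuration above arranges.

```python
"""Added example, not the plugin's own code: map mod_ssl's client-certificate
environment variables to a Trac-style login name.

Assumptions: Apache is configured as on this page (SSLVerifyClient optional,
SSLOptions +StdEnvVars); the variable names are mod_ssl's standard ones.
"""

# Example issuer DN (an assumption; substitute the issuer DN of the CA whose
# certificates you want to accept as login credentials).
EXAMPLE_ISSUER = "/O=Example CA/CN=Example Client CA"
TRUSTED_ISSUERS = frozenset({EXAMPLE_ISSUER})


def cert_user(environ, trusted_issuers=TRUSTED_ISSUERS):
    """Return the e-mail address from a verified client certificate, or None.

    SSL_CLIENT_VERIFY is "NONE" when the browser sent no certificate (allowed
    by SSLVerifyClient optional) and can be "FAILED:..." under optional_no_ca,
    where the subject fields are still exported, so the verification result is
    checked before any subject field is trusted.
    """
    if environ.get("HTTPS") != "on":
        return None
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # SSLCACertificateFile may hold more roots than you want to act as an
    # identity provider (the page's bundle holds CAcert class 1 and class 3).
    if environ.get("SSL_CLIENT_I_DN") not in trusted_issuers:
        return None
    email = environ.get("SSL_CLIENT_S_DN_Email", "").strip().lower()
    if "@" not in email:
        return None
    return email


def authenticate(environ):
    """Order used on this page: certificate e-mail first, then the Basic-auth
    user Apache placed in REMOTE_USER for /test/login, otherwise anonymous."""
    user = cert_user(environ)
    if user is not None:
        return user
    return environ.get("REMOTE_USER") or "anonymous"


# Constructed sample requests (not captured from a real server).
SAMPLE_CERT_REQUEST = {
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": EXAMPLE_ISSUER,
    "SSL_CLIENT_S_DN_Email": "Alice@Example.org",
}
SAMPLE_FAILED_CERT_REQUEST = {
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "FAILED:self signed certificate",
    "SSL_CLIENT_I_DN": EXAMPLE_ISSUER,
    "SSL_CLIENT_S_DN_Email": "mallory@example.org",
    "REMOTE_USER": "bob",
}

if __name__ == "__main__":
    print(authenticate(SAMPLE_CERT_REQUEST))         # alice@example.org
    print(authenticate(SAMPLE_FAILED_CERT_REQUEST))  # bob
```

The issuer allow-list is the part most easily forgotten: Apache's SSLCACertificateFile decides which chains verify, but nothing in the handshake distinguishes "verified under a CA I want as a login provider" from "verified under a CA I merely bundled", so the application has to make that distinction itself.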
Recent Changes
- 6136 by giel on 2009-07-01 09:51:58
  Use exception handling instead of an 'if' check to check for perm_user (e-mail address from SSL certificate):
  - This fixes a bug where non-SSL-cert authentication (but not anonymous) caused an exception (AttributeError) while trying to access req.perm_user while it didn't exist
- 6135 by giel on 2009-06-30 21:44:38
  Implement a version of the plugin that works with Trac 0.11
  - This version doesn't require patching of Trac's sources
  - Works through changing code at runtime (replacing a single routine of Trac)
- 6134 by giel on 2009-06-30 21:41:10
  Make the setup.py script executable
Author/Contributors
Author: giel
Maintainer: Giel van Schijndel
Contributors: