Posted to dev@subversion.apache.org by Graham Leggett <mi...@sharp.fm> on 2005/01/26 16:52:42 UTC

commit-email.pl and client certificates

Hi all,

I have just set up a v1.1.3 subversion server, protected via SSL + client
certs, and everything is working fine.

The commit-email.pl script however is listing the "Author" as blank in the
emails - how can I convince it to place the CN of the client certificate
into the author field?

Regards,
Graham
--


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: commit-email.pl and client certificates

Posted by Graham Leggett <mi...@sharp.fm>.
André Malo said:

> Nope. The idea behind this is to specify the particular client certs, that
> are authorized to access. You can use group and user authorization for fine
> grained access control.
>
> Hmm. mod_authn_anon in 2.1 knows about a userid wildcard (*), perhaps this
> should be backported to 2.0.

I am using httpd v2.1 - I'll investigate mod_authn_anon.

Regards,
Graham
--




Re: commit-email.pl and client certificates

Posted by André Malo <nd...@perlig.de>.
* "Graham Leggett" <mi...@sharp.fm> wrote:

> Ben Collins-Sussman said:
> 
> > Why don't you show us what you're doing?
> >
> > The docs (http://httpd.apache.org/docs-2.0/mod/mod_ssl.html) say that
> >
> >     SSLOptions +FakeBasicAuth
> 
> The above is exactly what I am doing - adding the FakeBasicAuth option to
> SSLOptions.
> 
> > Sounds like you'll need a password file.
> 
> Hmmm - if this is a prerequisite then httpd is broken. Issuing client
> certs and then duplicating the work by listing the client certs in a
> passwd file is extra administration we would rather avoid.

Nope. The idea behind this is to specify the particular client certs, that
are authorized to access. You can use group and user authorization for fine
grained access control.

Hmm. mod_authn_anon in 2.1 knows about a userid wildcard (*), perhaps this
should be backported to 2.0.

nd


Re: commit-email.pl and client certificates

Posted by Graham Leggett <mi...@sharp.fm>.
Ben Collins-Sussman said:

> Why don't you show us what you're doing?
>
> The docs (http://httpd.apache.org/docs-2.0/mod/mod_ssl.html) say that
>
>     SSLOptions +FakeBasicAuth

The above is exactly what I am doing - adding the FakeBasicAuth option to
SSLOptions.

> Sounds like you'll need a password file.

Hmmm - if this is a prerequisite then httpd is broken. Issuing client
certs and then duplicating the work by listing the client certs in a
passwd file is extra administration we would rather avoid.

I will follow this up on the httpd list, the auth split into authn and
authz should mean that client certs should be able to support authn
without the aid of another authn module.

Regards,
Graham
--



Re: commit-email.pl and client certificates

Posted by Ben Collins-Sussman <su...@collab.net>.
On Jan 27, 2005, at 4:12 AM, Graham Leggett wrote:

> Travis P said:
>
>>>   b) Try using the SSL "FakeBasicAuth" directive, which I believe
>>> copies the certificate CN into the basic-auth header of the http
>>> request.
>>
>> Ben said "or," but I think you probably want "and":  "Require
>> valid-user", so the challenge is always made and "FakeBasicAuth" so
>> that the basic-auth header is filled in with the full CN.
>
> Do you have an example of where this is used in practice? The httpd 
> docs
> only say that the FakeBasicAuth option exists, but it makes no mention 
> of
> how to use it. Simply adding the option does nothing - the author stays
> blank in the commit email - and adding require valid-user suddenly 
> draws
> in the need for a separate password file (which is redundant, that's 
> what
> certs and crls are for).
>
> Any ideas?
>

Why don't you show us what you're doing?

The docs (http://httpd.apache.org/docs-2.0/mod/mod_ssl.html) say that

    SSLOptions +FakeBasicAuth

..." When this option is enabled, the Subject Distinguished Name (DN) 
of the  Client X509 Certificate is translated into a HTTP Basic 
Authorization username. This means that the standard Apache 
authentication methods can  be used for access control. The user name 
is just the Subject of the  Client's X509 Certificate (can be 
determined by running OpenSSL's  openssl x509 command: openssl x509 
-noout -subject -in certificate.crt). Note that no password is  
obtained from the user. Every entry in the user file needs this 
password:  ``xxj31ZMTZzkVA'', which is the DES-encrypted version of the 
  word `password''. Those who live under MD5-based encryption  (for 
instance under FreeBSD or BSD/OS, etc.) should use the following MD5  
hash of the same word: ``$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/''".

Sounds like you'll need a password file.


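The configuration that the quoted mod_ssl passage implies, written out as an added example (it is not from any message in this thread and not from the httpd or Subversion projects). It combines the pieces the thread discusses: client certificate verification, `SSLOptions +FakeBasicAuth` to turn the certificate subject DN into a Basic Auth user name, and `Require valid-user` so that httpd actually runs the authentication step and attaches a user name to the request, which is what Subversion records as the author. The repository path, CA file names and the sample DN are assumed values.

```apache
# Added example, not from the thread. Paths, the CA/CRL file names and the
# DN shown in the comments are assumptions for illustration.
<Location /svn>
    DAV svn
    SVNPath /var/svn/repo

    # Only accept client certificates signed by our own CA (hypothetical
    # paths). The CRL keeps revoked certificates out without touching the
    # user file.
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt
    SSLCARevocationFile   /etc/httpd/ssl/client-ca.crl

    # Translate the certificate's subject DN into a Basic Auth user name.
    # mod_ssl supplies the fixed password "password" with it.
    SSLOptions +FakeBasicAuth

    # Without "Require valid-user" httpd never runs authn, no user name is
    # attached to the request, and svn stores an empty author. With it, the
    # DN is looked up in AuthUserFile, so every certificate subject that may
    # commit needs one line there.
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/httpd/svn-auth-users
    Require valid-user
</Location>

# Contents of /etc/httpd/svn-auth-users (assumed path). The user name is
# the subject DN exactly as mod_ssl formats it (the SSL_CLIENT_S_DN
# variable, slash-separated on httpd 2.0), and the hash is the DES
# crypt of "password" quoted in the mod_ssl docs above:
#
#   /C=ZA/O=Example/CN=Graham Leggett:xxj31ZMTZzkVA
#
# The DN for a given certificate can be read with
#   openssl x509 -noout -subject -in certificate.crt
# and the "subject=" prefix dropped.
```

Because the password is a constant, the user file is purely an authorization list of which certificate subjects may commit; it adds no second secret, which is why it can be managed like a group file rather than a password database.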

Re: commit-email.pl and client certificates

Posted by Graham Leggett <mi...@sharp.fm>.
Travis P said:

>>   b) Try using the SSL "FakeBasicAuth" directive, which I believe
>> copies the certificate CN into the basic-auth header of the http
>> request.
>
> Ben said "or," but I think you probably want "and":  "Require
> valid-user", so the challenge is always made and "FakeBasicAuth" so
> that the basic-auth header is filled in with the full CN.

Do you have an example of where this is used in practice? The httpd docs
only say that the FakeBasicAuth option exists, but it makes no mention of
how to use it. Simply adding the option does nothing - the author stays
blank in the commit email - and adding require valid-user suddenly draws
in the need for a separate password file (which is redundant, that's what
certs and crls are for).

Any ideas?

Regards,
Graham
--



Re: commit-email.pl and client certificates

Posted by Travis P <sv...@castle.fastmail.fm>.
On Jan 26, 2005, at 1:10 PM, Ben Collins-Sussman wrote:

> My guess is that you either want to
>
>   a) 'Require valid-user', so that the users not only need a 
> certificate, but need to login to apache with a password as well, 
> using a typical htpasswd user db.
>
> or
>
>   b) Try using the SSL "FakeBasicAuth" directive, which I believe 
> copies the certificate CN into the basic-auth header of the http 
> request.

Ben said "or," but I think you probably want "and":  "Require 
valid-user", so the challenge is always made and "FakeBasicAuth" so 
that the basic-auth header is filled in with the full CN.

-Travis



Re: commit-email.pl and client certificates

Posted by Ben Collins-Sussman <su...@collab.net>.
On Jan 26, 2005, at 1:03 PM, Graham Leggett wrote:

> Ben Collins-Sussman wrote:
>
>>> The commit-email.pl script however is listing the "Author" as blank 
>>> in the
>>> emails - how can I convince it to place the CN of the client 
>>> certificate
>>> into the author field?
>
>> It's not commit-email.pl's fault.  Run 'svn log'.  Notice that 
>> there's no author at all for the revisions!  Am I right?
>
> I couldn't tell you - I have no access to the SVN machine till 
> tomorrow morning.
>
> What would cause there to be no author at all for the revisions?
>

If you've not configured apache to demand a 'valid user', then there's 
no username associated with the commit.

Certificates are used to authenticate the link itself;  but that does 
mean the http request itself has a Basic Auth: header attached.  My 
guess is that you either want to

   a) 'Require valid-user', so that the users not only need a 
certificate, but need to login to apache with a password as well, using 
a typical htpasswd user db.

or

   b) Try using the SSL "FakeBasicAuth" directive, which I believe 
copies the certificate CN into the basic-auth header of the http 
request.



Re: commit-email.pl and client certificates

Posted by Graham Leggett <mi...@sharp.fm>.
Ben Collins-Sussman wrote:

>> The commit-email.pl script however is listing the "Author" as blank in 
>> the
>> emails - how can I convince it to place the CN of the client certificate
>> into the author field?

> It's not commit-email.pl's fault.  Run 'svn log'.  Notice that there's 
> no author at all for the revisions!  Am I right?

I couldn't tell you - I have no access to the SVN machine till tomorrow 
morning.

What would cause there to be no author at all for the revisions?

Regards,
Graham
--

Re: commit-email.pl and client certificates

Posted by Ben Collins-Sussman <su...@collab.net>.
On Jan 26, 2005, at 10:52 AM, Graham Leggett wrote:

> Hi all,
>
> I have just set up a v1.1.3 subversion server, protected via SSL + 
> client
> certs, and everything is working fine.
>
> The commit-email.pl script however is listing the "Author" as blank in 
> the
> emails - how can I convince it to place the CN of the client 
> certificate
> into the author field?
>

It's not commit-email.pl's fault.  Run 'svn log'.  Notice that there's 
no author at all for the revisions!  Am I right?

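Ben's diagnostic, turned into a small check as an added example (not code from the thread or from the Subversion project): parse the XML form of `svn log` and list every revision whose author is missing or blank, which is the symptom of httpd never attaching a user name to the commit. The log document embedded in the script is constructed for the example; the `svn_log_xml` helper that fetches a live log is hypothetical and takes whatever repository URL the caller supplies.

```python
"""Find revisions that were committed with no author recorded.

Added example, not from the thread. Uses only the standard library and
parses the output format of `svn log --xml`.
"""
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample of `svn log --xml` output: r1 carries an author, r2 has
# an empty <author/> element and r3 has no <author> element at all.
SAMPLE_LOG_XML = """<?xml version="1.0"?>
<log>
<logentry revision="3">
<date>2005-01-26T16:52:42.000000Z</date>
<msg>third commit</msg>
</logentry>
<logentry revision="2">
<author></author>
<date>2005-01-26T16:50:00.000000Z</date>
<msg>second commit</msg>
</logentry>
<logentry revision="1">
<author>/C=ZA/O=Example/CN=Graham Leggett</author>
<date>2005-01-26T16:40:00.000000Z</date>
<msg>first commit</msg>
</logentry>
</log>
"""


def authorless_revisions(log_xml: str) -> list[int]:
    """Return the revision numbers whose <author> is absent or whitespace."""
    root = ET.fromstring(log_xml)
    missing = []
    for entry in root.findall("logentry"):
        rev = int(entry.get("revision"))
        # findtext() gives None when the element is absent and "" when it
        # exists but is empty; both mean no author was stored.
        author = entry.findtext("author")
        if author is None or not author.strip():
            missing.append(rev)
    return sorted(missing)


def svn_log_xml(url: str, limit: int = 50) -> str:
    """Fetch the most recent log entries from a live repository.

    Hypothetical helper: the URL is whatever the caller passes in.
    """
    result = subprocess.run(
        ["svn", "log", "--xml", "--limit", str(limit), url],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    revs = authorless_revisions(SAMPLE_LOG_XML)
    print("revisions with no author:", revs)
```

If the list is non-empty for a repository served over https with client certificates, the fix is on the httpd side (the authentication step is not running), not in commit-email.pl, which only reports what the repository stored.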
