Posted to dev@subversion.apache.org by "Martin v. Löwis" <ma...@v.loewis.de> on 2003/05/14 20:28:56 UTC

Logging SSL-authenticated users

When I authenticate to subversion using SSL client certificates, svn
log will report 'anonymous'.

Is there anything that can be done about this? I would prefer if
SSL_CLIENT_S_DN_CN would get logged.

Regards,
Martin


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Logging SSL-authenticated users

Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
Sander Striker wrote:

> Well, strictly speaking, for Apache, the user hasn't been authenticated
> yet (which is why r->user isn't set).  Only mod_authn_xxx sets r->user.

That strict interpretation is not practical, IMO. mod_ssl has 
authenticated the user, it can't get any better than that.
mod_ssl *does* perform authentication; this is one of its primary
purposes. It is irrelevant that it does not have the substring "authn" 
in its module name.

That is, of course, from an end-user perspective. If Apache
architects think it should work differently, I can adjust as long as
it can be made to work the way I want.

>>I think you are taking a too easy position here. It is probably the case 
>>that a better service could be established by changing Apache, so it is 
>>not necessarily the case that Subversion needs to change. However, I am 
>>now convinced that the behaviour I consider desirable cannot be achieved 
>>with the current Apache+Subversion code base,
> 
> 
> Yes it can.  You are just not willing to maintain a fake user file ;).

No. What I *really* want is to only get the CN in the SVN log. I don't
think I could achieve that, even if the fake user file would work as
designed.

> Things could be made easier, but on the Apache side, not the Subversion side.
> IMHO that is.

Hmm. Notice that, in general, there may be little interest on the Apache
side to change things. For Apache and its standard modules, all works 
fine: You can authenticate and authorize in all possible ways, and in 
cases where the resource contents depend on user identification (i.e.
in CGI cases), you can also properly identify the SSL-authenticated 
users, using the various mod_ssl environment variables.

So it is really just subversion that needs extended services, and it 
appears that these services could be implemented in subversion itself.

Regards,
Martin




RE: Logging SSL-authenticated users

Posted by Sander Striker <st...@apache.org>.
> From: Martin v. Lowis [mailto:martin@v.loewis.de]
> Sent: Thursday, May 15, 2003 10:09 AM

> Sander Striker wrote:
> 
> > Okay, just for the record, this thread is all about Apache configuration
> > and has nothing to do with Subversion.  Ask yourself if the same would
> > apply if you want to [fill in thing you want] on a regular directory.
> 
> That is not the case. I believe Apache provides sufficient information,
> and Subversion fails to use it properly.
> 
> The same does *not* apply to a regular directory. In a regular 
> directory, the remote user is irrelevant once authorized, since all the 
> server does is to return the resource.

Well, strictly speaking, for Apache, the user hasn't been authenticated
yet (which is why r->user isn't set).  Only mod_authn_xxx sets r->user.
So, the way to go here is either create mod_authn_ssl, or add an option
to mod_ssl to tell it that the client cert is the authentication and
therefore it should set r->user.  I'd rather go for the first.

> Asking whether the same would apply to CGI, I find that this is more 
> similar: In a CGI script, I want to find out who the authenticated user 
> was, and want to make use of this. Apache and mod_ssl give me the power 
> to do so, by querying the SSL_CLIENT_S_DN_CN environment variable.

> I'm asking that mod_dav_svn retrieves the SSL subject if available and 
> uses that if no user has been set.

-1.  mod_dav_svn shouldn't make that assumption IMO.
 
>> Nevertheless, we probably should mention something about this specific
>> question in the book...
> 
> I think you are taking a too easy position here. It is probably the case 
> that a better service could be established by changing Apache, so it is 
> not necessarily the case that Subversion needs to change. However, I am 
> now convinced that the behaviour I consider desirable cannot be achieved 
> with the current Apache+Subversion code base,

Yes it can.  You are just not willing to maintain a fake user file ;).

> and could be achieved by changing subversion.
> 
> I'm not asking for help in properly configuring Subversion: I can indeed 
> read documentation myself, and I can also read source code if 
> documentation is inconclusive. I'm asking for changes to Subversion.

Things could be made easier, but on the Apache side, not the Subversion side.
IMHO that is.


Sander


Re: Logging SSL-authenticated users

Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
Sander Striker wrote:

> Okay, just for the record, this thread is all about Apache configuration
> and has nothing to do with Subversion.  Ask yourself if the same would
> apply if you want to [fill in thing you want] on a regular directory.

That is not the case. I believe Apache provides sufficient information,
and Subversion fails to use it properly.

The same does *not* apply to a regular directory. In a regular 
directory, the remote user is irrelevant once authorized, since all the 
server does is to return the resource.

Asking whether the same would apply to CGI, I find that this is more 
similar: In a CGI script, I want to find out who the authenticated user 
was, and want to make use of this. Apache and mod_ssl give me the power 
to do so, by querying the SSL_CLIENT_S_DN_CN environment variable.

I'm asking that mod_dav_svn retrieves the SSL subject if available and 
uses that if no user has been set.

> Nevertheless, we probably should mention something about this specific
> question in the book...

I think you are taking a too easy position here. It is probably the case 
that a better service could be established by changing Apache, so it is 
not necessarily the case that Subversion needs to change. However, I am 
now convinced that the behaviour I consider desirable cannot be achieved 
with the current Apache+Subversion code base, and could be achieved by 
changing subversion.

I'm not asking for help in properly configuring Subversion: I can indeed 
read documentation myself, and I can also read source code if 
documentation is inconclusive. I'm asking for changes to Subversion.

Regards,
Martin




RE: Logging SSL-authenticated users

Posted by Sander Striker <st...@apache.org>.
> From: martin@v.loewis.de [mailto:martin@v.loewis.de]
> Sent: Thursday, May 15, 2003 9:20 AM

> Ben Collins-Sussman <su...@collab.net> writes:
> 
>> Well, try requiring basic http auth then.  The name/password will go
>> over the encrypted SSL link.  No need for a user-file, I suspect.

Okay, just for the record, this thread is all about Apache configuration
and has nothing to do with Subversion.  Ask yourself if the same would
apply if you want to [fill in thing you want] on a regular directory.

The apache documentation should be more than enough to figure this
stuff out:

  http://httpd.apache.org/docs-2.0/

And if not, there are lots of HOWTOs floating about.

If it still isn't apparent how you need to solve your problem you should
be able to find an appropriate list after reading this section:

   http://httpd.apache.org/lists.html#http-users


Then there is also the #apache channel on irc.freenode.org.


Nevertheless, we probably should mention something about this specific
question in the book...


Sander


Re: Logging SSL-authenticated users

Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
Ben Collins-Sussman <su...@collab.net> writes:

> Well, try requiring basic http auth then.  The name/password will go
> over the encrypted SSL link.  No need for a user-file, I suspect.

If I do

<Location /playground>
  SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
  DAV svn
  SVNPath /export/svn/playground
  SVNAutoversioning on
  AuthType Basic
  AuthName "playground subversion"
  require valid-user
</Location>

svn asks me for a user/password combination, and then gives

svn: OPTIONS request failed on '/playground/trunk'
svn: OPTIONS of '/playground/trunk': 500 Internal Server Error

and the following line is logged

[Thu May 15 09:05:14 2003] [crit] [client 141.89.224.131] configuration error:  couldn't check user.  No user file?: /playground/trunk

If I add

  SSLOptions +FakeBasicAuth

svn stops asking for user/password, but still gives the same error

If I add a fake user file (which I really don't want to do), listing
my DN, I get from the SVN client

Transmitting file data .svn: RA layer request failed
svn: Commit failed (details follow):
svn: MERGE request failed on '/playground/trunk'
svn: MERGE of '/playground/trunk': 403 Forbidden

On the server side, the following actions are logged

xxx.xx.xxx.xxx - /C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=Martin von Loewis/emailAddress=Martin.vonLoewis@hpi.uni-potsdam.de [15/May/2003:09:16:50 +0200] "OPTIONS /playground/trunk HTTP/1.1" 200 190
xxx.xx.xxx.xxx - /C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=Martin von Loewis/emailAddress=Martin.vonLoewis@hpi.uni-potsdam.de [15/May/2003:09:16:50 +0200] "MKACTIVITY /playground/!svn/act/4af442b6-aebd-0310-8621-eeb8e8721fd5 HTTP/1.1" 201 346
xxx.xx.xxx.xxx - /C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=Martin von Loewis/emailAddress=Martin.vonLoewis@hpi.uni-potsdam.de [15/May/2003:09:16:51 +0200] "PROPFIND /playground/trunk HTTP/1.1" 207 425
xxx.xx.xxx.xxx - /C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=Martin von Loewis/emailAddress=Martin.vonLoewis@hpi.uni-potsdam.de [15/May/2003:09:16:51 +0200] "PROPFIND /playground/!svn/vcc/default HTTP/1.1" 207 386
xxx.xx.xxx.xxx - /C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=Martin von Loewis/emailAddress=Martin.vonLoewis@hpi.uni-potsdam.de [15/May/2003:09:16:51 +0200] "CHECKOUT /playground/!svn/bln/15 HTTP/1.1" 201 361
xxx.xx.xxx.xxx - /C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=Martin von Loewis/emailAddress=Martin.vonLoewis@hpi.uni-potsdam.de [15/May/2003:09:16:51 +0200] "PROPPATCH /playground/!svn/wbl/4af442b6-aebd-0310-8621-eeb8e8721fd5/15 HTTP/1.1" 207 356
xxx.xx.xxx.xxx - /C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=Martin von Loewis/emailAddress=Martin.vonLoewis@hpi.uni-potsdam.de [15/May/2003:09:16:52 +0200] "PROPFIND /playground/trunk HTTP/1.1" 207 382
xxx.xx.xxx.xxx - /C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=Martin von Loewis/emailAddress=Martin.vonLoewis@hpi.uni-potsdam.de [15/May/2003:09:16:52 +0200] "CHECKOUT /playground/!svn/ver/15/trunk/test.txt HTTP/1.1" 201 373
xxx.xx.xxx.xxx - /C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=Martin von Loewis/emailAddress=Martin.vonLoewis@hpi.uni-potsdam.de [15/May/2003:09:16:52 +0200] "PUT /playground/!svn/wrk/4af442b6-aebd-0310-8621-eeb8e8721fd5/trunk/test.txt HTTP/1.1" 204 0
xxx.xx.xxx.xxx - /C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=Martin von Loewis/emailAddress=Martin.vonLoewis@hpi.uni-potsdam.de [15/May/2003:09:16:53 +0200] "MERGE /playground/trunk HTTP/1.1" 403 296

What gives?

Martin


Re: Logging SSL-authenticated users

Posted by Ben Collins-Sussman <su...@collab.net>.
martin@v.loewis.de (Martin v. Löwis) writes:

> Ben Collins-Sussman <su...@collab.net> writes:
> 
> > I wonder why the username field in the apache request_rec structure
> > isn't being filled in.  Maybe the server just needs to "require
> > valid-user"?
> 
> The user name (r->user) is not set because mod_ssl simply never sets
> it. Adding "require valid-user" doesn't help because it gives the error
> message 
> 
> configuration error:  couldn't perform authentication. AuthType not set!:

Well, try requiring basic http auth then.  The name/password will go
over the encrypted SSL link.  No need for a user-file, I suspect.

  AuthType Basic
  AuthName "Subversion repository"
  Require valid-user
  #### no need:  AuthUserFile /usr/local/svn/userfile





Re: Logging SSL-authenticated users

Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
Sander Striker wrote:

> Grmbl.  Indeed, mod_ssl sets the Authorization header internally,
> so you need to 'Require valid-user' as well, otherwise r->user won't
> get set.

Please see my response to Ben. If I do that, I also need AuthType Basic.
If I do that, I also need an AuthUserFile. If I do that, I get a
commit failure, as the MERGE request fails (even though earlier requests
in the same commit operation succeed). Apache logs my DN in these 
earlier requests, so at least that part seems to work.

However, even if it would work, it would be unsatisfying. I only want
the CN to show up in the SVN log. The full DN might be useful in a
global PKI, but is too verbose to identify users.

> mod_authn_ssl anyone? ;)

It may be the case that this can be fixed with a new module, or
with a new feature in the SSL module, e.g.

SSLUserName %{SSL_CLIENT_S_DN_CN}

However, I believe it can *also* be fixed inside mod_dav_svn, by
hard-coding a find-the-user strategy:
1. If req->user is non-null and non-empty, use that
2. If not, see if there is a SSL subject CN; if so, use that.
3. If not, see if there is a SSL subject Email; if so, use that.
4. If not, see if there is a SSL subject uid; if so, use that.
5. If not, log an anonymous access.

That strategy would satisfy my needs. If users would request
different strategies, you could still offer

SVNUserName %{SSL_CLIENT_S_DN_CN}

or, even more powerful

SVNUserName %{REMOTE_USER} or %{SSL_CLIENT_S_DN_CN} \
    or %{SSL_CLIENT_S_DN_Email}

Regards,
Martin



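The find-the-user strategy proposed in the message above, carried through in C as an added example; this is not code from Subversion, mod_dav_svn, mod_ssl or anyone in this thread. Because an Apache module cannot run stand-alone, it models the two request_rec pieces the thread talks about, r->user and the SSL_CLIENT_S_DN_* variables mod_ssl exports, with a constructed struct (hypothetical names: fake_request, env_entry, svn_author_for). It goes one step beyond the five-step list: when r->user already holds the full one-line DN that +FakeBasicAuth produces, it reduces that DN to its CN, which is what the poster says he actually wants in the log. The sample DN and e-mail address are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the request fields discussed in the thread:
 * r->user (set only by an Apache authn module, or by +FakeBasicAuth
 * together with "Require valid-user") and the SSL_* variables that
 * mod_ssl exports. Hypothetical stand-in, not httpd's real request_rec. */
typedef struct { const char *key, *value; } env_entry;
typedef struct {
    const char *user;        /* r->user, NULL when nothing authenticated */
    const env_entry *env;    /* {NULL,NULL}-terminated list of SSL_* vars */
} fake_request;

static const char *env_get(const fake_request *r, const char *key) {
    for (const env_entry *e = r->env; e && e->key; e++)
        if (strcmp(e->key, key) == 0) return e->value;
    return NULL;
}

static int nonempty(const char *s) { return s != NULL && s[0] != '\0'; }

/* Pull one attribute (e.g. "CN") out of an OpenSSL one-line DN such as
 * "/C=DE/O=Example Org/CN=Martin von Loewis/emailAddress=x@example.org".
 * Caveat: this format does not escape '/' inside values, so a CN that
 * itself contains a slash is truncated at it. Returns 1 on success,
 * 0 when the attribute is absent, empty, or too long for out. */
int dn_get_attr(const char *dn, const char *attr, char *out, size_t outlen) {
    size_t alen = strlen(attr);
    for (const char *p = dn; (p = strchr(p, '/')) != NULL; ) {
        p++;                                  /* skip the '/' separator */
        if (strncmp(p, attr, alen) == 0 && p[alen] == '=') {
            const char *v = p + alen + 1;
            const char *end = strchr(v, '/');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen == 0 || vlen >= outlen) return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}

/* The proposed lookup order: r->user, then SSL subject CN, Email, UID,
 * then "anonymous". Added twist: if r->user is a full DN (what
 * +FakeBasicAuth puts there), reduce it to its CN. buf receives any CN
 * parsed out of a DN; the returned pointer may point into buf. */
const char *svn_author_for(const fake_request *r, char *buf, size_t buflen) {
    const char *v;
    if (nonempty(r->user)) {
        if (r->user[0] == '/' && dn_get_attr(r->user, "CN", buf, buflen))
            return buf;
        return r->user;
    }
    if (nonempty(v = env_get(r, "SSL_CLIENT_S_DN_CN")))    return v;
    if (nonempty(v = env_get(r, "SSL_CLIENT_S_DN_Email"))) return v;
    if (nonempty(v = env_get(r, "SSL_CLIENT_S_DN_UID")))   return v;
    return "anonymous";
}

/* Constructed sample environments for the scenarios in the thread. */
static const env_entry cert_env[] = {
    {"SSL_CLIENT_VERIFY", "SUCCESS"},
    {"SSL_CLIENT_S_DN", "/C=DE/L=Potsdam/O=Example Org/OU=OSM"
                        "/CN=Martin von Loewis/emailAddress=martin@example.org"},
    {"SSL_CLIENT_S_DN_CN", "Martin von Loewis"},
    {"SSL_CLIENT_S_DN_Email", "martin@example.org"},
    {NULL, NULL}
};
static const env_entry no_cn_env[] = {
    {"SSL_CLIENT_S_DN_Email", "martin@example.org"}, {NULL, NULL}
};
static const env_entry empty_env[] = { {NULL, NULL} };

/* Scenario 1: verified client cert, no AuthType, so r->user is unset. */
const char *author_cert_only(void) {
    static char buf[256];
    fake_request r = { NULL, cert_env };
    return svn_author_for(&r, buf, sizeof buf);
}
/* Scenario 2: +FakeBasicAuth plus Require valid-user; r->user is the DN. */
const char *author_fake_basic(void) {
    static char buf[256];
    fake_request r = { cert_env[1].value, cert_env };
    return svn_author_for(&r, buf, sizeof buf);
}
/* Subject without a CN: falls through to the e-mail address. */
const char *author_email_fallback(void) {
    static char buf[256];
    fake_request r = { NULL, no_cn_env };
    return svn_author_for(&r, buf, sizeof buf);
}
/* No authentication at all: logged as anonymous. */
const char *author_anonymous(void) {
    static char buf[256];
    fake_request r = { NULL, empty_env };
    return svn_author_for(&r, buf, sizeof buf);
}

int main(void) {
    printf("cert only     : %s\n", author_cert_only());
    printf("fake basic    : %s\n", author_fake_basic());
    printf("email fallback: %s\n", author_email_fallback());
    printf("no auth       : %s\n", author_anonymous());
    return 0;
}
```

The DN parser is the part to be careful with: the one-line subject format has no escaping for '/', so an author name taken from a certificate should come from the individual SSL_CLIENT_S_DN_CN variable wherever mod_ssl provides it, with parsing of the full DN only as the fallback for the FakeBasicAuth case.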

RE: Logging SSL-authenticated users

Posted by Sander Striker <st...@apache.org>.
> From: Martin v. Lowis [mailto:martin@v.loewis.de]
> Sent: Thursday, May 15, 2003 10:01 AM

> Sander Striker wrote:
> > FakeBasicAuth 
> [...]
> > So apparently your cert's Subject DN is empty.
> 
> Notice that this conclusion, strictly speaking, is invalid:
> All the documentation says is that the standard Basic auth mechanism 
> then works. It does *not* state that req->user is set to the DN,
> which is what mod_dav_svn uses.

/me looks at code...

Grmbl.  Indeed, mod_ssl sets the Authorization header internally,
so you need to 'Require valid-user' as well, otherwise r->user won't
get set.

mod_authn_ssl anyone? ;)

Sander


Re: Logging SSL-authenticated users

Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
Sander Striker wrote:
> FakeBasicAuth 
[...]
> So apparently your cert's Subject DN is empty.

Notice that this conclusion, strictly speaking, is invalid:
All the documentation says is that the standard Basic auth mechanism 
then works. It does *not* state that req->user is set to the DN,
which is what mod_dav_svn uses.

I see something different from what David sees, and I have
studied two scenarios, both of which I can explain consistently
with the Apache documentation.

1. I add *only* +FakeBasicAuth, and don't add AuthType etc
    to the Location. I then can perform commits just fine,
    and "anonymous" gets logged. This may be the case as
    no Apache authentication is performed at all, so the
    HTTP Authentication: header which mod_ssl adds is never
    evaluated (notice that mod_ssl does *not* set req->user).

    I could explain the difference that David sees by
    assuming that he uses a different client, one that
    displays absent authors as "(no author)" instead of
    "anonymous".

2. I also add AuthType Basic. It then forces me to also
    add a basic user file, which I do. The SVN client performs
    a number of successful HTTP interactions, until eventually
    the MERGE request is rejected as unauthorized, and the
    commit fails. Even if this would work, it would not be
    satisfying, as it requires me to maintain a fake user file
    of authorized users. I meant to express authorization with
    a SSLRequire formula instead.

It would probably also log the full DN in the svn log,
whereas I would prefer it to log the CN only (as this is
sufficient to indicate authorship).

Regards,
Martin



RE: Logging SSL-authenticated users

Posted by Sander Striker <st...@apache.org>.
> From: David Waite [mailto:mass@akuma.org]
> Sent: Wednesday, May 14, 2003 11:54 PM

> This gives an author of "(no author)"

"
FakeBasicAuth 

When this option is enabled, the Subject Distinguished Name (DN) of the
Client X509 Certificate is translated into a HTTP Basic Authorization
username. This means that the standard Apache authentication methods
can be used for access control. The user name is just the Subject of
the Client's X509 Certificate (can be determined by running OpenSSL's
openssl x509 command: openssl x509 -noout -subject -in certificate.crt).
Note that no password is obtained from the user. Every entry in the
user file needs this password: ``xxj31ZMTZzkVA'', which is the
DES-encrypted version of the word `password''. Those who live under
MD5-based encryption (for instance under FreeBSD or BSD/OS, etc.)
should use the following MD5 hash of the same word:
``$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/''.
"

So apparently your cert's Subject DN is empty.


Sander


Re: Logging SSL-authenticated users

Posted by David Waite <ma...@akuma.org>.
This gives an author of "(no author)"

-David Waite

Sander Striker wrote:

>> From: martin@v.loewis.de [mailto:martin@v.loewis.de]
>> Sent: Wednesday, May 14, 2003 11:18 PM
>>
>> Ben Collins-Sussman <su...@collab.net> writes:
>>
>>> I wonder why the username field in the apache request_rec structure
>>> isn't being filled in.  Maybe the server just needs to "require
>>> valid-user"?
>>
>> The user name (r->user) is not set because mod_ssl simply never sets
>> it. Adding "require valid-user" doesn't help because it gives the error
>> message
>
> Try:
>
>   SSLOptions +FakeBasicAuth
>
> Sander




Re: Logging SSL-authenticated users

Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
"Sander Striker" <st...@apache.org> writes:

> > The user name (r->user) is not set because mod_ssl simply never sets
> > it. Adding "require valid-user" doesn't help because it gives the error
> > message 
> 
> Try:
> 
>   SSLOptions +FakeBasicAuth

That does not change anything.

Regards,
Martin


RE: Logging SSL-authenticated users

Posted by Sander Striker <st...@apache.org>.
> From: martin@v.loewis.de [mailto:martin@v.loewis.de]
> Sent: Wednesday, May 14, 2003 11:18 PM

> Ben Collins-Sussman <su...@collab.net> writes:
> 
> > I wonder why the username field in the apache request_rec structure
> > isn't being filled in.  Maybe the server just needs to "require
> > valid-user"?
> 
> The user name (r->user) is not set because mod_ssl simply never sets
> it. Adding "require valid-user" doesn't help because it gives the error
> message 

Try:

  SSLOptions +FakeBasicAuth


Sander


Re: Logging SSL-authenticated users

Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
Ben Collins-Sussman <su...@collab.net> writes:

> I wonder why the username field in the apache request_rec structure
> isn't being filled in.  Maybe the server just needs to "require
> valid-user"?

The user name (r->user) is not set because mod_ssl simply never sets
it. Adding "require valid-user" doesn't help because it gives the error
message 

configuration error:  couldn't perform authentication. AuthType not set!:

Regards,
Martin



Re: Logging SSL-authenticated users

Posted by Ben Collins-Sussman <su...@collab.net>.
"Martin v. Löwis" <ma...@v.loewis.de> writes:

> When I authenticate to subversion using SSL client certificates, svn
> log will report 'anonymous'.
> 
> Is there anything that can be done about this? I would prefer if
> SSL_CLIENT_S_DN_CN would get logged.

I wonder why the username field in the apache request_rec structure
isn't being filled in.  Maybe the server just needs to "require
valid-user"?
