X509 login patches
Mike Bonnet
mikeb at redhat.com
Mon Dec 14 19:42:11 UTC 2009
On 12/14/2009 02:03 PM, Christos Triantafyllidis wrote:
> Hi all and welcome me to the list :),
Welcome, and thanks for the patches! Comments in-line.
> I've been using koji for a few weeks and I needed X509 authentication.
> Unfortunately the current support for x509 was limited to:
> a) Use of the CN part only from the subject DN as the username
> Although traditionally CN can be the "username" of the user, there are
> cases (like in our PKI) where CN is just "Christos Triantafyllidis" and
> of course many users can have the same name but different DNs. To avoid
> this but also keep backwards compatibility I have introduced a new
> variable to be exported by both the apache config (for git-web) and hub.conf
> (for the rest of the tools) called EnvVarForUserName which defines which
> variable to use as the username. For my case I have "EnvVarForUserName =
> SSL_CLIENT_S_DN" which uses the whole DN as the username.
koji-hub already supports a DNUsernameComponent option. Rather than
introduce a new config option, I think I'd rather see
"DNUsernameComponent=DN" special-cased to mean "use the whole DN". I
don't see any env. vars other than DN that would be useful for
authentication.
> b) Keep asking the user to provide their pass-phrase many times for
> the same operation
> This leads (IMHO) many users to use password-less certificates.
> Unfortunately this is not acceptable according to our PKI policy, so I
> added a callback to cache the passphrase within each koji execution.
This looks very interesting, thanks. I'll see about testing it locally
and merging it. I wonder if this could be extended to integrate with
gnome-keyring (or similar) to provide once-per-session login for SSL
certificates. I'll look into this.
> I have created some patches for both these limitations and I have
> uploaded them to my git repository[1]. Feel free to use/clone them.
>
> Best regards,
> Christos Triantafyllidis
>
> [1] http://git.afroditi.hellasgrid.gr/git/grid.auth.gr/koji.git
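As an added example (not code from Koji, nor from either poster's patches), the following Python models the two behaviours discussed in this message: mapping a client certificate's subject DN to a username under a DNUsernameComponent setting, with "DN" special-cased to mean the whole subject, and a passphrase callback that prompts once per process. The DN strings are constructed for the example and use mod_ssl's legacy slash-separated SSL_CLIENT_S_DN form; the PassphraseCache class, the function names and the use of Python's ssl module password callable (rather than the M2Crypto callback Koji used at the time) are assumptions made here, not details from the thread.

```python
"""Subject-DN to username mapping and once-per-process passphrase caching.

Added example, not Koji's own code.  The DNUsernameComponent name comes
from koji-hub's hub.conf; treating the value "DN" as "use the whole
subject" is the special case proposed in the reply above.
"""


def parse_legacy_dn(dn):
    """Split "/C=GR/O=Example/CN=Name" into an ordered list of (attr, value).

    This is mod_ssl's legacy SSL_CLIENT_S_DN layout (assumed here).  A
    backslash escapes the next character, so an escaped "/" inside a
    value does not start a new component.
    """
    if not dn.startswith("/"):
        raise ValueError("expected a legacy mod_ssl DN starting with '/'")
    parts, buf, i = [], [], 1
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "/":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr:
            raise ValueError("malformed DN component: %r" % part)
        rdns.append((attr, value))
    return rdns


def username_from_dn(dn, component="CN"):
    """Return the username for a subject DN under a DNUsernameComponent value.

    component is an attribute name such as "CN" or "emailAddress", or the
    special value "DN", which returns the whole subject string unchanged.
    """
    if component == "DN":
        return dn
    matches = [v for a, v in parse_legacy_dn(dn) if a == component]
    if not matches:
        raise ValueError("subject has no %s component: %r" % (component, dn))
    if len(matches) > 1:
        # A multi-valued component is ambiguous as a username; refuse
        # rather than silently picking one of the values.
        raise ValueError("subject has %d %s values: %r"
                         % (len(matches), component, dn))
    return matches[0]


# Constructed sample subjects: two different people sharing one CN.
SUBJECTS = [
    "/C=GR/O=HellasGrid/OU=auth.gr/CN=Christos Triantafyllidis",
    "/C=GR/O=HellasGrid/OU=ntua.gr/CN=Christos Triantafyllidis",
]


def collisions(subjects, component):
    """Return the usernames that more than one subject maps to."""
    seen = {}
    for s in subjects:
        seen.setdefault(username_from_dn(s, component), []).append(s)
    return set(u for u, subs in seen.items() if len(subs) > 1)


class PassphraseCache(object):
    """Prompt for a private-key passphrase once and reuse the answer.

    ssl.SSLContext.load_cert_chain(certfile, keyfile, password) accepts a
    callable for password and calls it with no arguments each time the
    key is decrypted.  A tool that opens several SSL sessions per run
    therefore prompts repeatedly unless the answer is cached.  prompt is
    injected so the example runs without a terminal; real code would pass
    getpass.getpass.
    """

    def __init__(self, prompt):
        self._prompt = prompt
        self._cached = None
        self.prompts = 0  # how many times the user was actually asked

    def __call__(self):
        if self._cached is None:
            self.prompts += 1
            self._cached = self._prompt("Enter pass phrase for your key: ")
        return self._cached

    def forget(self):
        """Drop the cached passphrase, e.g. after a decryption failure."""
        self._cached = None


if __name__ == "__main__":
    for component in ("CN", "DN"):
        print("%s -> colliding usernames: %r"
              % (component, sorted(collisions(SUBJECTS, component))))
```

With DNUsernameComponent=CN the two constructed subjects collapse to the same Koji user, which is the problem the patch describes; with the whole DN they stay distinct. The cache object can be handed to load_cert_chain as its password argument and reused for every SSL context the process creates, so the user is asked once per run rather than once per connection.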