X509 login patches

Mike Bonnet mikeb at redhat.com
Mon Dec 14 19:42:11 UTC 2009


On 12/14/2009 02:03 PM, Christos Triantafyllidis wrote:
> Hi all and welcome me to the list :),

Welcome, and thanks for the patches!  Comments in-line.

>     I've been using koji for a few weeks and I needed X509 authentication.
> Unfortunately the current support for x509 was limited to:
> a) Use of the CN part only from the subject DN as the username
>   Although traditionally CN can be the "username" of the user, there are
> cases (like in our PKI) where CN is just "Christos Triantafyllidis" and
> of course many users can have the same name but different DNs. To avoid
> this but also keep backwards compatibility I have introduced a new
> variable to be exported by both the apache config (for git-web) and hub.conf
> (for the rest of the tools) called EnvVarForUserName, which defines which
> variable to use as the username. In my case I have "EnvVarForUserName =
> SSL_CLIENT_S_DN", which uses the whole DN as the username.

koji-hub already supports a DNUsernameComponent option.  Rather than
introduce a new config option, I think I'd rather see
"DNUsernameComponent=DN" special-cased to mean "use the whole DN".  I
don't see any env. vars other than DN that would be useful for
authentication.

> b) Keep asking the user to provide their pass-phrase many times for
> the same operation
>   This leads (IMHO) many users to use password-less certificates.
> Unfortunately this is not acceptable according to our PKI policy, so I
> added a callback to cache the passphrase within each koji execution.

This looks very interesting, thanks.  I'll see about testing it locally
and merging it.  I wonder if this could be extended to integrate with
gnome-keyring (or similar) to provide once-per-session login for SSL
certificates.  I'll look into this.

>   I have created some patches for both of these limitations and I have
> uploaded them to my git repository[1]. Feel free to use/clone them.
> 
> Best regards,
> Christos Triantafyllidis
> 
> [1] http://git.afroditi.hellasgrid.gr/git/grid.auth.gr/koji.git
> 
> 
> 
> --
> Fedora-buildsys-list mailing list
> Fedora-buildsys-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
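The two points under discussion, mapping a client certificate DN to a username (with the "DNUsernameComponent=DN" special case proposed in the reply) and caching the key passphrase for the lifetime of one koji run, as an added Python example; this is not Koji's code nor Christos's patches, and the DN formats, sample DNs and the callback signature are assumptions:

```python
# Added example, not from the Koji project or the patches being discussed.
import getpass
import re


def parse_dn(dn):
    """Split a subject DN into an ordered list of (attr, value) pairs.
    Accepts both mod_ssl spellings: legacy "/C=GR/O=Org/CN=Name" and
    RFC 2253 style "CN=Name,O=Org,C=GR" (assumed formats)."""
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
    else:
        parts = re.split(r"(?<!\\),", dn)  # split on unescaped commas
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def username_from_dn(dn, component="CN"):
    """Return the username for a client DN.
    component="DN" (the special case suggested in the reply) uses the whole
    DN, which stays unique even when several certificates share one CN."""
    if component == "DN":
        return dn
    for attr, value in parse_dn(dn):
        if attr == component:
            return value
    raise ValueError("DN has no %s component: %s" % (component, dn))


class PassphraseCache(object):
    """Callable usable as the passphrase callback when loading a private
    key (e.g. pyOpenSSL's load_privatekey): prompts once, then returns the
    cached value for every later call within the same process."""

    def __init__(self, prompt=getpass.getpass):
        self._prompt = prompt
        self._cached = None

    def __call__(self, *args):
        # OpenSSL passes (maxlen, verify, userdata); all are ignored here.
        if self._cached is None:
            self._cached = self._prompt("Key passphrase: ")
        return self._cached
```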
