SSL Authentication

Description

This plugin allows authentication of users by making use of SSL client certificates.

Bugs/Feature Requests

Existing bugs and feature requests for SslAuthenticationPlugin are here.

If you have any issues, create a new ticket.

Download and Source

Download the zipped source, check out using Subversion, or browse the source with Trac.

Example

Currently a small patch must be applied to Trac to get this working (the patch is against 10.4-2; the -2 is the Debian package revision):

diff -Nur /usr/share/python-support/trac/trac/web/main.py /var/lib/python-support/python2.4/trac/web/main.py
--- /usr/share/python-support/trac/trac/web/main.py	2007-05-30 03:23:40.000000000 +0200
+++ /var/lib/python-support/python2.4/trac/web/main.py	2008-04-26 21:55:45.000000000 +0200
@@ -180,7 +180,13 @@
             if not getattr(chosen_handler, 'anonymous_request', False):
                 try:
                     req.authname = self.authenticate(req)
-                    req.perm = PermissionCache(self.env, req.authname)
+                    try:
+                        if req.perm_user:
+                            req.perm = PermissionCache(self.env, req.perm_user)
+                        else:
+                            req.perm = PermissionCache(self.env, req.authname)
+                    except:
+                        req.perm = PermissionCache(self.env, req.authname)
                     req.session = Session(self.env, req)
                     req.form_token = self._get_form_token(req)
                 except:
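Review bot: the inner `try`/bare `except:` hides every error, not just a missing `perm_user` attribute; if `PermissionCache(self.env, req.perm_user)` itself raises, the request silently falls back to the permissions of `req.authname`, so a bug in the perm_user mapping degrades to a different identity with nothing logged. Suggest replacing the try/except with an explicit lookup, e.g. `perm_user = getattr(req, 'perm_user', None)` followed by `req.perm = PermissionCache(self.env, perm_user or req.authname)`, so only the genuinely absent case falls back and any other exception propagates to the existing outer handler. It would also help to document where `req.perm_user` is set and what it is expected to contain.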

When this patch is applied you can use a virtual host config section similar to this (assuming you're using Apache):

<VirtualHost *:443>
    ServerName trac.example.org

    Alias /chrome/common /usr/share/trac/htdocs

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/trac.example.org_publickey.pem
    SSLCertificateKeyFile /etc/apache2/ssl/trac.example.org_privatekey.pem
    # I use CACert's root certificate, you can get it from here: http://www.cacert.org/index.php?id=3
    SSLCACertificateFile /etc/apache2/ssl/CACert_class_1_and_3.pem

    SSLVerifyClient none
    SSLOptions -StrictRequire

    <Directory "/usr/share/trac/htdocs">
        Options Indexes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    <Location "/test">
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnv /var/trac/test
        PythonOption TracUriRoot /personal/

        # Authentication
        # Require SSL connection to access this location
        SSLRequireSSL

        # Request (but don't require) a client certificate, so requests without one
        # still reach Trac; verify the certificate chain up to depth 2
        SSLVerifyClient optional
        SSLVerifyDepth 2

        # Creates additional environment variables including client certificate data
        SSLOptions +StdEnvVars
        # Requires the SSLRequireSSL directive above to succeed, as well as
        # the SSLRequire directive below; if either fails Apache will
        # refuse access to this location.
        SSLOptions +StrictRequire

        # Only accept sessions negotiated with a cipher key size of at least 128 bits
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </Location>

    # Let's still allow basic HTTP authentication
    <Location "/test/login">
        AuthType Basic
        AuthName "Test Trac"
        AuthUserFile /etc/apache2/passwd/trac.example.org/test.passwd
        Require valid-user
    </Location>

    CustomLog /var/log/apache2/trac.example.org/access.log combined
    ErrorLog /var/log/apache2/trac.example.org/error.log
</VirtualHost>

If the plugin is installed and enabled, and the patch is applied, you will be able to automatically log in with the email address in your browser's client certificate.
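An added example (not the plugin's own code, which this page does not show) of how the login side of this setup can safely derive the Trac authname from the mod_ssl variables that `SSLOptions +StdEnvVars` exports; the sample environments, `cert_email`, `authname` and `classify_samples` are all constructed for illustration, and the code assumes it is handed the request environment as a plain dict.

```python
import re

# Constructed sample environments, shaped like what mod_ssl exports with
# "SSLOptions +StdEnvVars" under "SSLVerifyClient optional".
SAMPLE_ENVIRONS = {
    'verified':   {'SSL_CLIENT_VERIFY': 'SUCCESS',
                   'SSL_CLIENT_S_DN_Email': 'Alice@Example.org'},
    'no_cert':    {'SSL_CLIENT_VERIFY': 'NONE'},
    'bad_chain':  {'SSL_CLIENT_VERIFY': 'FAILED:unable to get local issuer certificate',
                   'SSL_CLIENT_S_DN_Email': 'mallory@example.org'},
    'basic_auth': {'SSL_CLIENT_VERIFY': 'NONE', 'REMOTE_USER': 'bob'},
}

_EMAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')


def cert_email(environ):
    """E-mail from the client certificate, or None if it must not be trusted.

    With "SSLVerifyClient optional" Apache still serves the request when no
    certificate was sent (SSL_CLIENT_VERIFY == "NONE") or when the chain did
    not validate ("FAILED:<reason>"); only "SUCCESS" means the certificate
    chains to a CA in SSLCACertificateFile within SSLVerifyDepth.
    """
    if environ.get('SSL_CLIENT_VERIFY') != 'SUCCESS':
        return None
    email = environ.get('SSL_CLIENT_S_DN_Email', '').strip()
    if not _EMAIL_RE.match(email):
        return None
    return email.lower()


def authname(environ):
    """Trac authname: a verified certificate e-mail, else whatever Apache's
    Basic auth on /test/login put in REMOTE_USER, else Trac's 'anonymous'."""
    return cert_email(environ) or environ.get('REMOTE_USER') or 'anonymous'


def classify_samples():
    # Hypothetical helper: maps each constructed sample to its authname.
    return dict((name, authname(env)) for name, env in SAMPLE_ENVIRONS.items())
```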

You can create yourself a client certificate at CACert.

Recent Changes

[3564] by giel on 04/26/08 22:33:33

Initial import

[3563] by giel on 04/26/08 22:30:52

New hack SslAuthenticationPlugin, created by giel

Author/Contributors

Author: giel
Contributors: