Re: X509 login patches
Hi again,

On Dec 14, 2009, at 10:52 PM, Christos Triantafyllidis wrote:

> Hi Mike,
>
> first of all I need to clarify that I'm not a koji expert (as I said I'm using it only a few weeks).
>
> On Dec 14, 2009, at 9:42 PM, Mike Bonnet wrote:
>
>> koji-hub already supports a DNUsernameComponent option. Rather than introduce a new config option, I think I'd rather see "DNUsernameComponent=DN" special-cased to mean "use the whole DN". I don't see any env. vars other than DN that would be useful for authentication.
>
> Hm that sounds like a cleaner approach! Thanks. I'm going to implement it probably later today...

DONE!

Christos

--
Fedora-buildsys-list mailing list
Fedora-buildsys-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
Re: X509 login patches
Hi Mike,

first of all I need to clarify that I'm not a koji expert (as I said I'm using it only a few weeks).

On Dec 14, 2009, at 9:42 PM, Mike Bonnet wrote:

> koji-hub already supports a DNUsernameComponent option. Rather than introduce a new config option, I think I'd rather see "DNUsernameComponent=DN" special-cased to mean "use the whole DN". I don't see any env. vars other than DN that would be useful for authentication.

Hm that sounds like a cleaner approach! Thanks. I'm going to implement it probably later today...

One special case that I can think of is if one would like to use the issuer's DN or any part of it, but this is not the case for me so I can skip it.

One case that (I think) is not covered even by my approach though is the usage of an X509 extension of the certificate (i.e. the SubjectAlternativeNames), but for now I can live without them.

Christos
Re: X509 login patches
On 14 Dec 2009, at 9:32 PM, Steve Traylen wrote:

> What did you do about the email address? It normally uses c...@configured.org

Well it normally uses usern...@domain, which in my case is already invalid. I'm planning to extend the users table to include also email. So now it is d...@domain.

> I should look at the patch of course.
>
> Steve

Christos
Re: X509 login patches
On 12/14/2009 02:03 PM, Christos Triantafyllidis wrote:
> Hi all and welcome me to the list :),

Welcome, and thanks for the patches! Comments in-line.

> I'm using koji since a few weeks and I needed X509 authentication.
> Unfortunately current support for x509 was limited to:
> a) Use of the CN part only from the subject DN as the username
> Although traditionally CN can be the "username" of the user there are
> cases (like in our PKI) where CN is just "Christos Triantafyllidis" and
> of course many users can have the same name but different DNs. To avoid
> this but also keep the backwards compatibility I have introduced a new
> variable to be exported by both apache config (for git-web) and hub.conf
> (for the rest of the tools) called EnvVarForUserName which defines which
> variable to use as Username. For my case I have "EnvVarForUserName =
> SSL_CLIENT_S_DN" which uses the whole DN as username.

koji-hub already supports a DNUsernameComponent option. Rather than introduce a new config option, I think I'd rather see "DNUsernameComponent=DN" special-cased to mean "use the whole DN". I don't see any env. vars other than DN that would be useful for authentication.

> b) Keep asking the user to provide their pass-phrase many times for the
> same operation
> This leads (IMHO) many users to use password-less certificates.
> Unfortunately this is not acceptable according to our PKI policy so I
> added a callback to cache the passphrase within each koji execution.

This looks very interesting, thanks. I'll see about testing it locally and merging it. I wonder if this could be extended to integrate with gnome-keyring (or similar) to provide once-per-session login for SSL certificates. I'll look into this.

> I have created some patches to both these limitations and I have
> uploaded them to my git repository[1]. Feel free to use/clone them.
>
> Best regards,
> Christos Triantafyllidis
>
> [1] http://git.afroditi.hellasgrid.gr/git/grid.auth.gr/koji.git
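The username derivation Mike describes above, as an added example that is not koji's own code and not part of the thread: DNUsernameComponent names one attribute of the client certificate's subject DN, and the value "DN" is special-cased to use the whole DN. The code assumes the mod_ssl convention (whole subject DN in SSL_CLIENT_S_DN, each attribute in SSL_CLIENT_S_DN_<attr>, and SSL_CLIENT_VERIFY set to "SUCCESS" only when the chain verified); the function and variable names are hypothetical. It goes slightly beyond the thread by showing the CN collision that motivated the patch: two constructed certificates with the same CN map to one CN-based username but to two distinct DN-based usernames.

```python
# Added example (not koji's code): map mod_ssl client-certificate
# variables to a login name, with DNUsernameComponent=DN meaning
# "use the whole subject DN". Variable names assumed from mod_ssl.
import re


def parse_dn(dn):
    """Split an OpenSSL one-line DN ("/C=GR/O=Example/CN=Alice") into
    (attribute, value) pairs. A slash inside a value must be escaped
    as "\\/"; the negative lookbehind in the split honours that."""
    parts = [p for p in re.split(r"(?<!\\)/", dn) if p]
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((attr, value.replace("\\/", "/")))
    return pairs


def username_from_environ(environ, username_component="CN"):
    """Return the username to log in as, or None when the certificate
    did not verify or the requested component is absent.

    username_component plays the role of DNUsernameComponent: "DN"
    (case-insensitive) selects the whole subject DN, anything else
    selects that single attribute of the subject DN."""
    # Never trust the DN variables unless the chain actually verified.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    dn = environ.get("SSL_CLIENT_S_DN", "")
    if not dn:
        return None
    if username_component.upper() == "DN":
        return dn
    # Prefer the per-attribute variable mod_ssl exports; fall back to
    # parsing the DN ourselves if it is missing.
    value = environ.get("SSL_CLIENT_S_DN_%s" % username_component)
    if value:
        return value
    for attr, val in parse_dn(dn):
        if attr == username_component:
            return val
    return None


# Constructed sample environments: two people with the same CN but
# different OUs, plus one whose certificate failed verification.
ALICE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=GR/O=Example Grid/OU=physics/CN=Alice Example",
    "SSL_CLIENT_S_DN_CN": "Alice Example",
}
ALICE_TWIN_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=GR/O=Example Grid/OU=chemistry/CN=Alice Example",
    "SSL_CLIENT_S_DN_CN": "Alice Example",
}
UNVERIFIED_ENV = dict(ALICE_ENV, SSL_CLIENT_VERIFY="FAILED:certificate has expired")


def collision_demo():
    """Show why CN alone is a weak identifier: returns a pair of booleans,
    (same username under CN, same username under DN)."""
    by_cn = (username_from_environ(ALICE_ENV, "CN"),
             username_from_environ(ALICE_TWIN_ENV, "CN"))
    by_dn = (username_from_environ(ALICE_ENV, "DN"),
             username_from_environ(ALICE_TWIN_ENV, "DN"))
    return by_cn[0] == by_cn[1], by_dn[0] == by_dn[1]


if __name__ == "__main__":
    print(collision_demo())  # (True, False)
```

Checking SSL_CLIENT_VERIFY before reading any DN variable is the part worth keeping whichever component is chosen: with `SSLVerifyClient optional` the DN variables can be populated for a certificate that did not chain to a trusted CA.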
Re: X509 login patches
On Mon, Dec 14, 2009 at 8:03 PM, Christos Triantafyllidis wrote:
> Hi all and welcome me to the list :),
>
> I'm using koji since a few weeks and I needed X509 authentication.
> Unfortunately current support for x509 was limited to:
> a) Use of the CN part only from the subject DN as the username
> Although traditionally CN can be the "username" of the user there are cases
> (like in our PKI) where CN is just "Christos Triantafyllidis" and of course
> many users can have the same name but different DNs. To avoid this but also
> keep the backwards compatibility I have introduced a new variable to be
> exported by both apache config (for git-web) and hub.conf (for the rest of
> the tools) called EnvVarForUserName which defines which variable to use as
> Username. For my case I have "EnvVarForUserName = SSL_CLIENT_S_DN" which
> uses the whole DN as username.

What did you do about the email address? It normally uses c...@configured.org

I should look at the patch of course.

Steve

> b) Keep asking the user to provide their pass-phrase many times for the
> same operation
> This leads (IMHO) many users to use password-less certificates.
> Unfortunately this is not acceptable according to our PKI policy so I added
> a callback to cache the passphrase within each koji execution.
>
> I have created some patches to both these limitations and I have uploaded
> them to my git repository[1]. Feel free to use/clone them.
>
> Best regards,
> Christos Triantafyllidis
>
> [1] http://git.afroditi.hellasgrid.gr/git/grid.auth.gr/koji.git

--
Steve Traylen
X509 login patches
Hi all and welcome me to the list :),

I'm using koji since a few weeks and I needed X509 authentication. Unfortunately current support for x509 was limited to:

a) Use of the CN part only from the subject DN as the username

Although traditionally CN can be the "username" of the user there are cases (like in our PKI) where CN is just "Christos Triantafyllidis" and of course many users can have the same name but different DNs. To avoid this but also keep the backwards compatibility I have introduced a new variable to be exported by both apache config (for git-web) and hub.conf (for the rest of the tools) called EnvVarForUserName which defines which variable to use as Username. For my case I have "EnvVarForUserName = SSL_CLIENT_S_DN" which uses the whole DN as username.

b) Keep asking the user to provide their pass-phrase many times for the same operation

This leads (IMHO) many users to use password-less certificates. Unfortunately this is not acceptable according to our PKI policy so I added a callback to cache the passphrase within each koji execution.

I have created some patches to both these limitations and I have uploaded them to my git repository[1]. Feel free to use/clone them.

Best regards,
Christos Triantafyllidis

[1] http://git.afroditi.hellasgrid.gr/git/grid.auth.gr/koji.git
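Point (b) above, a passphrase cached for the lifetime of one koji run so that an encrypted client key is unlocked once rather than on every connection, as an added example that is neither the poster's patch nor koji's code. The cache class, the retry helper and the loader stand-in are hypothetical; the only real library call is `getpass.getpass`, used as the default prompt. A wrong passphrase is forgotten rather than replayed, and prompting stops after a bounded number of attempts, which is the failure mode a once-per-run cache has to handle.

```python
# Added example (not koji's code): prompt-once passphrase cache scoped
# to the current process, with bounded retries on a wrong passphrase.
import getpass
import threading


class PassphraseCache:
    """Cache keyed by key-file path; prompts at most max_attempts times
    per path for the lifetime of this object (i.e. one process)."""

    def __init__(self, prompt=getpass.getpass, max_attempts=3):
        self._prompt = prompt            # callable(message) -> str
        self._max_attempts = max_attempts
        self._cache = {}                 # path -> passphrase
        self._attempts = {}              # path -> prompts so far
        self._lock = threading.Lock()    # safe across worker threads

    def get(self, key_path):
        with self._lock:
            if key_path in self._cache:
                return self._cache[key_path]
            n = self._attempts.get(key_path, 0)
            if n >= self._max_attempts:
                raise RuntimeError("too many passphrase attempts for %s" % key_path)
            self._attempts[key_path] = n + 1
            value = self._prompt("Passphrase for %s: " % key_path)
            self._cache[key_path] = value
            return value

    def forget(self, key_path):
        """Drop a cached value that turned out to be wrong."""
        with self._lock:
            self._cache.pop(key_path, None)

    def callback_for(self, key_path):
        """Adapter for a pem_password_cb-style hook that ignores its
        arguments and returns the passphrase as bytes (assumed shape)."""
        def cb(*_args):
            return self.get(key_path).encode("utf-8")
        return cb


def unlock_with_retry(cache, key_path, unlock):
    """Call unlock(key_path, passphrase) until it succeeds; a cached
    passphrase the loader rejects is forgotten before re-prompting, and
    the cache's attempt limit turns an endless loop into RuntimeError."""
    while True:
        passphrase = cache.get(key_path)
        try:
            return unlock(key_path, passphrase)
        except ValueError:
            cache.forget(key_path)


# Constructed stand-in for a real key loader: one path, one passphrase.
CONSTRUCTED_KEYS = {"/home/alice/.koji/client.key": "correct horse"}


def fake_unlock(key_path, passphrase):
    if CONSTRUCTED_KEYS.get(key_path) != passphrase:
        raise ValueError("bad decrypt")
    return "<unlocked %s>" % key_path


def demo(typed_answers):
    """Two 'connections' in one run sharing a cache, with a scripted user
    typing typed_answers in order. Returns (both unlocked, prompt count)."""
    answers = list(typed_answers)
    prompts = []

    def scripted_prompt(message):
        prompts.append(message)
        return answers.pop(0)

    cache = PassphraseCache(prompt=scripted_prompt)
    path = "/home/alice/.koji/client.key"
    first = unlock_with_retry(cache, path, fake_unlock)
    second = unlock_with_retry(cache, path, fake_unlock)
    return first == second, len(prompts)


if __name__ == "__main__":
    print(demo(["correct horse"]))          # (True, 1)
    print(demo(["wrong", "correct horse"]))  # (True, 2)
```

Holding the passphrase in process memory for one run is the trade the thread is making: it removes the repeated prompts that push people toward unencrypted keys without persisting the secret anywhere, which a keyring-backed session cache (as Mike suggests later in the thread) would extend further.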