Welcome to Geeklog, Anonymous Thursday, July 25 2024 @ 02:59 am EDT


Root : Add-ons : 
Category: Add-ons
Tags: -
Date: 2003-04-28 15:10
Size: 3.13 KB
MD5: d20161028f453670cba4de7cad65bfa6
Submitter: Tony
Web: -
Rating: 0.00
Popularity: 1381   POP
I'm planning on using Geeklog inside a corporate environment. To satisfy our security requirements, we will be using SSL for all access. On top of this, we need strong authentication (more than just username/password and cookies). Therefore, we've decided to use SSL client certificates. After looking through the Geeklog code, one of my collegues and I found that it was pretty easy to add SSL client certificate authentication to Geeklog.
Here's our setup:
Apache 1.3.x + mod_ssl
Geeklog CVS
xca (open source certificate management tool)

Here's how it works:
When a client presents a certificate to Apache, mod_ssl checks it to verify that the certificate has been signed by a trusted authority (via the 'SSLVerifyClient require' directive). After this verification has been done, mod_ssl creates a series of new environmental variables that include details about the client certificate. We've decided to embed a username inside of the 'CN' (common name) entry within our client certificates. Our simple changes to the Geeklog session management functions extract a username out of the proper SSL environmental variable and load a user profile (populating $_USER) based on this.

There's a couple of things I'd like to change eventually. The 'Account Information' page still shows a field that allows users to change their passwords. When using client certs, a user's password is meaningless and it would be nice to just remove this entry. Also, I added a if..then statement around the cookie timeout preference ('cooktime') so it just shows 'disabled for SSL authentication'

It would be really cool if this patch made it into CVS :-)

Oh yeah, for secure Administrative access to Geeklog, just create a client cert with a common name entry of 'Admin'.