Project

General

Profile

Feature #2481

[mod_auth] [patch] allow SSL clientcert authenticated users to bypass AUTH

Added by arved over 6 years ago. Updated over 2 years ago.

Status:
Fixed
Priority:
Normal
Assignee:
-
Category:
mod_auth
Target version:
1.4.46
Start date:
2013-03-11
Due date:
% Done:

100%

Estimated time:
Missing in 1.5.x:
No

Description

In my setup a user can authenticate either via SSL client cert OR via AUTH.

It is redundant to ask a user that is already authenticated with an SSL clientcertificate to type again a password.

So I have added a configvariable whitelistclientcerts. If enabled, mod_auth only proceeds authentication if the user did not provide a valid certificate.

Sample config:

ssl.engine = "enable" 
ssl.pemfile = "/etc/server.pem" 
ssl.verifyclient.activate  = "enable" 
ssl.verifyclient.enforce = "disable" 
ssl.ca-file = "/etc/rootcert.pem" 
auth.backend = "htpasswd" 
auth.backend.htpasswd.userfile = "/etc/htpasswd" 
auth.debug = 2
auth.whitelistclientcert = "enable" 
auth.require = ( "/" => (
                "method" => "basic",
                "realm" => "foobar",
                "require" => "user=admin" 
        )

patch-whitelistclientcert (2.01 KB) patch-whitelistclientcert arved, 2013-03-11 17:54
patch-whitelistclientcert (2.03 KB) patch-whitelistclientcert Improved version arved, 2013-04-15 17:49

Associated revisions

Revision f54d628c (diff)
Added by gstrauss over 2 years ago

[mod_auth] enable optional authz if extern authn (fixes #2481)

Set auth.extern-authn = "enable" to check REMOTE_USER (if set) against
require rules, and proceed if allowed. If REMOTE_USER is not present,
or the require rules do not match, then check configured auth scheme.

REMOTE_USER might be set by another module, e.g. mod_openssl client cert
verification and REMOTE_USER configured with ssl.verifyclient.username)

x-ref:
"[mod_auth] allow SSL clientcert authenticated users to bypass AUTH"
https://redmine.lighttpd.net/issues/2481

History

#1

Updated by arved over 6 years ago

Improved version that does not call openssl functions if there is no SSL connection.

#2

Updated by stbuehler about 6 years ago

I'd rather use something that checks whether con->authed_user (REMOTE_USER env) is already set; I think that should qualify for "user is (already) authenticated".

#3

Updated by gstrauss over 2 years ago

  • Status changed from New to Patch Pending
  • Target version set to 1.4.45
#4

Updated by gstrauss over 2 years ago

  • Target version changed from 1.4.45 to 1.4.46
#5

Updated by gstrauss over 2 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Also available in: Atom