Feature #2481

closed

[mod_auth] [patch] allow SSL clientcert authenticated users to bypass AUTH

Added by arved about 12 years ago. Updated about 8 years ago.

Status: Fixed
Priority: Normal
Category: mod_auth
Target version:

Description

In my setup a user can authenticate either via SSL client cert OR via AUTH.

It is redundant to ask a user who is already authenticated with an SSL client certificate to type a password again.

So I have added a config variable whitelistclientcerts. If enabled, mod_auth only proceeds with authentication if the user did not provide a valid certificate.

Sample config:

ssl.engine = "enable"
ssl.pemfile = "/etc/server.pem"
# request a client certificate, but do not require one
ssl.verifyclient.activate = "enable"
ssl.verifyclient.enforce = "disable"
ssl.ca-file = "/etc/rootcert.pem"
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/etc/htpasswd"
auth.debug = 2
# option added by the attached patch
auth.whitelistclientcert = "enable"
auth.require = ( "/" => (
                "method" => "basic",
                "realm" => "foobar",
                "require" => "user=admin"
        )
)


Files

patch-whitelistclientcert (2.01 KB) - arved, 2013-03-11 17:54
patch-whitelistclientcert (2.03 KB) - Improved version - arved, 2013-04-15 17:49

Added by gstrauss about 8 years ago

Revision f54d628c (diff)

[mod_auth] enable optional authz if extern authn (fixes #2481)

Set auth.extern-authn = "enable" to check REMOTE_USER (if set) against
require rules, and proceed if allowed. If REMOTE_USER is not present,
or the require rules do not match, then check configured auth scheme.

(REMOTE_USER might be set by another module, e.g. mod_openssl client cert
verification and REMOTE_USER configured with ssl.verifyclient.username)

x-ref:
"[mod_auth] allow SSL clientcert authenticated users to bypass AUTH"
https://redmine.lighttpd.net/issues/2481
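
The sample config from the description, rewritten for the option that was merged in the commit above. This is an added example, not taken from the issue, the attached patch or the lighttpd project; the choice of SSL_CLIENT_S_DN_CN as the source of REMOTE_USER is an assumption, and the paths, realm and user name are the ones from the description.

```conf
# TLS with an optional client certificate (same as the sample config above)
ssl.engine                = "enable"
ssl.pemfile               = "/etc/server.pem"
ssl.ca-file               = "/etc/rootcert.pem"
ssl.verifyclient.activate = "enable"
# Keep the certificate optional so that clients without one still reach
# the password prompt instead of failing the TLS handshake.
ssl.verifyclient.enforce  = "disable"
# Assumption: REMOTE_USER is taken from the subject CN of a verified
# client certificate. Without this, REMOTE_USER is not set and
# auth.extern-authn has nothing to check.
ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"

auth.backend                   = "htpasswd"
auth.backend.htpasswd.userfile = "/etc/htpasswd"
# Merged option; takes the place of auth.whitelistclientcert from the patch.
auth.extern-authn              = "enable"

# The require rule is checked against REMOTE_USER first. With this rule only
# a certificate whose CN is "admin" skips the prompt; any other certificate,
# or no certificate, falls through to basic auth against the htpasswd file.
auth.require = ( "/" => (
    "method"  => "basic",
    "realm"   => "foobar",
    "require" => "user=admin"
  )
)
```

Because the require rule is matched against the certificate CN, the CA in ssl.ca-file must be one that issues a certificate with CN "admin" only to the intended administrator.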
