X509 login patches
by Christos Triantafyllidis
Hi all and welcome me to the list :),
I've been using koji for a few weeks and I needed X509 authentication.
Unfortunately current support for x509 was limited to:
a) Use of the CN part only from the subject DN as the username
Although traditionally CN can be the "username" of the user there
are cases (like in our PKI) where CN is just "Christos
Triantafyllidis" and of course many users can have the same name but
different DNs. To avoid this but also keep backwards compatibility,
I have introduced a new variable to be exported by both apache config
(for git-web) and hub.conf (for the rest of the tools) called
EnvVarForUserName, which defines which variable to use as Username. For
my case I have "EnvVarForUserName = SSL_CLIENT_S_DN", which uses the
whole DN as username.
b) Keeps asking the user to provide their pass-phrase many times for
the same operation
This leads (IMHO) many users to use password-less certificates.
Unfortunately this is not acceptable according to our PKI policy, so I
added a callback to cache the passphrase within each koji execution.
I have created some patches for both of these limitations and I have
uploaded them to my git repository[1]. Feel free to use/clone them.
Best regards,
Christos Triantafyllidis
[1] http://git.afroditi.hellasgrid.gr/git/grid.auth.gr/koji.git
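
The username collision described in point (a), as an added sketch that is not taken from the patches or from koji itself: it reads the login name from the variable named by `EnvVarForUserName` and reports which names are shared by more than one subject DN. `resolve_username`, `colliding_names`, the CN-only default and the sample DNs are assumptions made for illustration; the `SSL_CLIENT_*` keys are the standard mod_ssl variables.

```python
# Added illustration; function names are hypothetical, not koji APIs.
DEFAULT_VAR = "SSL_CLIENT_S_DN_CN"  # assumption: CN-only behaviour is the default


class AuthError(Exception):
    """Raised when no trustworthy username can be derived."""


def resolve_username(environ, options):
    """Return the login name from the variable named by EnvVarForUserName."""
    # Subject fields are only meaningful if the web server verified the cert.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise AuthError("client certificate not verified")
    var = options.get("EnvVarForUserName", DEFAULT_VAR)
    name = (environ.get(var) or "").strip()
    if not name:
        # Fail closed instead of silently falling back to another field.
        raise AuthError("%s is empty or not exported" % var)
    return name


def colliding_names(requests, options):
    """Return usernames that more than one distinct subject DN maps to."""
    seen = {}
    for env in requests:
        name = resolve_username(env, options)
        seen.setdefault(name, set()).add(env["SSL_CLIENT_S_DN"])
    return sorted(n for n, dns in seen.items() if len(dns) > 1)


def _env(dn, cn):
    # Constructed request environment, as mod_ssl would export it.
    return {"SSL_CLIENT_VERIFY": "SUCCESS",
            "SSL_CLIENT_S_DN": dn,
            "SSL_CLIENT_S_DN_CN": cn}


# Constructed sample: two different people whose certificates share a CN.
SAMPLE = [
    _env("/C=GR/O=Example Grid/OU=site-a.example/CN=Alex Example", "Alex Example"),
    _env("/C=GR/O=Example Grid/OU=site-b.example/CN=Alex Example", "Alex Example"),
]

if __name__ == "__main__":
    print(colliding_names(SAMPLE, {}))
    print(colliding_names(SAMPLE, {"EnvVarForUserName": "SSL_CLIENT_S_DN"}))
```

With the CN-only default both certificates resolve to the same account name; with the full DN they stay distinct.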