On 12/14/2009 02:03 PM, Christos Triantafyllidis wrote:
> Hi all and welcome me to the list :),
Welcome, and thanks for the patches! Comments in-line.
> I have been using koji for a few weeks and I needed X509
> Unfortunately, current support for x509 was limited to:
> a) Use of the CN part only from the subject DN as the username
> Although traditionally CN can be the "username" of the user, there are
> cases (like in our PKI) where CN is just "Christos Triantafyllidis" and
> of course many users can have the same name but different DNs. To avoid
> this but also keep backwards compatibility, I have introduced a new
> variable to be exported by both the apache config (for git-web) and hub.conf
> (for the rest of the tools) called EnvVarForUserName, which defines which
> variable to use as the username. In my case I have "EnvVarForUserName =
> SSL_CLIENT_S_DN", which uses the whole DN as the username.
koji-hub already supports a DNUsernameComponent option. Rather than
introduce a new config option, I think I'd rather see
"DNUsernameComponent=DN" special-cased to mean "use the whole DN". I
don't see any env. vars other than DN that would be useful for
> b) Keep asking the user to provide their pass-phrase many times for
> the same operation
> This leads (IMHO) many users to use password-less certificates.
> Unfortunately this is not acceptable according to our PKI policy, so I
> added a callback to cache the passphrase within each koji execution.
This looks very interesting, thanks. I'll see about testing it locally
and merging it. I wonder if this could be extended to integrate with
gnome-keyring (or similar) to provide once-per-session login for SSL
certificates. I'll look into this.
> I have created some patches for both these limitations and I have
> uploaded them to my git repository. Feel free to use/clone them.
Fedora-buildsys-list mailing list
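As an added illustration of both points in the thread (the CN-versus-whole-DN username choice and the once-per-run passphrase cache); this is not code from koji or from either poster. DNUsernameComponent is koji's option name; the mod_ssl variable names, the "DN" special value and the callback shape are assumptions.

```python
"""Added illustration of the two x509 points raised in the thread.

Constructed assumptions (not from koji or the mailing list): the hub reads
mod_ssl's SSL_CLIENT_S_DN and SSL_CLIENT_S_DN_<attr> variables, and the
special value "DN" for DNUsernameComponent selects the whole subject DN.
"""
import getpass
from typing import Callable, Dict, Optional


def username_from_env(environ: Dict[str, str], dn_component: str = "CN") -> str:
    """Map a client certificate subject to a koji username.

    "CN" keeps the traditional behaviour; "DN" uses the full subject, so two
    people who share a CN still get distinct accounts instead of colliding.
    """
    if dn_component.upper() == "DN":
        key = "SSL_CLIENT_S_DN"
    else:
        key = "SSL_CLIENT_S_DN_%s" % dn_component.upper()
    value = environ.get(key)
    if not value:
        # Fail closed: never fall back to a weaker identifier.
        raise ValueError("client certificate lacks %s; refusing login" % key)
    return value


class PassphraseCache:
    """Ask for the private-key passphrase once per process and replay it.

    Repeated TLS connections within one koji run then do not prompt again,
    which removes the incentive to strip the passphrase from the key file.
    The call signature mirrors an OpenSSL-style PEM password callback
    (assumed shape, not a specific library's API).
    """

    def __init__(self, prompt: Callable[[str], str] = getpass.getpass) -> None:
        self._prompt = prompt
        self._cached: Optional[str] = None
        self.prompts = 0  # how many times the user was actually asked

    def __call__(self, verify: bool = False,
                 prompt1: str = "Enter passphrase:",
                 prompt2: str = "Verify passphrase:") -> str:
        if self._cached is None:
            self._cached = self._prompt(prompt1)
            self.prompts += 1
        return self._cached

    def clear(self) -> None:
        self._cached = None
```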