Welcome to Geeklog, Anonymous Sunday, December 22 2024 @ 12:45 am EST
I'm planning on using Geeklog inside a corporate environment. To satisfy our security requirements, we will be using SSL for all access. On top of this, we need strong authentication (more than just username/password and cookies). Therefore, we've decided to use SSL client certificates. After looking through the Geeklog code, one of my colleagues and I found that it was pretty easy to add SSL client certificate authentication to Geeklog.
Here's our setup:
Apache 1.3.x + mod_ssl
Geeklog CVS
xca (open source certificate management tool)
Here's how it works:
When a client presents a certificate to Apache, mod_ssl checks it to verify that the certificate has been signed by a trusted authority (via the 'SSLVerifyClient require' directive). After this verification has been done, mod_ssl creates a series of new environmental variables that include details about the client certificate. We've decided to embed a username inside of the 'CN' (common name) entry within our client certificates. Our simple changes to the Geeklog session management functions extract a username out of the proper SSL environmental variable and load a user profile (populating $_USER) based on this.
There are a couple of things I'd like to change eventually. The 'Account Information' page still shows a field that allows users to change their passwords. When using client certs, a user's password is meaningless and it would be nice to just remove this entry. Also, I added an if..then statement around the cookie timeout preference ('cooktime') so it just shows 'disabled for SSL authentication'.
It would be really cool if this patch made it into CVS :-)
Oh yeah, for secure Administrative access to Geeklog, just create a client cert with a common name entry of 'Admin'.
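The CN-to-user mapping described above, written out as an added example (this is not the poster's patch or Geeklog's own code). It assumes Apache exports the mod_ssl variables to PHP (SSLVerifyClient require plus SSLOptions +StdEnvVars), and the $lookup callback stands in for a query against Geeklog's users table.

```php
<?php
// Added example: derive a Geeklog username from a mod_ssl-verified client
// certificate. Assumes SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN are present
// in the request environment ($_SERVER under Apache + mod_ssl).

/**
 * Return the username carried in the client certificate's CN, or null when
 * the request carries no successfully verified certificate or the CN is unusable.
 */
function ssl_cert_username(array $env): ?string
{
    // mod_ssl sets SSL_CLIENT_VERIFY to "SUCCESS" only after the chain was
    // validated against the configured CA; "NONE" or "FAILED:..." means no trust.
    if (($env['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $cn = $env['SSL_CLIENT_S_DN_CN'] ?? '';
    // Accept only a conservative username alphabet so that a CN issued with
    // odd characters cannot carry SQL or HTML metacharacters into the lookup.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $cn)) {
        return null;
    }
    return $cn;
}

/**
 * Load the user record for the verified CN. $lookup is injected (hypothetical
 * wiring) so this runs without a database; in Geeklog it would wrap a query
 * against the users table and return the row used to populate $_USER.
 */
function ssl_cert_login(array $env, callable $lookup): ?array
{
    $username = ssl_cert_username($env);
    if ($username === null) {
        return null;
    }
    // Unknown CN: do not auto-create an account. The CA decides who holds a
    // certificate; the application still decides which CNs map to accounts.
    return $lookup($username) ?: null;
}

// Constructed sample data standing in for the users table and two requests.
$users  = ['Admin' => ['uid' => 2, 'username' => 'Admin'],
           'jdoe'  => ['uid' => 7, 'username' => 'jdoe']];
$lookup = fn(string $u): ?array => $users[$u] ?? null;

var_dump(ssl_cert_login(['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'jdoe'], $lookup));
var_dump(ssl_cert_login(['SSL_CLIENT_VERIFY' => 'NONE', 'SSL_CLIENT_S_DN_CN' => 'Admin'], $lookup));
```

In a live deployment the first argument is $_SERVER, and the result (or null) decides whether a session is created instead of the password check.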