x.509 cert authentication for web interface?
Hi all. I'm wondering if anybody has devised a way to authenticate to the admin/moderator interfaces in Mailman using browser certificates. We try to use them to authenticate to web services wherever possible, and have a fairly widely deployed PKI at my site.
It seems like this should be possible, but I really don't know python and am not very familiar with Mailman's code. We use Apache and mod_ssl, which means that we can make a bunch of environment variables associated with the certificates available to Mailman. In particular, we can find out the email address of the user. It seems like we should be able to look for that email address in the list of admin or moderator addresses and consider the user to be authenticated if it's there. The web server is already doing the necessary work to verify that the certificate is valid, so everything presented to Mailman should be trustworthy.
Any help would be much appreciated.
noah
-- Noah Meyerhans System Administrator MIT Computer Science and Artificial Intelligence Laboratory
On Fri, 2004-01-30 at 14:03, Noah Meyerhans wrote:
> Hi all. I'm wondering if anybody has devised a way to authenticate to the admin/moderator interfaces in Mailman using browser certificates. We try to use them to authenticate to web services wherever possible, and have a fairly widely deployed PKI at my site.
> It seems like this should be possible, but I really don't know python and am not very familiar with Mailman's code. We use Apache and mod_ssl, which means that we can make a bunch of environment variables associated with the certificates available to Mailman. In particular, we can find out the email address of the user. It seems like we should be able to look for that email address in the list of admin or moderator addresses and consider the user to be authenticated if it's there. The web server is already doing the necessary work to verify that the certificate is valid, so everything presented to Mailman should be trustworthy.
> Any help would be much appreciated.
> noah
Dude,
Just move the script alias inside the ssl part of your httpd.conf.
On Fri, Jan 30, 2004 at 03:25:24PM -0500, Jon Carnes wrote:
> Just move the script alias inside the ssl part of your httpd.conf.
I've already got the script alias in the SSL section of Apache's config. That works fine, but it's most definitely not authenticating based on the x509 certificate presented by the browser. Is it supposed to? I haven't seen any indication in the documentation that leads me to believe it is. Please point me to whatever docs I'm missing if I am missing something. Or tell me where in mailman's source code I can find that functionality.
In case I was not clear in my intentions: If the browser presents an x509 certificate that is properly signed by my Certificate Authority, and the email address associated with the certificate is listed in the admin or moderator fields in Mailman, then the user should be considered authenticated. At no point should they be prompted for a password.
noah
-- Noah Meyerhans System Administrator MIT Computer Science and Artificial Intelligence Laboratory
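A sketch of the lookup Noah describes, added here as an example and not code from Mailman or from anyone in this thread. It assumes the CGI runs behind Apache mod_ssl configured with `SSLVerifyClient require`, `SSLCACertificateFile` and `SSLOptions +StdEnvVars`, so that mod_ssl exports `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_Email`; the owner/moderator addresses and the sample environment are constructed.

```python
import os

# Constructed sample data standing in for a list's owner/moderator fields.
OWNERS = ['listowner@example.org']
MODERATORS = ['mod1@example.org', 'Mod2@Example.org']

# Constructed sample of the CGI environment mod_ssl would provide after a
# client certificate validated against SSLCACertificateFile.
SAMPLE_ENV = {
    'HTTPS': 'on',
    'SSL_CLIENT_VERIFY': 'SUCCESS',
    'SSL_CLIENT_S_DN_Email': 'ListOwner@example.org',
}


def cert_authenticated(environ, owners, moderators):
    """Return 'owner', 'moderator' or None for a mod_ssl CGI environment.

    The web server has already checked the chain; the only things left to
    verify here are that mod_ssl actually reports a successful verification
    and that the certificate's email address is one the list trusts.
    """
    # Never trust the cert variables on a plain-HTTP virtual host.
    if environ.get('HTTPS') != 'on':
        return None
    # mod_ssl reports NONE, SUCCESS, GENEROUS or FAILED:<reason>; only
    # SUCCESS means the client chain validated against the configured CA.
    if environ.get('SSL_CLIENT_VERIFY') != 'SUCCESS':
        return None
    email = environ.get('SSL_CLIENT_S_DN_Email', '').strip().lower()
    if not email:
        return None
    # Email addresses are compared case-insensitively, as list configs
    # are typed by hand and often mix case.
    if email in {a.strip().lower() for a in owners}:
        return 'owner'
    if email in {a.strip().lower() for a in moderators}:
        return 'moderator'
    return None


if __name__ == '__main__':
    # In a real CGI script os.environ would be passed instead of SAMPLE_ENV.
    print(cert_authenticated(SAMPLE_ENV, OWNERS, MODERATORS))
```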
You'll need to dive into the code for that. Mailman is totally and blissfully unaware of such authentications.
Good Luck - Jon Carnes
On Fri, 2004-01-30 at 16:11, Noah Meyerhans wrote:
> On Fri, Jan 30, 2004 at 03:25:24PM -0500, Jon Carnes wrote:
> > Just move the script alias inside the ssl part of your httpd.conf.
> I've already got the script alias in the SSL section of Apache's config. That works fine, but it's most definitely not authenticating based on the x509 certificate presented by the browser. Is it supposed to? I haven't seen any indication in the documentation that leads me to believe it is. Please point me to whatever docs I'm missing if I am missing something. Or tell me where in mailman's source code I can find that functionality.
> In case I was not clear in my intentions: If the browser presents an x509 certificate that is properly signed by my Certificate Authority, and the email address associated with the certificate is listed in the admin or moderator fields in Mailman, then the user should be considered authenticated. At no point should they be prompted for a password.
> noah