View Issue Details

IDProjectCategoryView StatusLast Update
0003303mantisbtsecuritypublic2013-03-15 09:12
ReportermmdolzeAssigned To 
PrioritynormalSeverityfeatureReproducibilityN/A
Status acknowledgedResolutionopen 
Product Version 
Target VersionFixed in Version 
Summary0003303: Use X.509 certificate for authentication
Description

It would be nice to have the possibility to select X.509
certificates for authentication. Certificate handling and checking is already done by the webserver. The certificates e.g. have to contain a "uid" subject name attribut. If this matched a record in mantis user database, the user should be logged automatically in.

TagsNo tags attached.

Relationships

related to 0004235 closedvboctor Support Generic Authentication through Plug-ins 

Activities

ritesh

ritesh

2003-08-21 08:00

reporter   ~0004551

yt

strushb

strushb

2007-07-09 05:39

reporter   ~0014909

See http://www.cacert.org/help.php?id=9 for a PHP example of using certificates

ssimpson

ssimpson

2008-01-22 14:55

reporter   ~0016761

I have created a hack to do this. Since I am going to be upgrading the version, I can make it a real authentication module, but I would like to get it added to the code base, so that I don't have to merge my changes again.

2008-01-24 08:28

 

mantis-1.1.1_to_pki.zip (38,144 bytes)
ssimpson

ssimpson

2008-01-24 08:39

reporter   ~0016792

I just added a file that has a patch to include PKI_Auth. Here are my notes that go with it. I would be happy to put these on the wiki, once the patch is added to the code base.

PKI User Authentication

For PKI Authentication to work there are several prerequisites:

  1. Apache must be configured to require SSL client certs for the entire application. See http://www.cacert.org/help.php?id=9 for a tutorial on how to do this.
  2. User accounts must be manually entered. A link is provided for users with acceptable PKI / x509 Certs to send an email with the required information to the administrator.
  3. The common name field is used for authentication. This should be the user's username. Common names should be unique within the accepted list of PKI domains.
  4. A password must be set in the database that is an md5 hash (or can be cleartext) of the $g_pki_password that is set in the config_inc.php file. This is not used other than to work within the existing Mantis authentication schema.
puchrojo

puchrojo

2013-02-11 04:39

reporter   ~0035100

Broken link von strushb: the new are: http://wiki.cacert.org/HELP/9

It is possible to enable identification with password or with certificate? I would thanks for any info.

ssimpson

ssimpson

2013-02-12 09:31

reporter   ~0035106

With Apache, client certificates can be optional but there are (were?) some bugs with a mixed configuration.

It has been several years since I fought the issue, so not sure if Apache has resolved it or not, but there used to be a problem with large files(packets) being transferred when part of the web server is configured to take certs & part isn't.

But assuming that the Apache issues is resolved or can be worked around, I'm sure that it could be done. It is certainly not as simple as what I have done, but it could be done.

I have code changes for the latest MantisBT to support PKI, but they would have to be packaged up to add here.

azaghal

azaghal

2013-03-15 09:12

reporter   ~0035876

I'm very interested in having this feature added to MantisBT. I'm working on a community project where we'd find this useful.

Would it be possible to see the latest patches you have for current MantisBT version attached to this issue?

I've had a quick look at the 1.1.1 version, and there's certainly some thing I might like to adjust a bit (for start adding options for mapping specific attribute of subject DN to username, or allowing full DN to be used). Mapping some subjectAltName to username could be interesting as well (like e-mail address).

The fixed password thing also look to be a little bit of a hack - any sane way to avoid that one?

As for using client authentication only on part of a website, I think the underlying problem was some security-related issue that's consequence of the TLS protocol itself (iirc)?

Issue History

Date Modified Username Field Change
2003-08-20 19:32 mmdolze New Issue
2003-08-21 08:00 ritesh Note Added: 0004551
2004-07-31 21:07 vboctor Relationship added related to 0004235
2004-08-07 09:28 grangeway Status new => acknowledged
2007-07-09 05:39 strushb Note Added: 0014909
2008-01-22 14:55 ssimpson Note Added: 0016761
2008-01-24 08:28 ssimpson File Added: mantis-1.1.1_to_pki.zip
2008-01-24 08:39 ssimpson Note Added: 0016792
2013-02-11 04:39 puchrojo Note Added: 0035100
2013-02-12 09:31 ssimpson Note Added: 0035106
2013-03-15 09:12 azaghal Note Added: 0035876