Skip to content

Enable authentication in Redmine using SSL client certificates

Notifications You must be signed in to change notification settings

skreuter/redmine_ssl_auth

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Redmine SSL auth plugin for Redmine 2.x

This redmine plugin enables authentication using SSL client certificates. This fork adds support of the REMOTE_USER environment variable set by apache for all users authenticated. In combination with the FakeBasicAuth this contains the DN of a client certificate.

The original module can be found on github.com/koke/redmine_ssl_auth.git. This fork is based on the excellent port to Redmine 2.x by github.com/tranthamp/redmine_ssl_auth.git.

Usage

It’s very simple

  • Install the plugin:

    cd YOURREDMINESRC/plugins
    git clone git://github.com/seeraven/redmine_ssl_auth.git
  • Follow the note of tranthamp:

    In order for this plugin to work correctly, you must comment out the
    default root and login routes in the redmine app's config/routes.rb. This
    is due to the fact that those routes are matched before the plugin's routes.

    So edit your config/routes.rb file now!

  • Just to be on the safe side, perform the plugin migration stuff:

    rake redmine:plugins:migrate RAILS_ENV=production
  • Restart your webserver:

    /etc/init.d/apache2 restart
  • Configure apache for SSL authentication (see Configuration)

  • Visit YOURSITE/login and it will login automatically

Notes

  • This plugin expects the CN of the certificate to be an email address

  • A user with that email address should exist in the database

  • This doesn’t check any password, so implement certificate verification in Apache

  • You can visit /login?skip_ssl=1 to skip SSL authentication and do regular login

Configuration

Nice tutorial: www.vanemery.com/Linux/Apache/apache-SSL.html

In my case, I find this to be the configuration I wanted

SSLEngine on
SSLProtocol all 
SSLCipherSuite HIGH:MEDIUM

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCACertificateFile /etc/apache2/ssl/ca.crt

SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars     # <= This takes much time and is not necessary with this version!
SSLOptions +FakeBasicAuth

<Location /login/ssl>
  SSLVerifyClient require
</Location>

<Location />
   AuthName "eBox HQ"
   AuthType Basic
   AuthUserFile /etc/apache2/passwd/team
   #Require valid-user
</Location>

By making SSLVerifyClient optional and commenting Require valid-user, it’s possible to login without a certificate, using the regular login/password. A link is shown in the login form to require SSL authentication, see the Location /login/ssl section in the apache configuration.

If you want to force your users to use certificates, change SSLVerifyClient to require and uncomment Require valid-user

Questions

To jbernal@ebox-platform.com

Please, don’t ask about apache configuration. I don’t know much more than it’s already here. Email about the plugin (bugs, patches, suggestions, …) is welcome :)

About

Enable authentication in Redmine using SSL client certificates

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Ruby 100.0%