
Is it possible to force Apache to ask for a password only if the user doesn't have a client certificate installed?

I'm almost sure that this is possible, but I'm not able to find any confirmation anywhere.

Is it possible to configure Apache to act like this:

If the user has a client certificate, Apache will allow the connection to the web page without any problem or question. If a user certificate is not available on the client side, it will ask for Basic Auth authentication, so it will ask for a password?

How do I configure it? I've been fighting this since morning without finding any solution to stick with.

Lisek
  • Did you read the [manual](http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions), and especially the `SSLOptions +FakeBasicAuth` section? – HBruijn Feb 24 '14 at 12:43
  • Sure I did ;) But I'm not sure I really understand it. Here is something I've tried: http://httpd.apache.org/docs/trunk/ssl/ssl_howto.html#certauthenticate But it's not working as I want. 1. It asks for a certificate. If there is no certificate, no access is granted. If I give a certificate, access is granted and Basic Auth is triggered, asking for login and password. But it's not accepting the password I created in the file with htpasswd; instead it tries to validate the user created from the certificate data. I've tried to create such a user manually, but it's not working either. So I'm stuck ;) – Lisek Feb 24 '14 at 15:24
  • Once again, what I need is: if a certificate is provided, access is granted. If the certificate is absent, ask for a password, and if validated, grant access. Right now, it asks for a password after certificate validation. Tried with SSLRequire optional – Lisek Feb 24 '14 at 15:28
  • OK. So it works like this right now. If there is no certificate, it's OK: it asks for a password, and if typed correctly allows access to the site. If a certificate is provided, auth should not appear, but it appears. In error.log I've got `password mismatch for user: /C=Something/ST=Something/L=Something/O=Something/OU=Something/CN=backup-something.com`, and the CN is my server's name also. I think the Apache config is OK, but I need to prepare the passfile with htpasswd in some special way, or create the certificate in some special way. But how? ;) – Lisek Feb 24 '14 at 15:39
  • OK. SOLVED! :P What was needed was to change the password in the passfile to `xxj31ZMTZzkVA`, which is "password" (read from the Apache manual). Works great! – Lisek Feb 24 '14 at 15:49
  • The .htpasswd file should contain the users that authenticate with client certs as well as the ones using basic auth. The username in the password file is the SubjectName as set in the client certificate. `openssl x509 -noout -subject -in client-certificate.crt` will show that username. The "encrypted" password in the password file must be `xxj31ZMTZzkVA` for all users that authenticate with a client certificate. And SSLVerifyClient should be optional. – HBruijn Feb 24 '14 at 15:50

1 Answer


Here is a script to get the entries for the password file from the certificates (see also https://serverfault.com/posts/747107).

In the .fakehttpsauth file you need to put entries like:

```
/C=US/ST=CA/O=Doe Inc/CN=John Doe/emailAddress=john@doe.com:xxj31ZMTZzkVA
```

Here is a script to create such entries from your certificates:

```bash
#!/bin/bash
# export the certificates in fake auth format
# see https://serverfault.com/questions/533639/apache-authentication-with-ssl-certificate-and-sslusername
# WF 2016-01-06
# crypt() hash of "password" with salt "xx"; this is always xxj31ZMTZzkVA,
# so fall back to the literal where "openssl passwd -crypt" is not available
fakepass=$(openssl passwd -crypt -salt xx password 2>/dev/null || echo xxj31ZMTZzkVA)
for c in *.crt
do
  # -noout drops the PEM block so only the text dump is searched for "Subject:"
  openssl x509 -in "$c" -text -noout | grep 'Subject:' | gawk -v fakepass="$fakepass" '
BEGIN { FS="," }
{
  # strip the label, then emit each comma-separated RDN as /key=value
  gsub("Subject: ","",$0)
  for (i=1;i<=NF;i++) {
    f=trim($i)
    printf("/%s",f);
  }
  # terminate the entry with the fixed fake password
  printf(":%s\n",fakepass);
}

# see https://gist.github.com/andrewrcollins/1592991
function ltrim(s) { sub(/^[ \t\r\n]+/, "", s); return s }
function rtrim(s) { sub(/[ \t\r\n]+$/, "", s); return s }
function trim(s)  { return rtrim(ltrim(s)); }
'
done
```
Wolfgang Fahl
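The configuration the comments converge on (`SSLVerifyClient optional` plus `FakeBasicAuth` over one shared password file), written out as an added example; it is not from the question or the answer, uses Apache 2.4 syntax, and the server name, file paths and CA bundle are placeholders.

```apache
# Added example, not from the question or answer. Apache 2.4 syntax;
# ServerName, file paths and the client CA bundle are placeholders.
<VirtualHost *:443>
    ServerName www.example.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # CA that issued the client certificates. "optional" asks for a client
    # cert but lets the request continue without one, so the auth layer
    # below decides; a presented cert that fails verification still fails
    # the handshake.
    SSLCACertificateFile /etc/ssl/certs/client-ca.crt
    SSLVerifyClient optional
    SSLVerifyDepth 2

    <Location />
        # A verified client cert is turned into a Basic-auth login with the
        # subject DN as the user and "password" as the password.
        # LegacyDNStringFormat keeps the 2.2-style "/C=US/ST=CA/..." DN that
        # the answer's script emits; without it 2.4 uses the RFC 2253 form
        # ("CN=John Doe,O=Doe Inc,..."), and the file entries must match.
        SSLOptions +FakeBasicAuth +LegacyDNStringFormat
        AuthType Basic
        AuthName "Client certificate or password"
        # One file holds both kinds of entry: DN users with the crypt() hash
        # of "password" (xxj31ZMTZzkVA) and ordinary htpasswd users.
        AuthUserFile /etc/apache2/.fakehttpsauth
        Require valid-user
    </Location>
</VirtualHost>
```

Because the fake password is a fixed, documented value, a plain Basic login that supplies a DN as the username and `password` as the password matches the same entries without any certificate, so the DN entries are only as private as the DNs themselves; keep the file readable by the Apache user only and do not reuse it for other realms.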