I recently hacked Kerberos authentication onto the Gitorious web interface. In conjunction with Apache's mod_auth_kerb, the Rails app pulls the username out of request.env['REMOTE_USER'] and uses that in a manner similar to the current code's OpenID handling: If the user doesn't yet exist in the database, then use "kerberos_build" / "kerberos_create" methods in the user_controller to create his or her account. If the user does exist, just log them in.
The current Gitorious code assumes that any form of authentication is going to happen via Rails' web forms - either an OpenID URL, or a username/password combo. There's not much room to delegate authentication up to Apache. This affects the mod_auth_kerb SPNEGO use case, but it also affects efforts to support other Apache authentication mechanisms, like SSL client cert authentication via mod_ssl. I ended up modifying the session_controller to do a "using_kerberos?" check within the "create" method, but I'm not sure this is the best approach. I'd love to hear ideas from someone who knows more about Rails and Gitorious :)
It would also be awesome to combine this Kerberos auth support along with the LDAP features that are present in the latest Gitorious versions. I'm not sure how straightforward it would be to combine these, though. I would only want to use the directory information lookup portions of the code in order to pre-populate information about a user, and skip the password-verification parts.
And of course, it would also be great to support Kerberos auth for SSH, in addition to the web interface. But I haven't gotten that far :)
Ken,

Great work! I know next to nothing about Kerberos, but it's been on my todo list for a while to investigate how to support it in Gitorious.
I see that you had to do quite some legwork to allow for an authentication API that doesn't require an explicit username and password. I'd really prefer a single authentication API rather than branching logic in the client code.
The authentication modules probably should take a single parameter, not an explicit username/password combination. This way, "your" module would receive the HTTP request as its parameter to authenticate (instead of the separate authenticate_http method). We'll just wrap the existing email address/password combination into an object and pass that to the other authentication modules, e.g.:
module Gitorious
  module Authentication
    class DatabaseAuthentication
      # Takes one credentials object instead of a separate username and password
      def authenticate(credentials)
        User.authenticate(credentials.username, credentials.password)
      end
    end
  end
end
I'm thinking that this would make your code even easier to read, what do you think?
On Fri, Apr 13, 2012 at 1:52 AM, Ken Dreyer <ktdre...@ktdreyer.com> wrote:
> On Wed, Apr 11, 2012 at 8:10 PM, Ken Dreyer <ktdre...@ktdreyer.com> wrote:
> > I recently hacked Kerberos authentication onto the Gitorious web
> > interface.
> I ended up implementing this in a less hackish way, with a proper
> Gitorious::Authentication::KerberosAuthentication module. The core
> code changes are not as daunting now.
>
> I added a "authenticate_http" method to the main
> Gitorious::Authentication module, to support authentication modules
> that do not use a username+password combination.
>
> Lastly, I added an "http" method to the sessions controller, which
> will handle single sign-on authentication.
>
> Patch against master is attached.
--
Marius Mårnes Mathiesen
Rubyist, Shortcut AS
Tel.: (+47) 92 60 95 38.
On Tue, Apr 17, 2012 at 2:32 AM, Marius Mårnes Mathiesen
<marius.mathie...@gmail.com> wrote:
> Great work! I know next to nothing about Kerberos, but it's been on my todo
> list for a while to investigate how to support it in Gitorious.
Thanks! I appreciate your review and your feedback.
I implemented your suggestion for modifying the auth plugin API, and broke that off into my first patch. I tried to update the test suite to match this change.
Kerberos auth is in the second patch. It is similar to the patch I previously emailed, with the following improvements:

- Add a "pretty" HTTP 401 error page to match the rest of Gitorious's look and feel. The web server will show this error if the user's Kerberos credentials are missing or invalid, or if the user's browser is not properly configured for Kerberos authentication.
- When auto-registering a user, set the default email address to use the user's original Kerberos principal, rather than the sanitized Gitorious username.
- Add a basic set of tests.
Both patches are attached, rebased against current master (430eb2bda). Please let me know if these look ok :)
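The following is an added example, not code from either of the patches or from Gitorious itself. It sketches the single-parameter authentication API Marius proposed (every module gets one argument and returns a User or nil) together with the Kerberos behaviour Ken describes for the second patch: the principal is read from REMOTE_USER as set by mod_auth_kerb, the login is derived from a sanitised principal while the e-mail keeps the original principal, and an auto-registered account has no password so a form login against it fails. The User class, the sanitising rule, the SHA-256 stand-in for the password store, and the http_login function are all constructed assumptions for this example.

```ruby
require 'digest'

# Constructed stand-in for the Rails User model: a hash-backed store instead
# of ActiveRecord, with an unsalted SHA-256 digest where real code would use
# a proper password hash such as bcrypt.
class User
  attr_reader :login, :email

  @store = {}
  class << self
    attr_reader :store

    def create(login:, email:, password: nil)
      store[login] = new(login, email, password)
    end

    def find_by_login(login)
      store[login]
    end

    # Username/password check used by the database module.
    def authenticate(login, password)
      user = store[login]
      user if user && user.password_matches?(password)
    end
  end

  def initialize(login, email, password)
    @login = login
    @email = email
    @digest = password && Digest::SHA256.hexdigest(password)
  end

  # Auto-registered Kerberos accounts carry no password, so a form login
  # against them must fail rather than match an empty string.
  def password_matches?(password)
    return false if @digest.nil? || password.nil?
    @digest == Digest::SHA256.hexdigest(password)
  end
end

module Gitorious
  module Authentication
    # Wraps the form's username (or e-mail) and password into one object.
    Credentials = Struct.new(:username, :password)

    class DatabaseAuthentication
      def authenticate(subject)
        return nil unless subject.is_a?(Credentials)
        User.authenticate(subject.username, subject.password)
      end
    end

    class KerberosAuthentication
      # mod_auth_kerb has already verified the ticket and exported the
      # principal as REMOTE_USER; no password ever reaches the application.
      def authenticate(subject)
        return nil unless subject.is_a?(Hash)
        principal = subject['REMOTE_USER'].to_s
        login = sanitize(principal)
        return nil if login.empty?
        # The e-mail defaults to the original principal, not the sanitised login.
        User.find_by_login(login) || User.create(login: login, email: principal)
      end

      # Assumed sanitising rule: drop the realm, lower-case, and map anything
      # outside [a-z0-9_-] to "-" so the result is a valid Gitorious login.
      def sanitize(principal)
        principal[/\A[^@]*/].downcase.gsub(/[^a-z0-9_\-]/, '-')
      end
    end

    def self.modules
      @modules ||= [DatabaseAuthentication.new, KerberosAuthentication.new]
    end

    # Single entry point: every module gets the same one argument and returns
    # a User or nil, so the controller needs no per-mechanism branching.
    def self.authenticate(subject)
      modules.each do |mod|
        user = mod.authenticate(subject)
        return user if user
      end
      nil
    end
  end
end

# Stand-in for the sessions controller's "http" action. Apache normally
# rejects unauthenticated requests with its own 401 page before Rails sees
# them; this check is the application-side fallback.
def http_login(env)
  user = Gitorious::Authentication.authenticate(env)
  return [401, 'Kerberos credentials missing or invalid'] unless user
  [200, "logged in as #{user.login}"]
end
```

Each module decides from the type of its single argument whether the request is for it, so adding a further Apache-side mechanism (for instance a client-certificate module reading a different REMOTE_USER source) means adding one class to the modules list rather than another branch in the sessions controller.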
On Wed, May 2, 2012 at 5:33 AM, Ken Dreyer <ktdre...@ktdreyer.com> wrote:
> On Mon, Apr 23, 2012 at 9:20 AM, Ken Dreyer <ktdre...@ktdreyer.com> wrote:
> > Both patches are attached, rebased against current master (430eb2bda).
> > Please let me know if these look ok :)
> Gitorious devs,
> If my approach here is ok, please let me know and I'll submit a merge
> request to get this into mainline.
First of all: sorry for being unresponsive.
I think this looks really good, and I'd love it if you'd submit a merge
request for it.
On Thu, May 3, 2012 at 11:26 AM, Marius Mårnes Mathiesen
> On Wed, May 2, 2012 at 5:33 AM, Ken Dreyer <ktdre...@ktdreyer.com> wrote:
> I think this looks really good, and I'd love it if you'd submit a merge
> request for it.