I recently hacked Kerberos authentication onto the Gitorious web interface.
In conjunction with Apache's mod_auth_kerb, the Rails app pulls the
username out of request.env['REMOTE_USER'] and uses that in a manner
similar to the current code's OpenID handling: If the user doesn't yet
exist in the database, then use "kerberos_build" / "kerberos_create"
methods in the user_controller to create his or her account. If the user
does exist, just log them in.

The current Gitorious code assumes that any form of authentication is going
to happen via Rails' web forms - either an OpenID URL, or a
username/password combo. There's not much room to delegate authentication
up to Apache. This affects the mod_auth_kerb SPNEGO use case, but it also
affects efforts to support other Apache authentication mechanisms, like SSL
client cert authentication via mod_ssl. I ended up modifying the
session_controller to do a "using_kerberos?" check within the "create"
method, but I'm not sure this is the best approach. I'd love to hear ideas
from someone who knows more about Rails and Gitorious :)

It would also be awesome to combine this Kerberos auth support along with
the LDAP features that are present in the latest Gitorious versions. I'm
not sure how straightforward it would be to combine these, though. I would
only want to use the directory information lookup portions of the code in
order to pre-populate information about a user, and skip the
password-verification parts.

And of course, it would also be great to support Kerberos auth for SSH, in
addition to the web interface. But I haven't gotten that far :)

I added a "authenticate_http" method to the main
Gitorious::Authentication module, to support authentication modules
that do not use a username+password combination.

Lastly, I added an "http" method to the sessions controller, which
will handle single sign-on authentication.

Patch against master is attached.

0001-implement-Kerberos-authentication.patch 13K Download

Ken,
Great work! I know next to nothing about Kerberos, but it's been on my todo
list for a while to investigate how to support it in Gitorious.

I see that you had to do quite some legwork to allow for an authentication
API that doesn't require an explicit username and password. I'd really
prefer a single authentication API than branching logic in the client code.

The authentication modules probably should take a single parameter, not an
explicit username/password combination. This way, "your" module would
receive the HTTP request as its parameter to authenticate (instead of the
separate authenticate_http method). We'll just wrap the existing email
address/password combination into an object and pass that to the other
authentication modules, eg.:

module Gitorious
  module Authentication
    class DatabaseAuthentication
      def authenticate(credentials)
        User.authenticate(credentials.username, credentials.password)
      end
    end
  end
end

I'm thinking that this would make your code even easier to read, what do
you think?

And again: thanks! We really appreciate this.

Cheers,
- Marius

http://shortcut.no

On Tue, Apr 17, 2012 at 2:32 AM, Marius Mårnes Mathiesen

I implemented your suggestion for modifying the auth plugin API, and
broke that off into my first patch. I tried to update the test suite
to match this change.

Kerberos auth is in the second patch. It is similar the patch I
previously emailed, with the following improvements:
-  Add a "pretty" HTTP 401 error page to match the rest of Gitorious's
look and feel. The web server will show this error if the user's
Kerberos credentials are missing or invalid, or if the user's browser
is not properly configured for Kerberos authentication.
- When auto-registering a user, set the default email address to use
the user's original Kerberos principal, rather than the sanitized
Gitorious username.
- Add a basic set of tests.

Both patches are attached, rebased against current master (430eb2bda).
Please let me know if these look ok :)

- Ken

0001-wrap-authenticate-parameters-in-a-credential-object.patch 18K Download

0002-implement-Kerberos-authentication.patch 20K Download

If my approach here is ok, please let me know and I'll submit a merge
request to get this into mainline.

- Ken

I think this looks really good, and I'd love it if you'd submit a merge
request for it.

Thanks - this is really appreciated!

Cheers,
- Marius

- Ken