Kerberos authentication


Ken Dreyer

Apr 11, 2012, 10:10:50 PM
to gito...@googlegroups.com
I recently hacked Kerberos authentication onto the Gitorious web interface. In conjunction with Apache's mod_auth_kerb, the Rails app pulls the username out of request.env['REMOTE_USER'] and uses that in a manner similar to the current code's OpenID handling: If the user doesn't yet exist in the database, then use "kerberos_build" / "kerberos_create" methods in the user_controller to create his or her account. If the user does exist, just log them in.

The current Gitorious code assumes that any form of authentication is going to happen via Rails' web forms - either an OpenID URL, or a username/password combo. There's not much room to delegate authentication up to Apache. This affects the mod_auth_kerb SPNEGO use case, but it also affects efforts to support other Apache authentication mechanisms, like SSL client cert authentication via mod_ssl. I ended up modifying the session_controller to do a "using_kerberos?" check within the "create" method, but I'm not sure this is the best approach. I'd love to hear ideas from someone who knows more about Rails and Gitorious :)

It would also be awesome to combine this Kerberos auth support along with the LDAP features that are present in the latest Gitorious versions. I'm not sure how straightforward it would be to combine these, though. I would only want to use the directory information lookup portions of the code in order to pre-populate information about a user, and skip the password-verification parts.

And of course, it would also be great to support Kerberos auth for SSH, in addition to the web interface. But I haven't gotten that far :)

Ken Dreyer

Apr 12, 2012, 7:52:56 PM
to gito...@googlegroups.com
On Wed, Apr 11, 2012 at 8:10 PM, Ken Dreyer <ktdr...@ktdreyer.com> wrote:
> I recently hacked Kerberos authentication onto the Gitorious web interface.

I ended up implementing this in a less hackish way, with a proper
Gitorious::Authentication::KerberosAuthentication module. The core
code changes are not as daunting now.

I added a "authenticate_http" method to the main
Gitorious::Authentication module, to support authentication modules
that do not use a username+password combination.

Lastly, I added an "http" method to the sessions controller, which
will handle single sign-on authentication.

Patch against master is attached.

0001-implement-Kerberos-authentication.patch

Marius Mårnes Mathiesen

Apr 17, 2012, 4:32:06 AM
to gito...@googlegroups.com
Ken,
Great work! I know next to nothing about Kerberos, but it's been on my todo list for a while to investigate how to support it in Gitorious.

I see that you had to do quite some legwork to allow for an authentication API that doesn't require an explicit username and password. I'd really prefer a single authentication API to branching logic in the client code.

The authentication modules probably should take a single parameter, not an explicit username/password combination. This way, "your" module would receive the HTTP request as its parameter to authenticate (instead of the separate authenticate_http method). We'll just wrap the existing email address/password combination into an object and pass that to the other authentication modules, e.g.:

module Gitorious
  module Authentication
    class DatabaseAuthentication
      def authenticate(credentials)
        User.authenticate(credentials.username, credentials.password)
      end
    end
  end
end

I'm thinking that this would make your code even easier to read, what do you think?

And again: thanks! We really appreciate this.

Cheers,
- Marius

--
Marius Mårnes Mathiesen
Rubyist, Shortcut AS
Tel.: (+47) 92 60 95 38.

http://shortcut.no

Ken Dreyer

Apr 23, 2012, 11:20:12 AM
to gito...@googlegroups.com
On Tue, Apr 17, 2012 at 2:32 AM, Marius Mårnes Mathiesen
<marius.m...@gmail.com> wrote:
> Great work! I know next to nothing about Kerberos, but it's been on my todo
> list for a while to investigate how to support it in Gitorious.

Thanks! I appreciate your review and your feedback.

I implemented your suggestion for modifying the auth plugin API, and
broke that off into my first patch. I tried to update the test suite
to match this change.

Kerberos auth is in the second patch. It is similar to the patch I
previously emailed, with the following improvements:
- Add a "pretty" HTTP 401 error page to match the rest of Gitorious's
look and feel. The web server will show this error if the user's
Kerberos credentials are missing or invalid, or if the user's browser
is not properly configured for Kerberos authentication.
- When auto-registering a user, set the default email address to use
the user's original Kerberos principal, rather than the sanitized
Gitorious username.
- Add a basic set of tests.

Both patches are attached, rebased against current master (430eb2bda).
Please let me know if these look ok :)

- Ken

0001-wrap-authenticate-parameters-in-a-credential-object.patch
0002-implement-Kerberos-authentication.patch
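Tying together the single-parameter authenticate API Marius sketches above and the Kerberos flow Ken describes (REMOTE_USER set by mod_auth_kerb, auto-registration, a sanitized login with the original principal kept as the default email), as an added example that is neither Gitorious code nor anything either of them posted; the User stand-in, Credentials, FakeRequest and the sanitizing rule are assumptions made here:

```ruby
# Added example, not Gitorious code: the single-parameter authenticate API
# Marius sketches, plus a Kerberos module trusting REMOTE_USER as set by
# Apache's mod_auth_kerb (Ken's design). User, Credentials, FakeRequest and
# the principal-to-username rule are assumptions made for this example.
class User # in-memory stand-in for the Rails model (plain password compare)
  attr_reader :login, :email, :password
  @@store = {}
  def initialize(login, email, password)
    @login, @email, @password = login, email, password
  end
  def self.create!(login, email, password = nil)
    @@store[login] = new(login, email, password)
  end
  def self.find_by_login(login); @@store[login]; end
  def self.authenticate(login, password)
    u = @@store[login]
    u if u && password && u.password == password
  end
end

# One object carries whatever a module needs: login+password, or the request.
Credentials = Struct.new(:username, :password, :request)
FakeRequest = Struct.new(:env) # stands in for ActionDispatch::Request

module Gitorious
  module Authentication
    class DatabaseAuthentication
      def authenticate(credentials)
        User.authenticate(credentials.username, credentials.password)
      end
    end
    class KerberosAuthentication
      # REMOTE_USER is trustworthy only because mod_auth_kerb sets it after
      # validating the SPNEGO ticket: it is a server-side env entry, not a
      # client header, so the app must be reachable only through that Apache.
      def authenticate(credentials)
        principal = credentials.request.env['REMOTE_USER'].to_s
        return nil if principal.empty? # Apache answers 401 before we get here
        login = sanitize(principal)
        # Auto-register on first sight: sanitized login, principal as email.
        User.find_by_login(login) || User.create!(login, principal)
      end
      # "ken@EXAMPLE.COM" -> "ken"; anything outside [a-z0-9_-] becomes "_"
      def sanitize(principal)
        principal.split('@').first.downcase.gsub(/[^a-z0-9_-]/, '_')
      end
    end
  end
end
```

A session controller would pick one configured module and call `authenticate(credentials)` on it, so the client code no longer branches on the credential type.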

Ken Dreyer

May 1, 2012, 11:33:44 PM
to gito...@googlegroups.com
On Mon, Apr 23, 2012 at 9:20 AM, Ken Dreyer <ktdr...@ktdreyer.com> wrote:
> Both patches are attached, rebased against current master (430eb2bda).
> Please let me know if these look ok :)

Gitorious devs,

If my approach here is ok, please let me know and I'll submit a merge
request to get this into mainline.

- Ken

Marius Mårnes Mathiesen

May 3, 2012, 1:26:45 PM
to gito...@googlegroups.com
Ken,
First of all: sorry for being unresponsive.

I think this looks really good, and I'd love it if you'd submit a merge request for it.

Thanks - this is really appreciated!

Cheers,
- Marius

Ken Dreyer

May 17, 2012, 3:05:46 PM
to gito...@googlegroups.com
Thanks for the encouragement. I've submitted the merge request here:
https://gitorious.org/gitorious/mainline/merge_requests/202

- Ken