redmine_ssl_auth

redmine_ssl_auth copied to clipboard

= Redmine SSL auth plugin

This redmine plugin enables authentication using SSL client certificates

== Usage

It's very simple

• Install the plugin: ruby script/plugin install git://github.com/koke/redmine_ssl_auth.git
• Configure apache for SSL authentication (see Configuration)
• Visit https://YOURSITE/login and it will login automatically

== Notes

• This plugin expects the CN of the certificate to be an email address
• A user with that email address should exist in the database
• This doesn't check any password, so implement certificate verification in Apache
• You can visit /login?skip_ssl=1 to skip SSL authentication and do regular login

== Configuration

Nice tutorial: http://www.vanemery.com/Linux/Apache/apache-SSL.html

In my case, I find this to be the configuration I wanted

    SSLEngine on
    SSLProtocol all 
    SSLCipherSuite HIGH:MEDIUM

    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile /etc/apache2/ssl/ca.crt

    SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    SSLOptions +FakeBasicAuth
    
    <Location /login/ssl>
      SSLVerifyClient require
    </Location>

    <Location />
       AuthName "eBox HQ"
       AuthType Basic
       AuthUserFile /etc/apache2/passwd/team
       #Require valid-user
    </Location>

By making SSLVerifyClient optional and commenting Require valid-user, it's possible to login without a certificate, using the regular login/password. A link is shown in the login form to require SSL authentication, see the Location /login/ssl section in the apache configuration.

If you want to force your users to use certificates, change SSLVerifyClient to require and uncomment Require valid-user

== Questions

To [email protected]

Please, don't ask about apache configuration. I don't know much more than it's already here. Email about the plugin (bugs, patches, suggestions, ...) is welcome :)