AKosygin
05-18-2007, 10:00 PM
Description:
This modification allows you to process authentication on your vBulletin based upon supplied Client SSL Authentication Certificates or SmartCard based certificates. All the user has to do is click the "log in" button on the Username/Password box without entering anything, and vBulletin will automatically log in with the SmartCard or Client SSL Certificate credentials.
This mod is in its inception stages, and improvements and feedback are welcomed. Security checks are also much appreciated. This is at a proof of concept stage, and hopefully I will add the ability to change or detect the fields needed.
Features:
Allows the use of SmartCard login
Linked credentials checking with Client Authentication Certificates
Extra Requirements:
mod_ssl enabled Apache 1.3.29+1.53 or later. (Very important!)
.htaccess modifications (specified below)
httpd.conf OR virtual host level HTTP access.
PKI client certificates
A trusted certification authority (just a CA you trust)
NOTE: This modification does not work on installations using Microsoft IIS yet. The parameter calls and the DN formatting are different from Apache.
TO DO:
Configurable options
Automatic configuration
SmartCard removal detection
IIS Support
Installation:
1.) You must have installed Apache with mod_ssl enabled. Please search the Apache.org pages or Google how to enable SSL.
2.) Once mod_ssl is enabled, you must now enable Apache to accept client certificates. You may want to consult this page while following the instructions written on this post: http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
3.) Go to either httpd.conf OR the Virtual Host block (e.g. <VirtualHost 1.2.3.4:80>) where vBulletin is installed and add the following line:
SSLCACertificateFile /filename/and/path/to/trusted/Issuing/Certificate/Authority/certificate.pem
EXTREMELY IMPORTANT: You must specifically define a Certificate Authority you trust to identify and certify each user; do not use the "optional_no_ca" option for SSLVerifyClient, as anyone could then make a certificate and impersonate a user. Apache MUST deny and ignore the certificate presented by the user if it is issued by a CA that you do not trust!
WARNING: The setting presented here will NOT check for Certificate Revocation, meaning if a certificate is revoked, Apache will still happily accept the certificate as valid. If you wish to enable revocation checking, please add the SSLCARevocationPath directive after the SSLCACertificateFile directive.
4.) Then in the .htaccess file (or at the Virtual Host level if you want the whole site) add the following:
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth +StrictRequire +StdEnvVars
You may want to change the "SSLVerifyDepth" as needed depending on how far up the trusting CA is on the Certificate Chain.
5.) Create two new user profile fields, one named "SmartCard Certificate DN" and another named "Enable SmartCard Authentication?"
For the "SmartCard Certificate DN", it is a "single-line text box" field with the following options:
Max length of allowed user input - 255
Field Length - 45
Field Required - No
Field Editable by User - Yes
Private Field - Yes
Field Searchable on Members List - No
Show on Members List - No
Then for the "Enable SmartCard Authentication?" it is a "Single Selection Radio Buttons" field type, with the following options:
Options - First line is "No" and second line is "Yes"
Set Default - Yes
Field Required - Yes, Always
Field Editable by User - Yes
Private Field - Yes
Field Searchable on Members List - No
Show on Members List - No
Allow user to input their own value for this option - No
6.) After you have created those two profile fields, make a note of the "Name" of each field, whether it is "field5" or "field10" or whatever the field name is; you will need it to modify the code.
7.) Install the product package.
8.) Go to the "Plugin Manager" and edit the plugin with the "SmartCard Login after Interactive Login Failure" in the title.
9.) Find this line:
$userArray = $vbulletin->db->query_first("SELECT `userid` FROM `" . TABLE_PREFIX . "userfield` WHERE `field5` = '" . $_SERVER["SSL_CLIENT_S_DN"] . "' AND `field6` = 'Yes'");
and change "field5" to the field used for "SmartCard Certificate DN" and "field6" to the field used for "Enable SmartCard Authentication?".
10.) Save the file and edit the appropriate user's profile with the appropriate Certificate Subject Distinguished Name information and login should work.
That's it.
I hope this mod is useful; suggestions are welcomed.
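As an added example (not part of the mod's package), here is a hardened version of the step 9 lookup that a reviewer would want in place of the one-liner: it checks that mod_ssl actually verified a certificate, escapes the DN before building the query, and keeps the opt-in check. It assumes vBulletin 3.x, where $vbulletin->db->escape_string() and query_first() exist, and the +StdEnvVars setting from step 4; "field5" and "field6" are the placeholder field names from step 9.

```php
<?php
// Added example, not the plugin's own code. Hardened replacement for the
// userfield lookup in step 9. Assumes vBulletin 3.x ($vbulletin->db with
// escape_string() and query_first()) and mod_ssl exporting +StdEnvVars.
define('SMARTCARD_DN_FIELD',     'field5');   // "SmartCard Certificate DN"
define('SMARTCARD_ENABLE_FIELD', 'field6');   // "Enable SmartCard Authentication?"

/**
 * Return the userid bound to the presented client certificate, or 0.
 *
 * Three checks the original one-liner does not make:
 *  1. SSL_CLIENT_VERIFY must be "SUCCESS". With "SSLVerifyClient optional"
 *     a request with no certificate still reaches the script, and an unset
 *     DN ('') would otherwise match any user who left the DN field empty
 *     but set the radio button to "Yes".
 *  2. The DN is escaped before it is placed in the query. A CA-issued DN is
 *     not attacker-chosen, but a CN such as O'Brien contains a quote and
 *     breaks (or alters) the SQL when concatenated raw.
 *  3. The opt-in field must be "Yes", so a DN pasted into a profile does
 *     nothing until the owner enables the feature.
 */
function smartcard_lookup_userid($vbulletin, array $server)
{
    if (!isset($server['SSL_CLIENT_VERIFY']) || $server['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
        return 0;
    }
    $dn = isset($server['SSL_CLIENT_S_DN']) ? trim($server['SSL_CLIENT_S_DN']) : '';
    if ($dn === '' || strlen($dn) > 255) {    // 255 = max length set in step 5
        return 0;
    }
    $row = $vbulletin->db->query_first(
        "SELECT `userid` FROM `" . TABLE_PREFIX . "userfield`"
        . " WHERE `" . SMARTCARD_DN_FIELD . "` = '" . $vbulletin->db->escape_string($dn) . "'"
        . " AND `" . SMARTCARD_ENABLE_FIELD . "` = 'Yes'"
    );
    return $row ? (int) $row['userid'] : 0;
}

// Inside the plugin, replace the original query with:
// $userid = smartcard_lookup_userid($vbulletin, $_SERVER);
// and only proceed with the automatic login when $userid > 0.
```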