SSL Client Certificate / SmartCard Authentication
Version: 0.01, by AKosygin
Developer Last Online: Apr 2014

Category: Integration with vBulletin - Version: 3.6.4
Released: 05-18-2007 - Last Update: Never - Installs: 9
DB Changes, Uses Plugins, Re-usable Code, Additional Files, Is in Beta Stage
No support by the author.

Description:

This modification allows you to process authentication on your vBulletin forum based upon supplied Client SSL Authentication Certificates or SmartCard based certificates. All the user has to do is click on the "log in" button on the Username/Password box without entering anything, and vBulletin will automatically log in with the SmartCard or Client SSL Certificate credentials.

This mod is in its inception stages, and improvements and feedback are welcomed. Security checks are also much appreciated. This is at a proof of concept stage, and hopefully I will add the ability to change or detect the fields needed.

Features:
  • Allows the use of SmartCard login
  • Linked credentials checking with Client Authentication Certificates

Extra Requirements:
  • mod_ssl enabled Apache 1.3.29+1.53 or later. (Very important!)
  • .htaccess modifications (specified below)
  • Access to httpd.conf OR the virtual host configuration.
  • PKI client certificates
  • A trusted certification authority (just a CA you trust)

NOTE: This modification does not work on installations using Microsoft IIS, yet. The parameter calls and the DN formatting are different from Apache.

TO DO:
  • Configurable options
  • Automatic configuration
  • SmartCard removal detection
  • IIS Support

Installation:

1.) You must have installed Apache with mod_ssl enabled. Please search the Apache.org pages or Google for how to enable SSL.

2.) Once mod_ssl is enabled, you must now enable Apache to accept client certificates. You may want to consult this page while following the instructions written on this post: http://httpd.apache.org/docs/2.0/mod/mod_ssl.html

3.) Go to either httpd.conf OR the Virtual Host block (e.g. <VirtualHost 1.2.3.4:80>) where vBulletin is installed and add the following line:
Code:
SSLCACertificateFile /filename/and/path/to/trusted/Issuing/Certificate/Authority/certificate.pem
EXTREMELY IMPORTANT: You must specifically define a Certificate Authority you trust to identify and certify each user. Do not use the "optional_no_ca" option for SSLVerifyClient, as anyone can then make a certificate and impersonate the user. Apache MUST deny and ignore the certificate presented by the user if the certificate is issued from a CA that you do not trust!

WARNING: The setting presented here will NOT check for Certificate Revocation, meaning if a certificate is revoked, Apache will still happily accept the certificate as valid. If you wish to enable revocation checking, please add the SSLCARevocationPath directive after the SSLCACertificateFile directive.

4.) Then in the .htaccess file (or at the Virtual Host level if you want the whole site) add the following:
Code:
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +FakeBasicAuth +StrictRequire +StdEnvVars
You may want to change the "SSLVerifyDepth" as needed depending on how far up the trusting CA is on the Certificate Chain.

5.) Create two new user profile fields one named "SmartCard Certificate DN" and another named "Enable SmartCard Authentication?"

For the "SmartCard Certificate DN", it is a "single-line text box" field with the following options:
  • Max length of allowed user input - 255
  • Field Length - 45
  • Field Required - No
  • Field Editable by User - Yes
  • Private Field - Yes
  • Field Searchable on Members List - No
  • Show on Members List - No

Then for the "Enable SmartCard Authentication?" it is a "Single Selection Radio Buttons" field type, with the following options:
  • Options - First line is "No" and second line is "Yes"
  • Set Default - Yes
  • Field Required - Yes, Always
  • Field Editable by User - yes
  • Private Field - Yes
  • Field Searchable on Members List - No
  • Show on Members List - No
  • Allow user to input their own value for this option - No

6.) After you have created those two profile fields, make note of the "Name" of each field, whether it is "field5" or "field10" or whatever the field name is; you will need it to modify the code.

7.) Install the product package.

8.) Go to the "Plugin Manager" and edit the plugin with the "SmartCard Login after Interactive Login Failure" in the title.

9.) Find this line:
Code:
$userArray = $vbulletin->db->query_first("SELECT `userid` FROM `" . TABLE_PREFIX . "userfield` WHERE `field5` = '" . $_SERVER["SSL_CLIENT_S_DN"] . "' AND `field6` = 'Yes'");
And change "field5" to the field used for "SmartCard Certificate DN" and "field6" to the field used for "Enable SmartCard Authentication?"

10.) Save the file and edit the appropriate user's profile with the appropriate Certificate Subject Distinguished Name information and login should work.
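As an added example (not code from the mod package), here is a hardened form of the userfield lookup from step 9, checking that Apache actually verified the presented certificate and escaping the DN before it reaches SQL. It assumes vBulletin 3.6's `$vbulletin->db` object (`query_first`, `escape_string`) and `TABLE_PREFIX`, that `SSLOptions +StdEnvVars` from step 4 is in effect, and that `field5`/`field6` are placeholders for the field names noted in step 6.

```php
<?php
// Added example, not the mod's own plugin code: a hardened version of the
// userfield lookup from step 9. Assumes vBulletin 3.6's $vbulletin->db object
// (query_first / escape_string) and TABLE_PREFIX, and that mod_ssl exports the
// SSL_* variables (SSLOptions +StdEnvVars from step 4).

// Assumed field ids: replace with the "Name" values noted in step 6.
define('SMARTCARD_DN_FIELD',     'field5');
define('SMARTCARD_ENABLE_FIELD', 'field6');

/**
 * Return the userid bound to the presented client certificate, or 0 if the
 * request does not carry a certificate that Apache verified.
 */
function smartcard_lookup_userid($vbulletin, array $server)
{
    // With "SSLVerifyClient optional" a request carrying no certificate still
    // reaches PHP: SSL_CLIENT_VERIFY is "NONE" and SSL_CLIENT_S_DN is unset.
    if (!isset($server['SSL_CLIENT_VERIFY']) || $server['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
        return 0;
    }

    $dn = isset($server['SSL_CLIENT_S_DN']) ? trim($server['SSL_CLIENT_S_DN']) : '';
    // Never let an empty DN match a profile whose DN field was left blank
    // while "Enable SmartCard Authentication?" is set to Yes.
    if ($dn === '') {
        return 0;
    }

    // The subject DN is text copied from the certificate request, so treat it
    // as untrusted input and escape it instead of concatenating it raw.
    $row = $vbulletin->db->query_first(
        "SELECT `userid` FROM `" . TABLE_PREFIX . "userfield`" .
        " WHERE `" . SMARTCARD_DN_FIELD . "` = '" . $vbulletin->db->escape_string($dn) . "'" .
        " AND `" . SMARTCARD_ENABLE_FIELD . "` = 'Yes'"
    );

    return empty($row['userid']) ? 0 : (int) $row['userid'];
}

// Call site inside the plugin, after the interactive login has failed:
// $userid = smartcard_lookup_userid($vbulletin, $_SERVER);
```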

That's it.

I hope this mod is useful and suggestions welcomed.


  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
#2  05-19-2007, 02:39 AM
rjmjr69 (Join Date: Jan 2007; Location: Southie; Posts: 876)

Interesting I might give this a shot.

-RESERVED-
#3  05-19-2007, 09:41 AM
maxicep (Join Date: Oct 2006; Location: California; Posts: 288)

reserved,
eyvallah.
#4  05-19-2007, 10:30 AM
sross (Join Date: Mar 2004; Posts: 355)

Seems interesting but I don't know much about the benefits of such a system. Is this a method to, say, prevent trolls from abusing your forums? Is it not easy for someone to own several bogus smart card IDs to use as they please? What does this do in real world examples? Are there problems with international users obtaining the smart card key? Where do they get it from, etc? Thanks!
#5  05-19-2007, 05:34 PM
bela-meaad (Join Date: Jan 2005; Location: Saudi Arabia; Posts: 113)

I'll try it

thanks
#6  05-19-2007, 08:30 PM
AKosygin (Join Date: Oct 2003; Location: Los Angeles County; Posts: 8)

Quote: Originally Posted by sross
Seems interesting but I don't know much about the benefits of such a system. Is this a method to say, prevent trolls from abusing your forums? Is it not easy for someone to own several bogus smart card id's to use as they please? What does this do in real world examples? Are there problems with international users obtaining the smart card key? Where do they get it from, etc? Thanks!
There are two ways to use this modification:
1.) Require SmartCard (or Client SSL Certificates) IN ADDITION to Interactive (Password) login.
OR
2.) Allow SmartCard (or Client SSL Certificates) to REPLACE Interactive login.

Currently the modification is set to option 2, where you can use a SmartCard or Client SSL Certificates bound to your browser to login instead of entering a username and password.

As for several bogus smart card IDs, SmartCard relies on a Public Key Infrastructure, and the certificate that certifies that the user is who they say they are must be signed by a Certification Authority that you trust. So, if you set up the Apache mod_ssl correctly, Apache should refuse (or tell you of) any trust failures; meaning that if the Certificate Authority that is certifying the client certificate is not the one you trust, it will refuse it or tell you it failed to verify. Therefore it is important to set up mod_ssl correctly.

If the Certificate Authority that you trust is handing out certificates just to anyone that says that they are you without verifying this, then you probably need to find another CA that is more trustworthy.

This is especially useful in protecting the adminCP and modCP to rather paranoid levels, requiring two factor authentication if you use it IN ADDITION to the regular login. If you use it in addition to the regular login, the user must present the correct username and password AND the correct certificate. So what you know (username/password) and what you have (certificate/SmartCard).

I will be including the modifications for the "IN ADDITION" part a bit later, but it definitely needs clean-up. The mod definitely relies heavily on mod_ssl to work correctly, but that is the technical limitation.

As for international users, they could use it in the sense that they install the certificate in their browsers as added security, so that a would-be intruder would also need to steal that file instead of just guessing at the username/password. But otherwise, you can easily get SmartCards and their accompanying reader from eBay. Older IBM SecureWay SmartCards are cheap, about $1 or so each (1024 bit keys), less security than more recent industry standards (2048 bit keys), but affordable. The readers range in price, from $9 to $50 each. But as I said, you can just install the certificate in the browser to create an extra layer or make login simpler when you are at home.

EDIT: You can use openssl with opensc (or just openssl), or Microsoft's Certification Authority function on Windows Server OSes, or you can use a real CA like Verisign. Just make sure that the certificate issued has "Client Authentication" in its Application Usage. In theory, you can set the trust to trust Verisign CA, then get an email certificate from Verisign and you can use that to login (or if you bound it to your SmartCard, use the SmartCard to login).
#7  05-09-2008, 09:20 AM
Alfa1 (Join Date: Dec 2005; Location: Netherlands; Posts: 3,537)

Does this work on vb 3.7?
Would it be possible to make this a usergroup dependent function? I would like to make this function available for sponsors only.
#8  05-06-2009, 07:45 AM
AKosygin (Join Date: Oct 2003; Location: Los Angeles County; Posts: 8)

I have not made any modifications or follow up on this module since the last time it was updated. I do not see why not as it primarily relies on Apache's (or IIS) SmartCard/Certificate verification module to pass the data through PHP for vBulletin to use.

As it is, it is just a proof of concept and nothing more. There are no near future plans to further this module at this time.
#9  05-20-2009, 08:26 AM
lm3a.net (Join Date: May 2009; Posts: 134)

I'll try it,

thanks bro