
PluginCertificateAuth

Adam Ness edited this page Dec 2, 2016 · 3 revisions

The certificate-auth plugin

The certificate-auth plugin allows clients to authenticate themselves with client-side certificates. This makes it possible to assign different permissions (ACLs) to different users.

The only required option is a list of CA certificates. Any client certificate issued by one of these CAs is accepted. The list may include the server's own certificate, but it does not have to. In addition, the private key for one of the CA certificates can be provided. In that case the infinoted server acts as a CA itself and accepts certificate requests from clients. A request is normally granted by signing a certificate, sending it back to the client and creating an account for that client; it is rejected only if the requested username is already taken by another user.

Note that even if the server acts as a CA as described above, its certificate does not need to be a CA certificate. The server still signs the generated client certificates with it, and it is then up to the clients whether to trust such a certificate or not. Gobby trusts a client certificate obtained from an infinote server even when it is not signed by a CA certificate. The rationale is that the client certificate is only used to identify the client to that server: if the client did not trust the server, it would not store its data there in the first place, so it also trusts every client certificate the server issues. This allows servers to issue client certificates with their own certificate and does not require them to create a separate CA. It is, however, also possible to set up a custom CA, which in some cases might be preferable; there are plenty of articles on the web describing how to do this.

The plugin also provides an option to create a short-lived super user certificate with a corresponding account. The certificate can be used to set up initial permissions for other users. When the server is shut down, the super user account is removed and the certificate is of no use any longer; a new super user certificate can be created on the next start.

Gobby itself has limited support for client-side certificates. When a server asks for a client-side certificate, Gobby presents the certificate set in the security tab of the preferences, which is also the certificate Gobby shows when other clients connect to it. It is therefore difficult to use Gobby with more than one server requiring certificates. This limitation is planned to be lifted in a future Gobby version.

Plugin options

  • ca-list: Path to a file containing a list of CA certificates. Only clients presenting a certificate signed by one of these CAs are accepted.
  • ca-key (opt): If given, must be the private key corresponding to one certificate in the CA list. The server can then accept certificate requests from clients and issue new certificates, allowing clients to create accounts on the server.
  • accept-unauthenticated-clients (opt): If set to false, clients presenting an invalid certificate or no certificate at all are not allowed to connect. If set to true, such clients are allowed to connect, but only have default permissions. The default value is false.
  • super-user (opt): If given, should point to a filename where a short-lived super user certificate is written. Can only be given if the ca-key option is given as well. The created certificate is only valid until infinoted is shut down or for the next 12 hours, whichever is shorter. This certificate should only be used to set up initial permissions for other users, and the server should then be restarted with this option unset.

Example

[certificate-auth]
ca-list=/home/ck/infinoted/ca-list.pem
ca-key=/home/ck/infinoted/ca-key.pem
super-user=/home/ck/superuser.pem

This configuration writes a super user certificate to the file /home/ck/superuser.pem. The written file contains both the private key and the certificate for the super user. The file can be loaded into Gobby in the security tab of the preferences dialog. When then connecting to the server, the user has full permissions and can create additional user accounts or change permissions for other users.
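The files referenced in the example above can be produced with OpenSSL. The script below is an added example, not code from the infinoted project or from this wiki: it builds a minimal CA, issues a client certificate from it, and runs the same chain check the plugin performs on connect, accepting a certificate signed by a listed CA and refusing one that is not. The working directory, subject names and validity periods are assumptions chosen for illustration, and putting the username in the certificate CN is this example's convention, not something the plugin documentation specifies.

```shell
#!/bin/sh
# Added example (not part of the infinoted project): build a minimal CA with
# openssl, issue a client certificate from it, and check that the client
# certificate chains to the CA list the way certificate-auth requires.
# Paths, subject names, validity periods and the CN-as-username convention
# are assumptions for illustration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a self-signed CA certificate and key. ca-list.pem is the file the
# plugin's ca-list option reads; ca-key.pem is the file for the ca-key option.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=infinoted example CA" \
    -keyout "$WORKDIR/ca-key.pem" -out "$WORKDIR/ca-list.pem" 2>/dev/null
}

# Issue a client certificate for user $1, signed by the CA above.
issue_client() {
  user="$1"
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$user" \
    -keyout "$WORKDIR/$user-key.pem" -out "$WORKDIR/$user.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 \
    -in "$WORKDIR/$user.csr" \
    -CA "$WORKDIR/ca-list.pem" -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial \
    -out "$WORKDIR/$user.pem" 2>/dev/null
  # Gobby loads one file holding key and certificate, the same layout as the
  # super-user file infinoted writes; concatenate both into it.
  cat "$WORKDIR/$user-key.pem" "$WORKDIR/$user.pem" > "$WORKDIR/$user-full.pem"
}

# The check the plugin performs on connect: does the presented certificate
# chain to a CA in ca-list.pem? Returns 0 if accepted, non-zero otherwise.
check_client() {
  openssl verify -CAfile "$WORKDIR/ca-list.pem" "$1" >/dev/null 2>&1
}

make_ca
issue_client alice
check_client "$WORKDIR/alice.pem" && echo "alice: accepted"

# A certificate from an unrelated (self-signed) issuer must be refused, which
# is what accept-unauthenticated-clients=false enforces on the server side.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=mallory" -keyout "$WORKDIR/mallory-key.pem" \
  -out "$WORKDIR/mallory.pem" 2>/dev/null
check_client "$WORKDIR/mallory.pem" || echo "mallory: rejected"
```

Point ca-list and ca-key in the plugin section at the generated ca-list.pem and ca-key.pem. alice-full.pem holds the private key and the certificate in one file, so it can be loaded in Gobby's security tab just like the super user file; mallory.pem is only accepted if accept-unauthenticated-clients is set to true, and then with default permissions only.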

Other Plugins

Back to the list of infinoted plugins.