
Bug#823180: SSO certificates for tracker.debian.org broken

On Mon, Jan 16, 2017 at 09:26:10PM -0800, Russ Allbery wrote:

> Is there any way that I or someone can help with the current issue with
> enrolling on sso.debian.org?  It looks like this was originally reported
> in May of last year on this bug.

Sure. Although I'm bad at project managing myself[1], I'm very happy to
help.


> There are two problems: one is that if one goes to tracker.debian.org and
> selects Login and then follows the bold link to sso.debian.org, that link
> (https://sso.debian.org/spkac/enroll/) is 404.

Ack. I refactored sso.debian.org when we got rid of DACS, and now there
are two login pages, one for debian.org and one for alioth.debian.org,
because sso.debian.org has now been set up with two views of the same
functionality, each with a different Apache authentication.

That link should probably just be changed to https://sso.debian.org/


> If one goes directly to sso.debian.org, clicks on Debian account
> certificates, and logs in, clicks on Get new certificate, and then
> submits, it just produces "/usr/bin/openssl failed" as an error message at
> the top of the page.

That would be with Chrome/Chromium, I suppose? They disabled the
certificate generation functionality by default:
https://wiki.debian.org/DebianSingleSignOn#chromium_.2F_chrome

I know of no way of doing certificate generation on recent Chromes
without explicitly enabling it as described on the wiki link above, and
I read somewhere months ago[citation needed] that the Chrome devs
decided it's a feature that they intend to remove altogether. It'd be
nice if they changed their mind or started suggesting alternatives.

I started playing with the idea of a command line tool that would take
care of browsers: https://github.com/spanezz/debsso-client
and it looks like a promising avenue, in that it's possible to feed
client certificates to chromium and firefox from the command line:
https://lists.debian.org/debian-devel/2016/10/msg00131.html

debsso-client could do SPKAC with sso.debian.org and inject the
resulting certificate into the browsers' key stores:

 1. openssl genrsa -out user.key 2048
    openssl spkac -key user.key -challenge FvIu8NDJZxGmpKmA5pp3asMDZChXD4rc | cut -d= -f2-
 2. Post it to https://sso.debian.org/debian/certs/enroll_manually or
    https://sso.debian.org/alioth/certs/enroll_manually authenticating
    with HTTP basic auth, together with the validity and comment fields
    that you see on the page
 3. get the client certificate as the result of the POST
 4. feed it into the browser key store


> I'd be happy to try to help out with a fix if the problem is just that
> you're swamped, although I'm not sure where all the pieces are and
> probably don't have access, so it may require a bit of poking around.

The code for sso.debian.org is at
https://anonscm.debian.org/cgit/debian-sso/debian-sso.git/
and is deployed on diabelli.debian.org; would you like me to ask for you
to have access to it?

For the Chrome enrollment issue specifically, can you get someone in
Silicon Valley to describe a standard way to automatically negotiate a
client certificate?

More generally, you could join me or lead me in writing and testing
debsso-client or some other kind of command line tool for certificate
negotiation. All the pieces are there, but I bail out at the idea of the
responsibility of working on, publishing and maintaining that kind of
security sensitive code by myself.


Enrico

[1] http://www.enricozini.org/blog/2014/debian/on-responsibilities/
-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
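
The four manual enrollment steps listed in the message above, written out
as shell functions. This is an added example, not code from debsso-client
or from sso.debian.org. Assumptions: the form field that carries the SPKAC
is named "spkac" (the page only names "validity" and "comment"); the
challenge is the one shown on the enroll_manually page; and on Linux both
Chromium (~/.pki/nssdb) and Firefox (its profile directory) keep client
certificates in NSS databases, so pk12util from libnss3-tools can feed
both. The SPKAC is verified locally before anything is posted, which also
catches a bad challenge or a truncated key.

```shell
#!/bin/sh
# Added example, not debsso-client's or sso.debian.org's own code.
# Assumed names: the "spkac" form field, and NSS databases for both browsers.
set -eu

# Step 1: generate a 2048-bit RSA key (reused if it already exists) and
# print the base64 SPKAC for the given challenge without the "SPKAC=" prefix.
gen_spkac() {
    key=$1 challenge=$2
    [ -s "$key" ] || openssl genrsa -out "$key" 2048 2>/dev/null
    openssl spkac -key "$key" -challenge "$challenge" | cut -d= -f2-
}

# Check before posting: verify the SPKAC's self-signature.
# Exit status is non-zero for a tampered or truncated blob.
verify_spkac() {
    printf 'SPKAC=%s\n' "$1" | openssl spkac -verify -noout >/dev/null 2>&1
}

# Steps 2 and 3: POST the SPKAC plus the validity and comment fields to
# enroll_manually with HTTP basic auth (curl prompts for the password, so it
# never appears on the command line) and save the returned certificate.
# The "spkac" field name is an assumption.
enroll() {
    url=$1 user=$2 blob=$3 validity=$4 comment=$5 out=$6
    curl -fsS -u "$user" \
        --data-urlencode "spkac=$blob" \
        --data-urlencode "validity=$validity" \
        --data-urlencode "comment=$comment" \
        -o "$out" "$url"
    # Refuse to go on if what came back is not a certificate.
    openssl x509 -in "$out" -noout -subject -enddate
}

# Step 4: bundle key and certificate as PKCS#12 and import it into an NSS
# database. Assumption: Chromium uses ~/.pki/nssdb and Firefox its profile
# directory, both NSS, so pk12util (libnss3-tools) reaches either.
import_to_nss() {
    key=$1 cert=$2 nssdb=$3
    p12=$(mktemp)
    openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$p12" -passout pass:
    pk12util -i "$p12" -d "sql:$nssdb" -W ''
    rm -f "$p12"
}

# Usage (needs the network, so not run here):
#   challenge=...   # the challenge shown on the enroll_manually page
#   blob=$(gen_spkac user.key "$challenge") && verify_spkac "$blob"
#   enroll https://sso.debian.org/debian/certs/enroll_manually "$USER" \
#       "$blob" 365 "laptop" user.crt
#   import_to_nss user.key user.crt "$HOME/.pki/nssdb"
```

The validity value and the comment are passed through as-is; what the page
accepts for validity is not described in the message, so 365 above is only a
placeholder. Keep user.key readable only by you: the certificate is as good
as the key it is bound to.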
