Bug#823180: SSO certificates for tracker.debian.org broken

2017-05-27 Thread Russ Allbery
Enrico Zini  writes:
> On Mon, Jan 16, 2017 at 09:26:10PM -0800, Russ Allbery wrote:

>> Is there any way that I or someone can help with the current issue with
>> enrolling on sso.debian.org?  It looks like this was originally
>> reported in May of last year on this bug.

> Sure. Although I'm bad at project managing myself[1], I'm very happy to
> help.

Well, this was also rather embarrassing on my part.  I sent that message in
January in a burst of optimism and energy, coming off vacation, and then
promptly ran out of any time and never followed this up.

> Ack. I refactored sso.debian.org when we got rid of DACS, and now there
> are two login pages, one for debian.org and one for alioth.debian.org,
> because sso.debian.org has now been set up with two views of the same
> functionalities each with a different apache authentication.

> That link should probably just be changed to https://sso.debian.org/

I confirm this is now fixed.

>> If one goes directly to sso.debian.org, clicks on Debian account
>> certificates, and logs in, clicks on Get new certificate, and then
>> submits, it just produces "/usr/bin/openssl failed" as an error message
>> at the top of the page.

> That would be with chrome/chromium, I suppose? They disabled the
> certificate generation functionality by default:
> https://wiki.debian.org/DebianSingleSignOn#chromium_.2F_chrome

> I know of no way of doing certificate generation on recent chromes
> without explicitly enabling it as described on the wiki link above, and
> I read somewhere months ago[citation needed] that the chrome devs
> decided it's a feature that they intend to remove altogether. It'd be
> nice if they changed their mind or started suggesting alternatives.

Oh!  Yes, that's indeed the problem, and that makes sense.  I thought the
old error message (about openssl failure) indicated some server-side issue
rather than a client issue.  I see that the error message is now much
nicer (thank you!).

> I started playing with the idea of a command line tool that would take
> care of browsers: https://github.com/spanezz/debsso-client and it looks
> like a promising avenue, in that it's possible to feed client
> certificates to chromium and firefox from the command line:
> https://lists.debian.org/debian-devel/2016/10/msg00131.html

> debsso-client could do SPKAC with sso.debian.org and inject the
> resulting certificate into the browser's key store:

>  1. openssl genrsa -out user.key 2048
>     openssl spkac -key user.key -challenge FvIu8NDJZxGmpKmA5pp3asMDZChXD4rc |
>       cut -d= -f2-
>  2. Post it to https://sso.debian.org/debian/certs/enroll_manually or
>     https://sso.debian.org/alioth/certs/enroll_manually authenticating
>     with HTTP basic auth, together with the validity and comment fields
>     that you see on the page
>  3. get the client certificate as the result of the POST
>  4. feed it into the browser key store

I went through the equivalent of that process manually using the manual
certificate generation instructions, and it works great.  This seems like
the right approach to me as well.

I should probably take the five month delay in even responding to this
message as a sign that I have no business trying to dive into new
responsibilities and help out more with this at the moment.  :(  Apologies
for offering help and then going totally silent; my reach exceeded my
grasp.  But thank you *very* much for taking the time to describe the
problem and the proposed approach, and if I manage to pry free any time to
work on SSO stuff again, I will take a look at the code and also look at
the problem area and see if there's something better we can do.

(That said, I suspect that an external script to inject the certificate
into the browser is probably the best approach.  There are various
security worries about letting the browser generate certs directly, and
I'm not sure if the browser authors will be particularly excited about
supporting this functionality.  I think people in the industry have
largely given up on client-side browser certs in favor of U2F, although
that doesn't solve exactly the same problem.)

-- 
Russ Allbery (r...@debian.org)   



Bug#823180: SSO certificates for tracker.debian.org broken

2017-01-17 Thread Enrico Zini
On Mon, Jan 16, 2017 at 09:26:10PM -0800, Russ Allbery wrote:

> Is there any way that I or someone can help with the current issue with
> enrolling on sso.debian.org?  It looks like this was originally reported
> in May of last year on this bug.

Sure. Although I'm bad at project managing myself[1], I'm very happy to
help.


> There are two problems: one is that if one goes to tracker.debian.org and
> selects Login and then follows the bold link to sso.debian.org, that link
> (https://sso.debian.org/spkac/enroll/) is 404.

Ack. I refactored sso.debian.org when we got rid of DACS, and now there
are two login pages, one for debian.org and one for alioth.debian.org,
because sso.debian.org has now been set up with two views of the same
functionalities each with a different apache authentication.

That link should probably just be changed to https://sso.debian.org/


> If one goes directly to sso.debian.org, clicks on Debian account
> certificates, and logs in, clicks on Get new certificate, and then
> submits, it just produces "/usr/bin/openssl failed" as an error message at
> the top of the page.

That would be with chrome/chromium, I suppose? They disabled the
certificate generation functionality by default:
https://wiki.debian.org/DebianSingleSignOn#chromium_.2F_chrome

I know of no way of doing certificate generation on recent chromes
without explicitly enabling it as described on the wiki link above, and
I read somewhere months ago[citation needed] that the chrome devs
decided it's a feature that they intend to remove altogether. It'd be
nice if they changed their mind or started suggesting alternatives.

I started playing with the idea of a command line tool that would take
care of browsers: https://github.com/spanezz/debsso-client
and it looks like a promising avenue, in that it's possible to feed
client certificates to chromium and firefox from the command line:
https://lists.debian.org/debian-devel/2016/10/msg00131.html

debsso-client could do SPKAC with sso.debian.org and inject the
resulting certificate into the browser's key store:

 1. openssl genrsa -out user.key 2048
    openssl spkac -key user.key -challenge FvIu8NDJZxGmpKmA5pp3asMDZChXD4rc |
      cut -d= -f2-
 2. Post it to https://sso.debian.org/debian/certs/enroll_manually or
    https://sso.debian.org/alioth/certs/enroll_manually authenticating
    with HTTP basic auth, together with the validity and comment fields
    that you see on the page
 3. get the client certificate as the result of the POST
 4. feed it into the browser key store


> I'd be happy to try to help out with a fix if the problem is just that
> you're swamped, although I'm not sure where all the pieces are and
> probably don't have access, so it may require a bit of poking around.

The code for sso.debian.org is at
https://anonscm.debian.org/cgit/debian-sso/debian-sso.git/
and is deployed on diabelli.debian.org; would you like me to ask for you
to have access to it?

For the chrome enrollment issue specifically, can you get someone in
Silicon Valley to describe a standard way to automatically negotiate a
client certificate?

More generally, you could join me/lead me writing and testing
debsso-client or some other kind of command line tool for certificate
negotiation. All the pieces are there, but I bail out at the idea of the
responsibility of working and publishing and maintaining that kind of
security sensitive code by myself.


Enrico

[1] http://www.enricozini.org/blog/2014/debian/on-responsibilities/
-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini 


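The four-step enrolment sketched in the message above, as an added example that is neither debsso-client's code nor anything from the thread: a POSIX shell script, hypothetically named debsso-enroll.sh, that generates the key and SPKAC locally, verifies the SPKAC signature and challenge before anything is posted, and only then submits it. It assumes openssl, curl and libnss3-tools are installed; the POST field names (spkac, validity, comment) and the Chromium NSS import in step 4 are assumptions, since the thread names the fields but not how the form is encoded.

```shell
#!/bin/sh
# Added example, not debsso-client's own code: the four SPKAC enrolment steps
# from the thread as shell functions. Assumes openssl, curl and (for step 4)
# libnss3-tools on PATH; POST field names and the NSS import are assumptions.
set -eu

SSO_URL="https://sso.debian.org/debian/certs/enroll_manually"  # URL from the thread
CHALLENGE="FvIu8NDJZxGmpKmA5pp3asMDZChXD4rc"                    # challenge quoted in the thread
# Step 1a: the private key is generated locally and never leaves the machine.
gen_key() {   # $1 = key path
    openssl genrsa -out "$1" 2048 2>/dev/null
    chmod 600 "$1"
}
# Step 1b: sign public key + challenge; strip the "SPKAC=" prefix as the thread does.
gen_spkac() {   # $1 = key path, $2 = challenge
    openssl spkac -key "$1" -challenge "$2" | cut -d= -f2-
}
# Local check before posting: the SPKAC self-signature must verify and the
# embedded challenge must be the one the server issued (the server checks both).
verify_spkac() {   # $1 = bare SPKAC, $2 = expected challenge; non-zero on failure
    f=$(mktemp); rc=0
    printf 'SPKAC=%s\n' "$1" > "$f"
    openssl spkac -in "$f" -verify -noout 2>/dev/null || rc=1
    openssl spkac -in "$f" 2>/dev/null | grep -q "Challenge String: $2\$" || rc=1
    rm -f "$f"
    return $rc
}
# Steps 2 and 3: POST with HTTP basic auth; curl prompts for the password so it
# never appears in argv. Field names are assumed, not taken from sso.debian.org.
enroll() {   # $1 = login, $2 = bare SPKAC, $3 = validity, $4 = comment, $5 = cert out
    curl -fsS -u "$1" --data-urlencode "spkac=$2" --data-urlencode "validity=$3" \
        --data-urlencode "comment=$4" -o "$5" "$SSO_URL"
}
# Step 4: bundle key + cert as PKCS#12 and import into Chromium's NSS store
# (for Firefox point -d at the profile directory). Not exercised offline.
import_cert() {   # $1 = key path, $2 = cert path
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "${2%.*}.p12"
    pk12util -i "${2%.*}.p12" -d "sql:$HOME/.pki/nssdb"
}

main() {   # usage: DEBSSO_RUN=1 sh debsso-enroll.sh <login> <validity> <comment>
    gen_key user.key
    spkac=$(gen_spkac user.key "$CHALLENGE")
    verify_spkac "$spkac" "$CHALLENGE"
    enroll "$1" "$spkac" "$2" "$3" user.crt
    import_cert user.key user.crt
}
if [ "${DEBSSO_RUN:-0}" = 1 ]; then main "$@"; fi
```

The network and key-store steps only run when DEBSSO_RUN=1 is set, so sourcing the file just defines the functions.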


Bug#823180: SSO certificates for tracker.debian.org broken

2017-01-16 Thread Russ Allbery
Hi Enrico,

Is there any way that I or someone can help with the current issue with
enrolling on sso.debian.org?  It looks like this was originally reported
in May of last year on this bug.

There are two problems: one is that if one goes to tracker.debian.org and
selects Login and then follows the bold link to sso.debian.org, that link
(https://sso.debian.org/spkac/enroll/) is 404.

If one goes directly to sso.debian.org, clicks on Debian account
certificates, and logs in, clicks on Get new certificate, and then
submits, it just produces "/usr/bin/openssl failed" as an error message at
the top of the page.

I'd be happy to try to help out with a fix if the problem is just that
you're swamped, although I'm not sure where all the pieces are and
probably don't have access, so it may require a bit of poking around.

-- 
Russ Allbery (r...@debian.org)