Certificate login

Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here.
Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
hannuko
Registered User
Posts: 6
Joined: Tue Jul 08, 2008 7:55 am

Certificate login

Post by hannuko » Tue Jul 08, 2008 8:06 am

If certificate login is added to phpbbs as a feature, that would allow users to login securely with one password to several phpbbs boards.

The basic idea is to have a x.509 certificate on your own pc. When you connect to the phpbbs (or any site allowing certificate login), the server can check if you actually have that certificate and can log you in. Password is asked by your www-browser and it is never sent over the line. If you use the same certificate to login to several sites, you only need ONE password for EVERY phpbbs site. And the phpbbs site does not need even to know your password.

Certificate also gives the site a confirmation that the user email address is correct.

Adding the certificate login is not even complicated, there is example code in cacert.org pages. cacert.org is an open community distributing free certificates. You can also test the certificate login on their site.

See more on http://www.cacert.org

Edit: instructions to add the certificate login:

php code is simple:

Code: Select all

        if($_SERVER['HTTP_HOST'] == "secure.cacert.org")
        {
                $query = "select * from `users` where `email`='$_SERVER[SSL_CLIENT_S_DN_Email]'";
                $res = mysql_query($query);
                if(mysql_num_rows($res) > 0)
                {
                        $_SESSION['profile']['loggedin'] = 1;
                        header("location: https://secure.cacert.org/account.php");
                        exit;
                }
        }
In addition you need to configure your apache to work with ssl. See more on
http://www.cacert.org/help.php?id=9

User avatar
Eelke
Registered User
Posts: 606
Joined: Thu Dec 20, 2001 8:00 am
Location: Bussum, NL
Contact:

Re: Certificate login

Post by Eelke » Wed Jul 09, 2008 6:33 am

I think this is a fine candidate to be published as a MOD, I don't believe demand for this is such that it warrants adding it to the core product. With a custom authentication module, this would be a very nice and clean MOD, no file edits required.

BTW, from the forum rules: "Don't post bug reports, feature requests, support questions or suggestions here."

User avatar
Highway of Life
Registered User
Posts: 1399
Joined: Tue Feb 08, 2005 10:18 pm
Location: I'd love to change the World, but they won't give me the Source Code
Contact:

Re: Certificate login

Post by Highway of Life » Thu Jul 10, 2008 6:09 am

phpBB 3 does have SSL support, BTW. :)
Image

User avatar
Eelke
Registered User
Posts: 606
Joined: Thu Dec 20, 2001 8:00 am
Location: Bussum, NL
Contact:

Re: Certificate login

Post by Eelke » Thu Jul 10, 2008 6:51 am

Does it also have certificate authentication, though? I'm not really in the clear whether that would work through the apache login module, for example.

User avatar
Techie-Micheal
Registered User
Posts: 566
Joined: Sun Oct 14, 2001 12:11 am

Re: Certificate login

Post by Techie-Micheal » Fri Jul 11, 2008 12:39 am

I thought about writing a MOD for this and after some looking around and discussing things with a few people, it was decided nobody wanted it. :P Wish I had now. I could charge you a gazillion bucks. ;) No, there is no support for x.509 in phpBB right now.

hannuko
Registered User
Posts: 6
Joined: Tue Jul 08, 2008 7:55 am

Re: Certificate login

Post by hannuko » Fri Jul 11, 2008 7:33 am

First, sorry for this:
Eelke wrote: BTW, from the forum rules: "Don't post bug reports, feature requests, support questions or suggestions here."
I just could not find any other place for feature requests.

I think this is a feature where most people doesn't see the benefits. But if you have once tried the certificate login for 2 sites you will. For example, I had to create a user for both area51 and phpbb discussion boards. To be safe, I HAVE to choose different passwords for both sites.

If i was using certificate login, I could use the same without worry.

The amount of different passwords is huge. I assume most people just use the same password for every site. That means many admins can use their user's identification for other sites.

hannuko
Registered User
Posts: 6
Joined: Tue Jul 08, 2008 7:55 am

Re: Certificate login

Post by hannuko » Fri Jul 11, 2008 8:56 am

Actually, I think the apache ssl module handles the most of the login procedure. You just have to add one www-address (for example secure.my.site.com) to your site and require client certificate for that site.
After that, users can see that new www-page only if they have valid certificate. WWW-browser and ssl module takes care of the certificate hm.. certification. You need PHP only to link the certificate email address to the user name.

hannuko
Registered User
Posts: 6
Joined: Tue Jul 08, 2008 7:55 am

Re: Certificate login

Post by hannuko » Sat Sep 06, 2008 11:53 am

I succeeded to modify the source to allow certificate login. You can test it in

http://valita.dy.fi/bbvalita/viewtopic. ... &t=41&p=50

Try it only if you really are interested. I only have a 600Mhz pentium running on the server. It has an old discussion forum in finnish (not very popular..), but I added one english topic which you can use. Just test it, please do not start any serious conversations there..

This is not a separate auth plugin, but instead an alternative method to log in when other authority plugins are in use. Ie. your page can have any authority and your users can use certificates as an alternative. Maybe this is not the best way to do it, something which should be discussed.

I have not tested all the cases, ie banned users etc. The security should also be carefully verified.

I'll post the code some day when I have finalized it.

hannuko
Registered User
Posts: 6
Joined: Tue Jul 08, 2008 7:55 am

Re: Certificate login

Post by hannuko » Sun Sep 07, 2008 1:44 pm

Actually, the code was surprisingly simple. I first implemented it in a complicated way before finding out the auth plugin system.

This is what is needed to do: add an autologin for the auth plugin (for exmaple includes/auth/auth_db.php) you want to use. Autologin code is very simple:

Code: Select all

function autologin_db()
{
        global $db, $config;
        if ($_SERVER[SSL_CLIENT_VERIFY] == "SUCCESS")
        {
                $sql = "SELECT * FROM " . USERS_TABLE . "
                  WHERE user_email = '" . $db->sql_escape($_SERVER[SSL_CLIENT_S_DN_Email]) . "'";
                $result = $db->sql_query($sql);
                $row = $db->sql_fetchrow($result);
                $db->sql_freeresult($result);
                if ($row)
                {
                        return $row;
                }
        }
        return array();
}

That's all code needed in phpBB3!! After that your users can autologin with certificate.
btw, there is one drawback (a bug in the original php code, i think): you cannot log out. Actually, you can, but you will be automatically log back in.

Of course you need to configure your site to also use secure https connection.

Actually I'm not sure if linking to the email address is good or bad idea; I assume you cannot get a CA signed certificate with an email address unless you actually have access to the email address, so this should be safe.
It could also be linked for example to certificate serial number, but then you should update the link every time your certificate times out.

The ultimate solution would be to generate a new certificate for every user, authorize it on the server and then link the certificate to the username. In this case you woudn't even need to have any kind of passwords on the discussion board. Hmm.. in fact, you would not even need a username, just a nickname. The system would be both a lot easier and a lot more secure to the user. The password user would use would be only local certificate store password.

note: if there is a better place for this discussion, please move this thread..
Last edited by hannuko on Sun Sep 07, 2008 5:35 pm, edited 1 time in total.

User avatar
paulus
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 361
Joined: Thu Sep 16, 2004 9:02 am
Contact:

Re: Certificate login

Post by paulus » Sun Sep 07, 2008 3:59 pm

Please make sure you escape all data from the $_SERVER var correctly to prevent sql injection. You need to call $db->sql_escape on the variable in the query.

Beside that, the query itself should be uppercase (Ofcourse with the correct case for the table names, so lower case) instead of the current lower case you use.
And keys in the array should be around single quotes, else it would be a constant, that doesnt exists, what will generate a notice :).
Image

Post Reply