On Mon, Jan 16, 2017 at 09:26:10PM -0800, Russ Allbery wrote:

> Is there any way that I or someone can help with the current issue with
> enrolling on sso.debian.org? It looks like this was originally reported
> in May of last year on this bug.

Sure. Although I'm bad at project managing myself[1], I'm very happy to
help.

> There are two problems: one is that if one goes to tracker.debian.org and
> selects Login and then follows the bold link to sso.debian.org, that link
> (https://sso.debian.org/spkac/enroll/) is 404.

Ack. I refactored sso.debian.org when we got rid of DACS, and now there
are two login pages, one for debian.org and one for alioth.debian.org,
because sso.debian.org has now been set up with two views of the same
functionalities each with a different apache authentication.

That link should probably just be changed to https://sso.debian.org/

> If one goes directly to sso.debian.org, clicks on Debian account
> certificates, and logs in, clicks on Get new certificate, and then
> submits, it just produces "/usr/bin/openssl failed" as an error message at
> the top of the page.

That would be with chrome/chromium, I suppose? They disabled the
certificate generation functionality by default:
https://wiki.debian.org/DebianSingleSignOn#chromium_.2F_chrome

I know of no way of doing certificate generation on recent chromes
without explicitly enabling it as described on the wiki link above, and
I read somewhere months ago[citation needed] that the chrome devs
decided it's a feature that they intend to remove altogether. It'd be
nice if they changed their mind or started suggesting alternatives.

I started playing with the idea of a command line tool that would take
care of browsers: https://github.com/spanezz/debsso-client and it looks
like a promising avenue, in that it's possible to feed client
certificates to chromium and firefox from the command line:
https://lists.debian.org/debian-devel/2016/10/msg00131.html

debsso-client could do SPKAC with sso.debian.org and inject the
resulting certificate into the browsers key store:

 1. openssl genrsa -out user.key 2048
    openssl spkac -key user.key -challenge FvIu8NDJZxGmpKmA5pp3asMDZChXD4rc | cut -d= -f2-
 2. Post it to https://sso.debian.org/debian/certs/enroll_manually or
    https://sso.debian.org/alioth/certs/enroll_manually authenticating
    with HTTP basic auth, together with the validity and comment fields
    that you see on the page
 3. get the client certificate as the result of the POST
 4. feed it into the browser key store

> I'd be happy to try to help out with a fix if the problem is just that
> you're swamped, although I'm not sure where all the pieces are and
> probably don't have access, so it may require a bit of poking around.

The code for sso.debian.org is at
https://anonscm.debian.org/cgit/debian-sso/debian-sso.git/ and is
deployed on diabelli.debian.org; would you like me to ask for you to
have access to it?

For the chrome enrollment issue specifically, can you get someone in
silicon valley to describe a standard way to automatically negotiate a
client certificate?

More generally, you could join me/lead me writing and testing
debsso-client or some other kind of command line tool for certificate
negotiation. All the pieces are there, but I bail out at the idea of the
responsibility of working and publishing and maintaining that kind of
security sensitive code by myself.

Enrico

[1] http://www.enricozini.org/blog/2014/debian/on-responsibilities/

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enr...@enricozini.org>
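Step 1 of the procedure in the message above, followed by a local consistency check of the SPKAC blob before it is posted, as an added example that is not part of the original message or of debsso-client. The function names, the temporary file and the challenge value passed in are assumptions; the POST is left out because the message does not give the form field names.

```shell
#!/bin/sh
# Added example. Nothing here talks to the network.

# make_spkac KEYFILE CHALLENGE
# Generates the RSA key and prints the bare base64 SPKAC blob.
make_spkac() {
    key=$1; challenge=$2
    # Create the private key readable by its owner only.
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    # openssl prints "SPKAC=<base64>"; the base64 may end in '=' padding,
    # which is why the field selection is -f2- and not -f2.
    openssl spkac -key "$key" -challenge "$challenge" | cut -d= -f2-
}

# check_spkac KEYFILE CHALLENGE BLOB
# Returns 0 only if the blob verifies, carries the expected challenge and
# embeds the public half of KEYFILE.
check_spkac() {
    key=$1; challenge=$2; blob=$3
    tmp=$(mktemp) || return 1
    # openssl spkac -in expects the "SPKAC=" prefix back.
    printf 'SPKAC=%s\n' "$blob" > "$tmp"
    rc=0

    # 1. The self-signature over key + challenge verifies.
    openssl spkac -in "$tmp" -verify -noout 2>/dev/null || rc=1

    # 2. The embedded challenge is exactly the one that was issued.
    got_chal=$(openssl spkac -in "$tmp" 2>/dev/null |
               sed -n 's/^ *Challenge String: //p')
    [ "$got_chal" = "$challenge" ] || rc=1

    # 3. The embedded public key belongs to our private key.
    want=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    got=$(openssl spkac -in "$tmp" -noout -pubkey 2>/dev/null)
    [ -n "$want" ] && [ "$want" = "$got" ] || rc=1

    rm -f "$tmp"
    return $rc
}
```

A blob that passes `check_spkac` is what step 2 would submit; a failure at this point means the key file or challenge was mixed up before anything reached the server.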