From: Timothy McKernan
Date: Fri, 18 Nov 2016 13:44:36 +0000
Subject: Re: Two-way SSL authentication?
In-Reply-To: <2E292BA4-05AF-496C-B356-27929289FAFC@apache.org>
To: user@couchdb.apache.org

On Thu, Nov 17, 2016 at 4:36 PM Robert Samuel Newson wrote:

> Hi Tim,
>
> Authentication handlers are pluggable once again, and that feature will
> appear in our next release (tentatively designated 2.1.0).

Great, I thought I'd read that recently but couldn't put my finger on the post.

> We'd definitely merge a patch that added an authentication handler where
> the DN was used to look up a user in the normal CouchDB _users database.

This seems doable, at least as a starter project for me to try. The rest - eh, I wanted to see if there is any interest in it. Chaining multiple handlers would introduce a lot of complexity in this one area, but having this kind of integrated authentication adds a lot of security to the app, for people that require it.

Thanks for the reply. I'll take a look at the pluggable authentication handlers.

-Tim

> When we bring LDAP in, things get trickier. I'm sure we'd take a patch to
> add an LDAP authentication handler, but there's no precedent for handlers
> co-operating with other handlers (LDAP plus client cert). If you're
> prepared to do the work, I'm sure this could be figured out, I'm just
> saying the authentication system doesn't already support the notion, and we
> wouldn't want to make this part of couchdb much fiddlier.
>
> B.
>
> > On 17 Nov 2016, at 14:36, Timothy McKernan wrote:
> >
> > Has there been any interest in adding support for two-way SSL
> > authentication? More specifically, I'm looking for a way to:
> >
> > - Verify a client's cert is valid,
> > - Check the cert's Certificate Authority(s) against a local store,
> > - Query a remote service to verify the cert hasn't been revoked (CRLs),
> > - Use the client's Distinguished Name to query a remote service (LDAP
> >   would be fine) to verify the user is authorized to connect,
> > - Use the client's Distinguished Name to authenticate the user in
> >   CouchDb, returning the user ctx.
> >
> > I've looked at how to add an auth handler in 2.0.0 and read some older
> > posts about it. It looks like at least src/chttpd/src/chttpd_auth.erl and
> > src/couch/src/couch_httpd_auth.erl need to be edited to use any new
> > handlers, is that right?
> >
> > I think my questions come down to:
> >
> > - Is there going to be support for two-way SSL auth?
> > - If not, is the authentication handler code going to be updated to
> >   allow new handlers to be plugged in (having the handlers implement a
> >   known interface) rather than hand-edit the above code?
> > - My requirements also suggest allowing a chain of handlers to be
> >   called, so that the details of CouchDb auth vs. CRL verification vs.
> >   LDAP can all be called one after the other, only going to the next
> >   handler if the previous handler succeeded.
> >
> > Right now I'm just trying to understand the scope of what's required to
> > add this, especially if it seems I'd be the one doing it.
> >
> > -Tim
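The checks Tim lists above (client cert required, CA chain checked against a local store, CRL check, DN-based LDAP authorization, DN lookup in _users) and the chained handlers he asks about, as an added example that is not part of this thread or of CouchDB: Python's ssl module does the TLS-level verification, and a constructed in-memory set and dict stand in for the LDAP query and the _users database.

```python
import ssl

def build_mtls_context(ca_file, crl_file=None):
    """Server context: client cert required, chain checked against the local CA
    store only, and the leaf cert checked against a CRL when one is given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED            # handshake fails without a cert
    ctx.load_verify_locations(cafile=ca_file)      # local store, not system roots
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)  # a CRL PEM is loaded the same way
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx

# Short names for the attribute types that getpeercert() reports.
_SHORT = {"commonName": "CN", "organizationalUnitName": "OU", "organizationName": "O", "countryName": "C"}

def dn_from_peercert(peercert):
    """getpeercert()['subject'] as an RFC 4514 string, most specific RDN first
    (e.g. CN=tim,OU=ops,O=Example,C=US); value escaping is omitted here."""
    rdns = [",".join(f"{_SHORT.get(k, k)}={v}" for k, v in rdn) for rdn in peercert["subject"]]
    return ",".join(reversed(rdns))

# Constructed stand-ins for the remote LDAP query and the CouchDB _users database.
AUTHORIZED_DNS = {"CN=tim,OU=ops,O=Example,C=US"}
USERS_DB = {"CN=tim,OU=ops,O=Example,C=US": {"name": "tim", "roles": ["ops"]}}

def require_client_cert(state):      # getpeercert() gives {} or None without a cert
    return state if state and state.get("subject") else None

def ldap_authorization(state):       # is this DN authorized to connect at all?
    dn = dn_from_peercert(state)
    return dict(state, dn=dn) if dn in AUTHORIZED_DNS else None

def couchdb_users_lookup(state):     # DN -> user ctx, the shape CouchDB returns
    doc = USERS_DB.get(state["dn"])
    return {"name": doc["name"], "roles": doc["roles"]} if doc else None

HANDLER_CHAIN = (require_client_cert, ldap_authorization, couchdb_users_lookup)

def authenticate(peercert, chain=HANDLER_CHAIN):
    """Run handlers in order; the first None rejects, else the last result is the user ctx."""
    state = peercert
    for handler in chain:
        state = handler(state)
        if state is None:
            return None
    return state

# Constructed peer certificate dict in the shape ssl's getpeercert() returns.
SAMPLE_PEERCERT = {"subject": ((("countryName", "US"),), (("organizationName", "Example"),),
                               (("organizationalUnitName", "ops"),), (("commonName", "tim"),))}
```

On a connection accepted with the context from build_mtls_context, the dict from getpeercert() is what authenticate() takes; the attribute names and DN rendering are those of Python's ssl module, not CouchDB's.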