Wishlist: add a variable %{x509} expanding to the client cert in Dovecot-auth
Guilhem Moulin
guilhem at fripost.org
Mon Jun 23 21:03:02 UTC 2014
Hi there,
As of Dovecot 2.2.9, it's possible to enable passwordless authentication
using client certificates [1]:
ssl_ca = </etc/ssl/ca.pem
ssl_verify_client_cert = yes
auth_ssl_username_from_cert = yes
(Password checking can be bypassed by returning the extra fields
‘password= nopassword’ in the passdb when the variable ‘%k’ expands to
"valid".)
However, this requires the server admin to set up a PKI. Having
a variable %{x509} expanding to the X.509 client cert in Dovecot-auth
would remove such hassle and instead provide a way to manage authorized
clients in the fashion of OpenSSH's ‘authorized_keys’.
Postfix has a similar configuration option: relay_clientcerts [2].
There, the keys for the lookup table can be either client cert
fingerprints or public key fingerprints (the digest algorithm can be
configured with smtpd_tls_fingerprint_digest). I can't see why %{x509}
should digest the certificate and not merely PEM-encode it, but having
another %{pubkey} variable expanding to the (PEM-encoded) cert's
SubjectPublicKeyInfo block would surely be useful :-)
I wonder if there are other folks interested in having the client cert
available in the passdb.
Thanks,
cheers,
--
Guilhem.
[1] http://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2BAC8-authentication
[2] http://www.postfix.org/postconf.5.html#relay_clientcerts
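As an added illustration of the relay_clientcerts-style lookup proposed above (example code, not from the post nor from Dovecot or Postfix), this script derives both fingerprint kinds from a PEM client certificate, the whole-certificate digest and the digest of its SubjectPublicKeyInfo, and checks them against an authorized_keys-like list of fingerprints. It assumes the openssl CLI is installed; the DIGEST variable and the one-fingerprint-per-line file format are constructed for the example.

```shell
#!/bin/sh
# Added example: fingerprint-based authorization of TLS client certificates,
# modelled on Postfix relay_clientcerts. Requires the openssl CLI.

# Digest algorithm, playing the role of smtpd_tls_fingerprint_digest (constructed default).
DIGEST="${DIGEST:-sha256}"

# Normalise "AA:BB:..." or mixed-case hex into lowercase hex without colons.
_hex() { tr -d ':' | tr 'A-Z' 'a-z'; }

# Fingerprint of the complete DER-encoded certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -outform DER \
        | openssl dgst "-$DIGEST" -r | cut -d' ' -f1 | _hex
}

# Fingerprint of the DER-encoded SubjectPublicKeyInfo only. It stays stable when
# the same key is re-certified, which is what a %{pubkey} variable would expose.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst "-$DIGEST" -r | cut -d' ' -f1 | _hex
}

# Look the client cert up in an authorized-fingerprints file: one fingerprint per
# line (colons and case ignored), '#' comment lines allowed, listed either by
# certificate or by public key. Returns 0 when authorized, 1 otherwise.
cert_authorized() {
    cert="$1"; authorized="$2"
    cf=$(cert_fingerprint "$cert")
    pf=$(pubkey_fingerprint "$cert")
    grep -v '^#' "$authorized" | _hex | grep -qx -e "$cf" -e "$pf"
}
```

A passdb backend given %{x509} could call cert_authorized in this way and return the nopassword extra field only when it succeeds.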