SSL Client Certificate / SmartCard Authentication
Mod Version: 0.01, by AKosygin (Member)
Developer Last Online: Apr 2014

This modification is in the archives.
vB Version: 3.6.4 Rating: (1 vote - 3.00 average) Installs: 8
Released: 19 May 2007 Last Update: Never Downloads: 43
Not Supported, DB Changes, Uses Plugins, Additional Files, Re-usable Code, Is in Beta Stage

Description:

This modification allows you to process authentication on your vBulletin based upon supplied Client SSL Authentication Certificates or SmartCard based certificates. All the user has to do is click on the "log in" button on the Username/Password box without entering anything and vBulletin will automatically log in with the SmartCard or Client SSL Certificate credentials.

This mod is in its inception stages, and improvements and feedback are welcomed. Security checks are also much appreciated. This is at a proof of concept stage, and hopefully I will add the ability to change or detect the fields needed.

Features:
  • Allows the use of SmartCard login
  • Linked credentials checking with Client Authentication Certificates

Extra Requirements:
  • mod_ssl enabled Apache 1.3.29+1.53 or later. (Very important!)
  • .htaccess modifications (specified below)
  • httpd.conf OR virtual host level HTTP access.
  • PKI client certificates
  • A trusted certification authority (just a CA you trust)

NOTE: This modification does not work on installations using Microsoft IIS, yet. The parameter calls and the DN formatting are different from Apache.

TO DO:
  • Configurable options
  • Automatic configuration
  • SmartCard removal detection
  • IIS Support

Installation:

1.) You must have installed Apache with mod_ssl enabled. Please search the Apache.org pages or Google how to enable SSL.

2.) Once mod_ssl is enabled, you must now enable Apache to accept client certificates. You may want to consult this page while following the instructions written on this post: http://httpd.apache.org/docs/2.0/mod/mod_ssl.html

3.) Go to either httpd.conf OR the Virtual Host line (EX:<VirtualHost 1.2.3.4:80> ) where vBulletin is installed and add the following line:

[Code block hidden: suspended or unlicensed members cannot view code.]

EXTREMELY IMPORTANT: You must define specifically a Certificate Authority you trust to identify and certify each user, do not use the "optional_no_ca" option for SSLVerifyClient, as anyone can then make a certificate and impersonate the user. Apache MUST deny and ignore the certificate presented by the user if the certificate is issued from a CA that you do not trust!

WARNING: The setting presented here will NOT check for Certificate Revocation, meaning if a certificate is revoked, Apache will still happily accept the certificate as valid. If you wish to enable revocation checking, please add the SSLCARevocationPath directive after the SSLCACertificateFile directive.

4.) Then in the .htaccess file (or at the Virtual Host level if you want it for the whole site) add the following:

[Code block hidden: suspended or unlicensed members cannot view code.]

You may want to change the "SSLVerifyDepth" as needed depending on how far up the trusting CA is on the Certificate Chain.

5.) Create two new user profile fields, one named "SmartCard Certificate DN" and another named "Enable SmartCard Authentication?"

For the "SmartCard Certificate DN", it is a "single-line text box" field with the following options:
  • Max length of allowed user input - 255
  • Field Length - 45
  • Field Required - No
  • Field Editable by User - Yes
  • Private Field - Yes
  • Field Searchable on Members List - No
  • Show on Members List - No

Then for the "Enable SmartCard Authentication?" it is a "Single Selection Radio Buttons" field type, with the following options:
  • Options - First line is "No" and second line is "Yes"
  • Set Default - Yes
  • Field Required - Yes, Always
  • Field Editable by User - Yes
  • Private Field - Yes
  • Field Searchable on Members List - No
  • Show on Members List - No
  • Allow user to input their own value for this option - No

6.) After you have created those two profile fields, make note of the "Name" of each field, whether it is "field5" or "field10" or whatever the field name is; you will need it to modify the code.

7.) Install the product package.

8.) Go to the "Plugin Manager" and edit the plugin with the "SmartCard Login after Interactive Login Failure" in the title.

9.) Find this line:

[Code block hidden: suspended or unlicensed members cannot view code.]

And change "field5" to the field used for "SmartCard Certificate DN" and "field6" to the field used for "Enable SmartCard Authentication?"

10.) Save the file and edit the appropriate user's profile with the appropriate Certificate Subject Distinguished Name information and login should work.

That's it.

I hope this mod is useful, and suggestions are welcomed.

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
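
The mod_ssl directives named in steps 3 and 4 and in the two warnings of the post above, laid out as an added example. This is not the author's hidden code: the file paths, the choice of `optional`, and the depth value are assumptions, and SSL itself is assumed to be enabled already (step 1).

```apache
# ---- httpd.conf or the SSL <VirtualHost> block (step 3) ----
# Constructed paths; replace with your own CA material.

# Only client certificates that chain to a CA in this file verify.
# Put in it exactly the CA(s) you trust to identify forum users.
SSLCACertificateFile /etc/apache2/ssl/trusted-client-ca.crt

# Revocation checking, placed after SSLCACertificateFile as the post says.
# The directory holds PEM CRL files reachable through hash symlinks.
SSLCARevocationPath  /etc/apache2/ssl/crl/
# Apache 2.4 and later consult CRLs only when this is also set
# (the directive does not exist in 2.0/2.2, so it is left commented):
# SSLCARevocationCheck chain

# ---- .htaccess in the vBulletin directory (step 4) ----
# Needs "AllowOverride AuthConfig Options" for this directory.

# WEAK, do not use: accepts a certificate signed by ANY issuer,
# including one the user generated, so the subject DN proves nothing.
# SSLVerifyClient optional_no_ca

# Ask for a certificate but still let password-only users connect.
# A certificate that is presented must verify against the CA file above.
SSLVerifyClient optional

# 1 = the client certificate must be signed by a CA directly listed in
# SSLCACertificateFile; raise it if an intermediate CA sits in between.
SSLVerifyDepth  1

# Export SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, etc. to PHP so the plugin
# can compare the subject DN with the user's profile field.
SSLOptions      +StdEnvVars
```

Replacing `optional` with `require` makes Apache refuse any connection that presents no certificate, which fits the "IN ADDITION" two-factor use the author describes for the adminCP and modCP later in the thread.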

Comments
#2, 19 May 2007, 04:39
rjmjr69 (Join Date: Jan 2007)
Interesting I might give this a shot.

-RESERVED-

#3, 19 May 2007, 11:41
maxicep (Join Date: Oct 2006)
reserved,
thanks.

#4, 19 May 2007, 12:30
sross (Join Date: Mar 2004)
Seems interesting but I don't know much about the benefits of such a system. Is this a method to, say, prevent trolls from abusing your forums? Is it not easy for someone to own several bogus smart card IDs to use as they please? What does this do in real world examples? Are there problems with international users obtaining the smart card key? Where do they get it from, etc? Thanks!

#5, 19 May 2007, 19:34
bela-meaad (Join Date: Jan 2005, Real name: Abdul)
I'll try it

thanks

#6, 19 May 2007, 22:30
AKosygin (Join Date: Oct 2003)
Originally Posted by sross:
"Seems interesting but I don't know much about the benefits of such a system. Is this a method to, say, prevent trolls from abusing your forums? Is it not easy for someone to own several bogus smart card IDs to use as they please? What does this do in real world examples? Are there problems with international users obtaining the smart card key? Where do they get it from, etc? Thanks!"

There are two ways to use this modification:
1.) Require SmartCard (or Client SSL Certificates) IN ADDITION to Interactive (Password) login.
OR
2.) Allow SmartCard (or Client SSL Certificates) to REPLACE Interactive login.

Currently the modification is set to option 2, where you can use a SmartCard or Client SSL Certificates bound to your browser to login instead of entering a username and password.

As for several bogus smart card IDs, SmartCard relies on a Public Key Infrastructure, and the Certificate that certifies that the user that is saying who they are must be signed by a Certification Authority that you trust. So, if you set up the Apache mod_ssl correctly, Apache should refuse (or tell you of) any trust failures; meaning that if the Certificate Authority is not the one you trust that is certifying the client certificate, it will refuse it or tell you it failed to verify. Therefore it is important to set up mod_ssl correctly.

If the Certificate Authority that you trust is handing out certificates just to anyone that says that they are you without verifying this, then you probably need to find another CA that is more trustworthy.

This is especially useful in protecting the adminCP and modCP to rather paranoia levels, requiring two factor authentication if you use it IN ADDITION to the regular login. If you use it in addition to the regular login, the user must present the correct username and password AND the correct certificate. So what you know (username/password) and what you have (certificate/SmartCard).

I will be including the modifications for the "IN ADDITION" part a bit later, but it definitely needs clean-up. The mod definitely relies heavily on mod_ssl to work correctly, but that is the technical limitation.

As for international users, they could use it in the sense that they install the certificate to their browsers as an added security that the would-be intruder would also need to steal that file instead of just guessing at the username/password. But otherwise, you can easily get SmartCards and its accompanying reader from eBay. Older IBM SecureWay SmartCards are cheap, about $1 or so each (1024 bit keys), less security than more recent industry standards (2048 bit keys), but affordable. The readers range in price, from $9 to $50 each. But as I said, you can just install the certificate to the browser to create an extra layer or make login more simple when you are at home.

EDIT: You can use openssl with opensc (or just openssl), or Microsoft's Certification Authority function on Windows Server OSes, or you can use a real CA like Verisign. Just make sure that the certificate issued has "Client Authentication" in its Application Usage. In theory, you can set the trust to trust Verisign CA, then get an email certificate from Verisign and you can use that to log in (or if you bound it to your SmartCard, use the SmartCard to log in).

Last edited by AKosygin; 19 May 2007 at 22:43.

#7, 09 May 2008, 11:20
Alfa1 (Join Date: Dec 2005)
Does this work on vb 3.7?
Would it be possible to make this a usergroup dependent function? I would like to make this function available for sponsors only.

#8, 06 May 2009, 09:45
AKosygin (Join Date: Oct 2003)
I have not made any modifications or follow up on this module since the last time it was updated. I do not see why not as it primarily relies on Apache's (or IIS) SmartCard/Certificate verification module to pass the data through PHP for vBulletin to use.

As it is, it is just a proof of concept and nothing more. There are no near future plans to further this module at this time.

#9, 20 May 2009, 10:26
lm3a.net (Join Date: May 2009)
I'll try it,

thanks bro