ip6li
October 22, 2016, 10:39am
I am using ownCloud 9.1.1 with the recommended Nginx configuration and php5-fpm on Debian 8 (latest patch level). I would like to set up user authentication with client certificates provided by an external PKI. Nginx is configured to require a client certificate and passes the certificate data to php-fpm; phpinfo() displays the certificate data if the following config is added to nginx.conf:
```nginx
fastcgi_param SSL_CIPHER $ssl_cipher;
fastcgi_param SSL_PROTOCOL $ssl_protocol;
fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
fastcgi_param SSL_CLIENT_CERT $ssl_client_cert;
fastcgi_param SSL_CLIENT_FPRINT $ssl_client_fingerprint;
fastcgi_param SSL_CLIENT_SERIAL $ssl_client_serial;
fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;
```
Are there any options in config.php to read the user name from the certificate's DN (e.g. use the CN) and ignore the password?
If not, is there a plugin skeleton that can be used for an authentication provider?
Hi,
there is currently no support for client certificates in ownCloud:
GitHub issue: opened 31 Jan 2014, closed 21 Sep 2021 (labels: enhancement, status/STALE)
Hi,
I would like to request a new feature: the possibility to log in without a password, in case a valid SSL client certificate has been installed in the browser.
It should work as follows:
1.) Check whether enabled in Admin Menu and site is SSL
2.) Verify certificate validity (APACHE DOES IT FOR US)
``` php
/**
 * Determines if the browser provided a valid SSL client certificate
 *
 * @return boolean True if the client cert is there and is valid
 */
public function hasValidCert()
{
    if (!isset($_SERVER['SSL_CLIENT_M_SERIAL'])
        || !isset($_SERVER['SSL_CLIENT_V_END'])
        || !isset($_SERVER['SSL_CLIENT_VERIFY'])
        || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS'
        || !isset($_SERVER['SSL_CLIENT_I_DN'])
        || !isset($_SERVER['SSL_CLIENT_V_REMAIN']) // used below; reject if absent
    ) {
        return false;
    }
    // mod_ssl reports the remaining validity in days; expired certs are rejected
    if ((int) $_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) {
        return false;
    }
    return true;
}
```
3.) If TRUE, take the user name from
``` php
$_SERVER['SSL_CLIENT_S_DN_Email']
```
and validate against user backend.
3a.) If it exists, log the user in.
3b.) if it does not, e(USERNAME_NOT_VALID)
4.) If FALSE display the standard login screen.
5.) If the user cancels the Certificate selection dialog, display the standard login screen.
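As an added example (not ownCloud code, not from the GitHub issue and not from anyone in this thread), here are steps 2 to 4 of the issue carried through against the variables the question's fastcgi_param lines hand to php-fpm: the check fails closed whenever a variable is missing, the issuer DN is pinned, the user name is read from the subject DN (CN first, emailAddress as fallback) in either nginx's legacy `/C=..` form or the RFC 2253 form newer nginx versions emit, and the user backend is stood in for by a plain array. All function names, the `$knownUsers` stub, the issuer string and the sample `$_SERVER` values are assumptions; the code avoids PHP 7 syntax so it also runs on the php5-fpm from the question.

```php
<?php
// Added example (not ownCloud code and not from the GitHub issue): the login
// decision described in the issue, written against the variables the question's
// fastcgi_param lines hand to php-fpm. Works on a copy of $_SERVER so it can be
// run offline against the constructed sample at the bottom.

/**
 * True only if the TLS terminator reported a verified client certificate,
 * issued by the expected CA and still inside its validity period.
 * Any missing variable is treated as "not verified" (fail closed).
 */
function hasValidClientCert(array $server, $expectedIssuerDn)
{
    if (!isset($server['SSL_CLIENT_VERIFY']) || $server['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
        return false;
    }
    // Pin the issuer: with several CAs in the trust bundle a CN is only
    // meaningful together with who issued it.
    if (!isset($server['SSL_CLIENT_I_DN']) || $server['SSL_CLIENT_I_DN'] !== $expectedIssuerDn) {
        return false;
    }
    // Remaining validity in days (Apache mod_ssl; nginx exposes
    // $ssl_client_v_remain only in recent versions). Absent means we cannot
    // check it, so reject rather than assume.
    if (!isset($server['SSL_CLIENT_V_REMAIN']) || !is_numeric($server['SSL_CLIENT_V_REMAIN'])) {
        return false;
    }
    return (int) $server['SSL_CLIENT_V_REMAIN'] > 0;
}

/**
 * Parses a subject DN in nginx's legacy form ("/C=DE/O=Example/CN=alice")
 * or RFC 2253 form ("CN=alice,O=Example,C=DE") into an attribute map with
 * upper-cased keys. The first occurrence of a repeated attribute wins;
 * escape sequences inside values are left untouched.
 */
function parseDn($dn)
{
    $attrs = array();
    if (strlen($dn) > 0 && $dn[0] === '/') {
        $parts = explode('/', substr($dn, 1));
    } else {
        $parts = preg_split('/(?<!\\\\),/', $dn); // split on unescaped commas
    }
    foreach ($parts as $part) {
        $eq = strpos($part, '=');
        if ($eq === false) {
            continue;
        }
        $key = strtoupper(trim(substr($part, 0, $eq)));
        $val = trim(substr($part, $eq + 1));
        if (!array_key_exists($key, $attrs)) {
            $attrs[$key] = $val;
        }
    }
    return $attrs;
}

/**
 * Maps the subject to a local user name: CN first, emailAddress as fallback,
 * null if neither is present or the DN was not passed at all.
 */
function userNameFromSubject(array $server)
{
    if (!isset($server['SSL_CLIENT_S_DN'])) {
        return null;
    }
    $attrs = parseDn($server['SSL_CLIENT_S_DN']);
    foreach (array('CN', 'EMAILADDRESS') as $key) {
        if (isset($attrs[$key]) && $attrs[$key] !== '') {
            return $attrs[$key];
        }
    }
    return null;
}

/**
 * The decision a login hook would make: the user to log in as, or null to
 * fall back to the ordinary password form (issue steps 3a/3b/4).
 * $knownUsers stands in for the real user backend lookup.
 */
function certLoginDecision(array $server, $expectedIssuerDn, array $knownUsers)
{
    if (!hasValidClientCert($server, $expectedIssuerDn)) {
        return null;
    }
    $user = userNameFromSubject($server);
    if ($user === null || !in_array($user, $knownUsers, true)) {
        return null; // USERNAME_NOT_VALID in the issue's wording
    }
    return $user;
}

// Constructed sample: what the question's fastcgi_param lines would deliver,
// plus SSL_CLIENT_V_REMAIN, which the question's list does not pass yet.
$issuer = '/C=DE/O=Example PKI/CN=Example Issuing CA';
$sample = array(
    'SSL_CLIENT_VERIFY'   => 'SUCCESS',
    'SSL_CLIENT_V_REMAIN' => '120',
    'SSL_CLIENT_S_DN'     => '/C=DE/O=Example PKI/CN=alice',
    'SSL_CLIENT_I_DN'     => $issuer,
);
$users = array('alice', 'bob');

var_dump(certLoginDecision($sample, $issuer, $users));                                                // verified cert, known user
var_dump(certLoginDecision(array('SSL_CLIENT_VERIFY' => 'NONE') + $sample, $issuer, $users));         // no certificate presented
var_dump(certLoginDecision(array('SSL_CLIENT_V_REMAIN' => '0') + $sample, $issuer, $users));          // validity period over
var_dump(certLoginDecision(array('SSL_CLIENT_S_DN' => 'CN=carol,O=Example PKI,C=DE') + $sample, $issuer, $users)); // RFC 2253 DN, user not in backend
```

Two things to keep in mind when wiring this to a real login hook. First, these `$_SERVER` entries are only trustworthy because nginx fills them from its own `$ssl_client_*` variables after verifying the chain against the CA bundle given by `ssl_client_certificate` with `ssl_verify_client on` (add `ssl_crl` if the PKI publishes revocations); they are not request headers a client could set. Second, `$ssl_client_verify` is `NONE` when no certificate was sent, which is exactly the case step 5 of the issue wants to send to the password form, so treating anything other than `SUCCESS` as "no certificate login" covers both the missing and the failed-verification cases.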
Hello,
will there be support for client certificates in the ownCloud mobile apps (iOS / Android)? Do you know the date of implementation?
Thanks
Another great security feature the release includes is support for SSL client certificates that provide an additional layer of security by empowering admins to distribute certificates to users and restrict access thereby (in addition to usual passwords).
from https://owncloud.org/blog/new-desktop-client-2-3-0-release-out-now/