From ca2123429ef4be250cde796cee5c8a8cec1aca42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebasti=C3=A1n=20Arcila=20Valenzuela?= Date: Thu, 12 Sep 2019 00:50:17 +0000 Subject: Backport of ee/15773: Allow SmartCard authentication to use SAN extensions --- config/gitlab.yml.example | 4 +++ doc/administration/auth/smartcard.md | 69 ++++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 87159b695f9..92674aafa90 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -718,6 +718,10 @@ production: &base # Browser session with smartcard sign-in is required for Git access # required_for_git_access: false + # Use X.509 SAN extensions certificates to identify GitLab users + # Add a subjectAltName to your certificates like: email:user + # san_extensions: true + ## Kerberos settings kerberos: # Allow the HTTP Negotiate authentication method for Git clients diff --git a/doc/administration/auth/smartcard.md b/doc/administration/auth/smartcard.md index 4f236d1afb8..920a2f0b399 100644 --- a/doc/administration/auth/smartcard.md +++ b/doc/administration/auth/smartcard.md @@ -39,6 +39,45 @@ Certificate: Subject: CN=Gitlab User, emailAddress=gitlab-user@example.com ``` +### Authentication against a local database with X.509 certificates and SAN extensions **(PREMIUM ONLY)** + +> [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/8605) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.3. + +Smartcards with X.509 certificates using SAN extensions can be used to authenticate +with GitLab. + +NOTE: **Note:** +This is an experimental feature. Smartcard authentication against local databases may +change or be removed completely in future releases. + +To use a smartcard with an X.509 certificate to authenticate against a local +database with GitLab, at least one of the `subjectAltName` (SAN) extensions +need to define the user identity (`email`) within the GitLab instance (`URI`). + +`URI`: needs to match `Gitlab.config.host.gitlab`. + +For example: + +```text +Certificate: + Data: + Version: 1 (0x0) + Serial Number: 12856475246677808609 (0xb26b601ecdd555e1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=Random Corp Ltd, CN=Random Corp + Validity + Not Before: Oct 30 12:00:00 2018 GMT + Not After : Oct 30 12:00:00 2019 GMT + ... + X509v3 extensions: + X509v3 Key Usage: + Key Encipherment, Data Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication + X509v3 Subject Alternative Name: + email:gitlab-user@example.com, URI:http://gitlab.example.com/ +``` + ### Authentication against an LDAP server > [Introduced](https://gitlab.com/gitlab-org/gitlab-ee/issues/7693) in @@ -152,6 +191,36 @@ attribute. As a prerequisite, you must use an LDAP server that: 1. Save the file and [restart](../restart_gitlab.md#installations-from-source) GitLab for the changes to take effect. +### Additional steps when using SAN extensions + +**For Omnibus installations** + +1. Add to `/etc/gitlab/gitlab.rb`: + + ```ruby + gitlab_rails['smartcard_san_extensions'] = true + ``` + +1. Save the file and [reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) + GitLab for the changes to take effect. + +**For installations from source** + +1. Add the `san_extensions` line to config/gitlab.yml` within the smartcard section: + + ```yaml + smartcard: + enabled: true + ca_file: '/etc/ssl/certs/CA.pem' + client_certificate_required_port: 3444 + + # Enable the use of SAN extensions to match users with certificates + san_extensions: true + ``` + +1. Save the file and [restart](../restart_gitlab.md#installations-from-source) + GitLab for the changes to take effect. + ### Additional steps when authenticating against an LDAP server **For Omnibus installations** -- cgit v1.2.1