CentOS 6.4: NSS, MD5 Certificates, and Authentication Problems: UPDATE

In tinkering with setting up a kickstart script to get a basic workstation installed just like I want, I decided to revisit the authentication issue related to certificates with an MD5 signature. Thankfully there is a workaround to enable MD5 support in the nss package that worked for me: add 'export NSS_HASH_ALG_SUPPORT=+MD5' to /etc/sysconfig/init and reboot. Thanks go to @NewLifeMark and this blog posting.
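Since that environment variable turns a broken hash back on system-wide, it is worth confirming which certificate in the chain actually carries an MD5 signature before shipping the override to every workstation. The helpers below are an added example (not from the original post): one reads the signature algorithm out of an `openssl x509 -noout -text` dump, the other appends the export line to an init file only if it is not already there, so it is safe to call from a kickstart %post that may run more than once. The certificate dumps are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print the signature algorithm named in a certificate text dump read from stdin
# (the output of: openssl x509 -in cert.pem -noout -text).
cert_signature_algorithm() {
    sed -n 's/^[[:space:]]*Signature Algorithm: \([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if the dump on stdin describes an MD5-signed certificate.
cert_is_md5_signed() {
    case "$(cert_signature_algorithm)" in
        md5*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Append the NSS override to the given init file (e.g. /etc/sysconfig/init)
# unless an identical line is already present, so repeated runs add it once.
ensure_nss_md5_override() {
    file="$1"
    line='export NSS_HASH_ALG_SUPPORT=+MD5'
    if ! grep -qxF "$line" "$file" 2>/dev/null; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# Constructed sample: the lines of an MD5-signed certificate dump that matter here.
SAMPLE_MD5_DUMP='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=Example CA
    Signature Algorithm: md5WithRSAEncryption'

# Constructed sample of a certificate signed with SHA-256.
SAMPLE_SHA256_DUMP='Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example CA'

# Usage against a real certificate:
#   openssl x509 -in cacert.pem -noout -text | cert_is_md5_signed && echo "MD5-signed"
#   ensure_nss_md5_override /etc/sysconfig/init
```

Only the hosts whose dump reports an md5 algorithm need the override; everything else should keep the NSS default.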


Setting up Git on Apache+SSL+LDAP

I used the following post as a way to get things started.

Set up your repos. Adding the EPEL repo to CentOS will knock out some base packages, so as a rule it's good to set up priorities, but that's not part of this howto and can be found here. Anyway, install git.

I decided to place the repository within /var/www/html simply because it's my preference, but it could go anywhere.

mkdir -p /var/www/html/git/project

cd /var/www/html/git/project

git --bare init

Then I set the permissions so the webserver has ownership:

chown -R apache:apache /var/www/html/git

Then run update-server-info:

sudo -u apache git update-server-info

Next is to configure Apache. Remember to have your SSL certs prepared beforehand. Also, each distro is different in how it lays out the Apache configuration, especially in regards to extra modules like SSL and WebDAV. Consult your documentation.

First I make sure the modules I need are set to load, such as SSL, WebDAV, and LDAP (authz). I want all traffic to be encrypted, so I redirect all HTTP requests to HTTPS:

<VirtualHost *:80>
        ServerAdmin cbiadmin@utsa.edu
        ServerName darwin2.cbi.utsa.edu
        Redirect permanent / https://darwin2.cbi.utsa.edu/
</VirtualHost>

Also I’m using LDAP with TLS so Apache needs to know the CA cert:

LDAPTrustedGlobalCert CA_BASE64 /path/to/cacert.pem

On a side note, it's good to protect your webserver by hiding the version numbers via:

ServerTokens ProductOnly
ServerSignature Off

Then I set up SSL, which on my system lives in /etc/httpd/conf/extra/httpd-ssl.conf. There I set up the following virtual host:

<VirtualHost _default_:443>

ServerName www.example.com:443
ServerAdmin admin@example.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:!LOW:!MEDIUM:!MD5:DH:!EXPORT:!aNULL:!3DES
SSLCertificateFile /path/to/server-cert.pem
SSLCertificateKeyFile /path/to/server-key.pem
SSLCACertificateFile /path/to/cacert.pem

# Everything under /git/ requires an LDAP login; access is then opened per repository below.
<Directory /var/www/html/git/>
        DAV On
        Options ExecCGI FollowSymLinks Indexes
        Deny from all
        AuthType Basic
        AuthName "Git Repository"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPURL "ldap://ldap.example.com:389/ou=people,dc=example,dc=com?uid" TLS
        AuthLDAPBindDN cn=binduser,ou=DSA,dc=example,dc=com
        AuthLDAPBindPassword password
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        Require valid-user
</Directory>

# Reads (GET) and the WebDAV write methods for this repository are limited to one LDAP group.
<Directory /var/www/html/git/project>
        Allow from all
        Order allow,deny
        <Limit GET>
                Require ldap-group cn=groupname,ou=group,dc=example,dc=com
        </Limit>
        <Limit GET PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
                Require ldap-group cn=groupname,ou=group,dc=example,dc=com
        </Limit>
</Directory>
</VirtualHost>

Here authentication is handled by Apache against LDAP, which in our case is very nice as all our user information is in LDAP. Next, on the client side, you'll have to set the username and password and the certificates.
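Before switching to the client, a quick way to confirm the server side behaves as the configuration above intends: the functions below read the response headers that `curl -sI <url>` prints and check for the permanent redirect to https://, the Basic-auth challenge in the "Git Repository" realm, and a Server header stripped of version numbers by ServerTokens ProductOnly. This is an added example, not part of the original post; the header blocks used as input are constructed samples that mirror what the post's vhosts would return.

```shell
#!/bin/sh
# Added example, not from the original post: post-deployment smoke test for
# the Apache vhosts above. Each function reads HTTP response headers on stdin
# (as printed by `curl -sI`) and returns 0 if they match the intended behaviour.

# The port-80 vhost must answer with a 301 whose Location is an https:// URL.
redirects_to_https() {
    headers=$(cat)
    printf '%s\n' "$headers" | head -n 1 | grep -q ' 301 ' &&
    printf '%s\n' "$headers" | grep -qi '^Location: https://'
}

# An anonymous request to the repository must be challenged with Basic auth
# in the realm set by AuthName, rather than served or redirected.
requires_basic_auth() {
    headers=$(cat)
    printf '%s\n' "$headers" | head -n 1 | grep -q ' 401 ' &&
    printf '%s\n' "$headers" | grep -qi '^WWW-Authenticate: Basic realm="Git Repository"'
}

# With ServerTokens ProductOnly the Server header carries no version digits.
server_header_hides_version() {
    if grep -i '^Server:' | grep -q '[0-9]'; then
        return 1
    fi
    return 0
}

# Constructed sample: what the port-80 redirect vhost should return.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://darwin2.cbi.utsa.edu/
Content-Type: text/html; charset=iso-8859-1'

# Constructed sample: an anonymous request to the repository over HTTPS.
SAMPLE_CHALLENGE='HTTP/1.1 401 Authorization Required
Server: Apache
WWW-Authenticate: Basic realm="Git Repository"
Content-Type: text/html; charset=iso-8859-1'

# Constructed sample of a server that still advertises its version.
SAMPLE_LEAKY='HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Content-Type: text/plain'

# Usage against the live server:
#   curl -sI http://darwin2.cbi.utsa.edu/ | redirects_to_https && echo "redirect ok"
#   curl -sI https://www.example.com/git/project/ | requires_basic_auth && echo "auth required"
#   curl -sI https://www.example.com/ | server_header_hides_version && echo "version hidden"
```

Run the three checks after every Apache reload; a 200 where a 401 is expected means the Directory block is no longer being applied to the repository path.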

To set the username/password for git to use, create a file in your home directory called .netrc and add the following:

machine example.com
login username
password password

Then, to set up the certificates, download the CA cert and place it somewhere, like ~/.certs. It must be in X.509 (PEM) format, which can be done via the following:

openssl x509 -in cacert.pem -out cacert.crt

Then tell git to use this via:

git config --global http.sslcapath ~/.certs/

git config --global http.sslcainfo ~/.certs/cacert.crt
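The client steps above as one script, added here as an example and not part of the original post. Beyond the post's commands it creates .netrc with owner-only permissions (the file holds the LDAP password in clear text, so other local users must not be able to read it), keeps the certificate directory private, and writes absolute paths into the git config. The function names, and the use of `git config --file` so the same function can target a scratch config file, are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: client-side setup for the
# password-protected HTTPS repository described above.

# Write a .netrc file with one machine entry, created with mode 0600 so the
# password is readable by the owner only. Existing contents are replaced.
write_netrc() {
    file="$1" machine="$2" login="$3" password="$4"
    ( umask 077; printf 'machine %s\nlogin %s\npassword %s\n' "$machine" "$login" "$password" > "$file" )
    chmod 600 "$file"
}

# Return 0 if the file's permission bits are exactly 0600.
netrc_is_private() {
    [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# Copy the CA certificate into a private certs directory as PEM X.509
# (the openssl invocation from the post).
install_ca_cert() {
    src="$1" certdir="$2"
    mkdir -p "$certdir"
    chmod 700 "$certdir"
    openssl x509 -in "$src" -out "$certdir/cacert.crt"
}

# Point git's HTTPS client at the CA certificate, using absolute paths.
# cfgfile is the git config file to write; pass "$HOME/.gitconfig" for the
# real global config (equivalent to the post's `git config --global`).
configure_git_ca() {
    cfgfile="$1" certdir="$2"
    git config --file "$cfgfile" http.sslCAPath "$certdir"
    git config --file "$cfgfile" http.sslCAInfo "$certdir/cacert.crt"
}

# Full client setup: setup_git_client <server host> <login> <password> <cacert.pem>
setup_git_client() {
    host="$1" login="$2" password="$3" cacert="$4"
    write_netrc "$HOME/.netrc" "$host" "$login" "$password"
    install_ca_cert "$cacert" "$HOME/.certs"
    configure_git_ca "$HOME/.gitconfig" "$HOME/.certs"
}

# Usage:
#   setup_git_client example.com username password ./cacert.pem
#   netrc_is_private "$HOME/.netrc" || echo "WARNING: ~/.netrc is readable by others"
```

The machine name in .netrc has to match the host in the clone URL exactly, or git will prompt for credentials instead of using the file.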

Now you should have a working git repository password protected and encrypted in transit.