<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>DebianSingleSignOn - Debian Wiki</title> </head> <body lang="en" dir="ltr"> <div id="page" lang="en" dir="ltr"> <div dir="ltr" id="content" lang="en"><span class="anchor" id="top"></span> <span class="anchor" id="line-1"></span><span class="anchor" id="line-2"></span><span class="anchor" id="line-3"></span><p class="line867"><span class="anchor" id="line-4"></span><span class="anchor" id="line-5"></span><span class="anchor" id="line-6"></span><span class="anchor" id="line-7"></span><div class="caution"><span class="anchor" id="line-1-1"></span><p class="line874">The Debian SSO service is deprecated. <span class="anchor" id="line-2-1"></span><span class="anchor" id="line-3-1"></span><p class="line862">If you are a service admin please look into using <a href="/Salsa/SSO">Salsa for this purpose</a>. 
</div><span class="anchor" id="line-8"></span><span class="anchor" id="line-9"></span><p class="line867"><div class="table-of-contents"><p class="table-of-contents-heading">Contents<ol><li> <a href="#Debian_SSO_documentation">Debian SSO documentation</a><ol><li> <a href="#If_you_ARE_a_Debian_Developer">If you ARE a Debian Developer</a></li><li> <a href="#If_you_ARE_NOT_.28yet.29_a_Debian_Developer">If you ARE NOT (yet) a Debian Developer</a></li><li> <a href="#Browser_support">Browser support</a><ol><li> <a href="#firefox">firefox</a></li><li> <a href="#chromium_.2F_chrome">chromium / chrome</a></li><li> <a href="#curl">curl</a></li><li> <a href="#elinks">elinks</a></li><li> <a href="#links2">links2</a></li><li> <a href="#lynx">lynx</a></li><li> <a href="#wget">wget</a></li><li> <a href="#konqueror.2C_rekonq">konqueror, rekonq</a></li><li> <a href="#xombrero">xombrero</a></li><li> <a href="#Tor_Browser">Tor Browser</a></li><li> <a href="#Netsurf">Netsurf</a></li><li> <a href="#Internet_Explorer">Internet Explorer</a></li><li> <a href="#Use_with_a_Yubikey_in_PIV_mode">Use with a Yubikey in PIV mode</a></li><li> <a href="#iOS_Safari">iOS Safari</a></li></ol></li><li> <a href="#Documentation_for_Users">Documentation for Users</a><ol><li> <a href="#Getting_a_certificate">Getting a certificate</a></li><li> <a href="#Using_certificates">Using certificates</a></li><li> <a href="#Creating_certificates_manually">Creating certificates manually</a></li><li> <a href="#SSO-enabled_sites">SSO-enabled sites</a></li></ol></li></ol></li><li> <a href="#Sustainability">Sustainability</a><ol><li> <a href="#Providing_feedback">Providing feedback</a></li><li> <a href="#People_behind_this_service">People behind this service</a></li></ol></li></ol></div> <span class="anchor" id="line-10"></span><span class="anchor" id="line-11"></span><p class="line867"> <h1 id="Debian_SSO_documentation">Debian SSO documentation</h1> <span class="anchor" id="line-12"></span><span class="anchor" 
id="line-13"></span><p class="line862">Debian has a <strong>S</strong>ingle <strong>S</strong>ign-<strong>O</strong>n system for authenticating to web services at <a class="https" href="https://sso.debian.org/">https://sso.debian.org/</a>, based on TLS client certificates. Installed certificates can usually be inspected in the browser's certificate settings (in Firefox, for example, via the preferences menu). Note that this wiki itself does not support SSO. <span class="anchor" id="line-14"></span><span class="anchor" id="line-15"></span><p class="line874">The certificates are separate from the OpenPGP key that Debian members must have: SSO certificates are used only for web authentication, whereas the OpenPGP key is used, for example, to sign "advocate" statements for new members. <span class="anchor" id="line-16"></span><span class="anchor" id="line-17"></span><p class="line874">How to obtain a certificate for Debian SSO: <span class="anchor" id="line-18"></span><span class="anchor" id="line-19"></span><p class="line867"> <h2 id="If_you_ARE_a_Debian_Developer">If you ARE a Debian Developer</h2> <span class="anchor" id="line-20"></span><span class="anchor" id="line-21"></span><ol type="1"><li><p class="line862">Set your SSO password via <a class="https" href="https://db.debian.org/">https://db.debian.org/</a>. <span class="anchor" id="line-22"></span></li><li>Wait a few minutes for propagation. <span class="anchor" id="line-23"></span></li><li><p class="line862">Use the Debian icon on the left-hand side at <a class="https" href="https://sso.debian.org/">https://sso.debian.org/</a>. <span class="anchor" id="line-24"></span><span class="anchor" id="line-25"></span></li></ol><p class="line874">Note that the login name is not your full @debian.org e-mail address, only the local part before the @. 
<span class="anchor" id="line-26"></span><span class="anchor" id="line-27"></span><p class="line867"> <h2 id="If_you_ARE_NOT_.28yet.29_a_Debian_Developer">If you ARE NOT (yet) a Debian Developer</h2> <span class="anchor" id="line-28"></span><span class="anchor" id="line-29"></span><p class="line874">No new accounts will be created. <span class="anchor" id="line-30"></span>Please use <a href="/Salsa">Salsa</a> instead. <span class="anchor" id="line-31"></span><span class="anchor" id="line-32"></span><p class="line867"><hr /><p class="line874"> <span class="anchor" id="line-33"></span> <h2 id="Browser_support">Browser support</h2> <span class="anchor" id="line-34"></span><span class="anchor" id="line-35"></span><p class="line874">This section collects the current status of, and tips for, browser and HTTP client support for sso.debian.org and client certificates. <span class="anchor" id="line-36"></span><span class="anchor" id="line-37"></span><p class="line874">Please help keep it up to date by adding your own experience and tips. <span class="anchor" id="line-38"></span><span class="anchor" id="line-39"></span><p class="line867"> <h3 id="firefox">firefox</h3> <span class="anchor" id="line-40"></span><span class="anchor" id="line-41"></span><p class="line874">On Firefox 75.x (also tested successfully with Firefox 91.5.0esr on Debian buster, 2022-01-17): <span class="anchor" id="line-42"></span><span class="anchor" id="line-43"></span><ul><li><p class="line862">Go to <tt class="backtick">about:config</tt> and set <tt class="backtick">security.tls.enable_post_handshake_auth</tt> to <tt class="backtick">true</tt>. 
<span class="anchor" id="line-44"></span></li><li><p class="line862">Generate a certificate <a href="/DebianSingleSignOn#Creating_certificates_manually">manually</a>, then: <span class="anchor" id="line-45"></span></li><li><p class="line862">Navigate to about:preferences => Privacy & Security => Certificates => View Certificates => Your Certificates => Import, and load the certificate. <span class="anchor" id="line-46"></span><span class="anchor" id="line-47"></span></li></ul><p class="line862">With Firefox >= 69 only the <a href="/DebianSingleSignOn#Creating_certificates_manually">manual process</a> works, because support for <tt class="backtick">&lt;keygen&gt;</tt> was dropped. <span class="anchor" id="line-48"></span><span class="anchor" id="line-49"></span><p class="line862">Since Firefox 63 (TODO: check the exact affected release range), after Apache, OpenSSL and Firefox updates that brought in TLS 1.3, it is necessary to go to <tt class="backtick">about:config</tt> and set <tt class="backtick">security.tls.enable_post_handshake_auth</tt> to <tt class="backtick">true</tt>. The reason is that TLS 1.3 removed renegotiation: a server that asks for the client certificate only for some locations, rather than in the initial handshake, has to use post-handshake authentication (RFC 8446, section 4.6.2), and Firefox only advertises support for that when this preference is set; see the upstream <a class="https" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1511989">bug report</a>. <span class="anchor" id="line-50"></span><span class="anchor" id="line-51"></span><p class="line862">After generating a new certificate, either restart the browser or remove active logins (History → Clear Recent History... → "Active Logins" → "Clear Now") and then try again. You may also need to remove the association between the certificate and the site (see <em>Troubleshooting</em> below). <span class="anchor" id="line-52"></span><span class="anchor" id="line-53"></span><ul><li><p class="line862">Firefox Quantum (>= 58, 2018): works, but the workflow is fiddly; it can be made to work. 
<span class="anchor" id="line-54"></span><span class="anchor" id="line-55"></span><span class="anchor" id="line-56"></span></li></ul><p class="line874">Automatic certificate generation works, and so does certificate selection. <span class="anchor" id="line-57"></span>A Firefox restart is needed after certificate generation. <span class="anchor" id="line-58"></span><span class="anchor" id="line-59"></span><p class="line862">If you created a certificate using the manual process at <a class="https" href="https://sso.debian.org/debian/certs/enroll_csr/">https://sso.debian.org/debian/certs/enroll_csr/</a>, make sure you imported the resulting certificate into Firefox (about:preferences => certificates => import). <span class="anchor" id="line-60"></span><span class="anchor" id="line-61"></span><p class="line874">Troubleshooting: if you are sure that your SSO browser certificate works and is still valid, but an SSO-enabled Debian site does not trigger Firefox's "User Identification Request" dialog, you may have visited that site before and told Firefox not to use the SSO certificate for it. Firefox remembers that decision; it will likewise keep presenting an expired certificate you used in the past, and then fail to open the site at all. <span class="anchor" id="line-62"></span><ul><li>Try again in a private browsing window; if SSO login works there, the certificate is correctly imported into the browser. <span class="anchor" id="line-63"></span></li><li>History → "Clear Recent History" (namely "Active Logins") in your web browser. <span class="anchor" id="line-64"></span></li><li><p class="line862">Remove the association of the certificate with the site: about:preferences → Privacy & Security → Certificates → View Certificates → Authentication Decisions, and delete the incorrect entries. <span class="anchor" id="line-65"></span></li><li>Another option is to close and restart all Firefox tabs/windows of the current desktop session. 
<span class="anchor" id="line-66"></span><span class="anchor" id="line-67"></span></li></ul><p class="line874">Any or all of the above might be needed. <span class="anchor" id="line-68"></span><span class="anchor" id="line-69"></span><p class="line867"> <h3 id="chromium_.2F_chrome">chromium / chrome</h3> <span class="anchor" id="line-70"></span><span class="anchor" id="line-71"></span><ul><li>Tested with: Chromium 44. <span class="anchor" id="line-72"></span><span class="anchor" id="line-73"></span></li></ul><p class="line874">Automatic certificate generation works, and so does certificate selection. <span class="anchor" id="line-74"></span><span class="anchor" id="line-75"></span><p class="line874">If you want to access a site again with a different certificate, or with none, use an Incognito window. <span class="anchor" id="line-76"></span><span class="anchor" id="line-77"></span><ul><li>Chromium 49-56 needs the Key Generation permission <span class="anchor" id="line-78"></span><span class="anchor" id="line-79"></span></li></ul><p class="line874">Starting from Chromium 49, a website must be explicitly allowed to use the Key Generation feature. Visit Debian SSO, click the HTTPS padlock and allow the feature for this site. <span class="anchor" id="line-80"></span><span class="anchor" id="line-81"></span><p class="line874">Once generated, your client certificate is downloaded but not imported automatically. Opening the downloaded file starts the Chromium certificate manager, which imports it. <span class="anchor" id="line-82"></span><span class="anchor" id="line-83"></span><ul><li><p class="line862">Chromium 57+ removed Key Generation support; only the <a href="/DebianSingleSignOn#Creating_certificates_manually">manual approach below</a> works. 
<span class="anchor" id="line-84"></span><span class="anchor" id="line-85"></span></li></ul><p class="line874">Alternatively, generate a certificate manually, then bundle key and certificate into a PKCS#12 file: <span class="anchor" id="line-86"></span><span class="anchor" id="line-87"></span><span class="anchor" id="line-88"></span><pre><span class="anchor" id="line-1"></span>openssl pkcs12 -export -out name.p12 -inkey name.key -in name.crt -nodes</pre><span class="anchor" id="line-89"></span><p class="line862">and import <tt>name.p12</tt> from the certificate dialog at <tt>chrome://settings/certificates</tt> or from the command line with: <span class="anchor" id="line-90"></span><span class="anchor" id="line-91"></span><span class="anchor" id="line-92"></span><pre><span class="anchor" id="line-1-1"></span>pk12util -i name.p12 -d sql:$HOME/.pki/nssdb </pre><span class="anchor" id="line-93"></span><span class="anchor" id="line-94"></span><p class="line874">The <tt>.p12</tt> file contains your private key: give it a non-empty export password, keep it readable only by you (mode 0600) and delete it once it has been imported. <p class="line867"> <h3 id="curl">curl</h3> <span class="anchor" id="line-95"></span><span class="anchor" id="line-96"></span><p class="line862">You can <a href="/DebianSingleSignOn#Creating_certificates_manually">use local certificates</a>: <span class="anchor" id="line-97"></span><span class="anchor" id="line-98"></span><p class="line867"><span class="anchor" id="line-99"></span><span class="anchor" id="line-100"></span><pre><span class="anchor" id="line-1-2"></span> curl --key $USER.key --cert $USER.crt https://sso.debian.org/ca/test/env</pre><span class="anchor" id="line-101"></span><span class="anchor" id="line-102"></span><p class="line867"> <h3 id="elinks">elinks</h3> <span class="anchor" id="line-103"></span><span class="anchor" id="line-104"></span><p class="line862">From version <tt class="backtick">0.13~20190125-1</tt>, you can use local certificates generated by <a href="/DebianSingleSignOn#Creating_certificates_manually">enrolling manually</a>. <span class="anchor" id="line-105"></span><span class="anchor" id="line-106"></span><p class="line874">Concatenate the 
certificate and key into a single file first: <span class="anchor" id="line-107"></span><span class="anchor" id="line-108"></span><span class="anchor" id="line-109"></span><pre><span class="anchor" id="line-1-3"></span> cat $USER.crt $USER.key > client_cert.pem</pre><span class="anchor" id="line-110"></span><span class="anchor" id="line-111"></span><p class="line874">The combined file now contains your private key, so keep it readable only by you (mode 0600). Then configure elinks to use client certificates (usually in ~/.elinks/elinks.conf): <span class="anchor" id="line-112"></span><span class="anchor" id="line-113"></span><p class="line867"><span class="anchor" id="line-114"></span><span class="anchor" id="line-115"></span><span class="anchor" id="line-116"></span><pre><span class="anchor" id="line-1-4"></span> set connection.ssl.client_cert.enable = 1
<span class="anchor" id="line-2"></span> set connection.ssl.client_cert.file = "client_cert.pem"</pre><span class="anchor" id="line-117"></span><span class="anchor" id="line-118"></span><p class="line867"> <h3 id="links2">links2</h3> <span class="anchor" id="line-119"></span><span class="anchor" id="line-120"></span><p class="line862">From version <tt class="backtick">2.10-2</tt> (see <a class="interwiki" href="https://bugs.debian.org/797066" title="DebianBug">797066</a>) you can use local certificates generated by <a href="/DebianSingleSignOn#Creating_certificates_manually">enrolling manually</a>: <span class="anchor" id="line-121"></span><span class="anchor" id="line-122"></span><p class="line867"><span class="anchor" id="line-123"></span><span class="anchor" id="line-124"></span><pre><span class="anchor" id="line-1-5"></span> links2 -http.client_cert_key $USER.key -http.client_cert_crt $USER.crt https://sso.debian.org/ca/test/env</pre><span class="anchor" id="line-125"></span><span class="anchor" id="line-126"></span><p class="line862">From version <tt class="backtick">2.11.1-1</tt> on, you can also configure client certificates permanently via Setup → Network options → SSL options. 
From that version on, encrypted private keys for client certificates are also supported. <span class="anchor" id="line-127"></span><span class="anchor" id="line-128"></span><p class="line867"> <h3 id="lynx">lynx</h3> <span class="anchor" id="line-129"></span><span class="anchor" id="line-130"></span><p class="line862">From version <tt class="backtick">2.8.9dev6-4</tt> (see <a class="interwiki" href="https://bugs.debian.org/797901" title="DebianBug">797901</a>) you can use local certificates generated by <a href="/DebianSingleSignOn#Creating_certificates_manually">enrolling manually</a>. Any of the following works: <span class="anchor" id="line-131"></span><span class="anchor" id="line-132"></span><ul><li><p class="line862">Set the configuration options <tt class="backtick">SSL_CLIENT_CERT_FILE</tt> and <tt class="backtick">SSL_CLIENT_KEY_FILE</tt> in <tt class="backtick">/etc/lynx-cur/lynx.cfg</tt> (newer Debian releases ship the file as <tt class="backtick">/etc/lynx/lynx.cfg</tt>) <span class="anchor" id="line-133"></span></li><li><p class="line862">Set the environment variables <tt class="backtick">SSL_CLIENT_CERT_FILE</tt> and <tt class="backtick">SSL_CLIENT_KEY_FILE</tt> to the appropriate values <span class="anchor" id="line-134"></span></li><li><p class="line862">Use the built-in Options Menu in Lynx (key <tt class="backtick">O</tt>, entries SSL client certificate/key) <span class="anchor" id="line-135"></span><span class="anchor" id="line-136"></span></li></ul><p class="line867"> <h3 id="wget">wget</h3> <span class="anchor" id="line-137"></span><span class="anchor" id="line-138"></span><p class="line862">From version <tt class="backtick">1.17-1</tt> (see <a class="interwiki" href="https://bugs.debian.org/797057" title="DebianBug">797057</a>) you can use local certificates generated by <a href="/DebianSingleSignOn#Creating_certificates_manually">enrolling manually</a>: 
<span class="anchor" id="line-139"></span><span class="anchor" id="line-140"></span><p class="line867"><span class="anchor" id="line-141"></span><span class="anchor" id="line-142"></span><pre><span class="anchor" id="line-1-6"></span> wget --certificate=$USER.crt --private-key=$USER.key https://sso.debian.org/ca/test/env</pre><span class="anchor" id="line-143"></span><span class="anchor" id="line-144"></span><p class="line867"> <h3 id="konqueror.2C_rekonq">konqueror, rekonq</h3> <span class="anchor" id="line-145"></span><span class="anchor" id="line-146"></span><p class="line874">Client certificate support still needs to be implemented. <span class="anchor" id="line-147"></span><span class="anchor" id="line-148"></span><p class="line867"> <h3 id="xombrero">xombrero</h3> <span class="anchor" id="line-149"></span><span class="anchor" id="line-150"></span><p class="line862">It cannot currently be used, even for manual certificate generation, because it lacks basic support for <a class="https" href="https://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly">httponly cookies</a>; see <a class="interwiki" href="https://bugs.debian.org/797171" title="DebianBug">797171</a>. <span class="anchor" id="line-151"></span><span class="anchor" id="line-152"></span><p class="line874">Note that this browser is currently orphaned in Debian. <span class="anchor" id="line-153"></span><span class="anchor" id="line-154"></span><p class="line867"> <h3 id="Tor_Browser">Tor Browser</h3> <span class="anchor" id="line-155"></span><span class="anchor" id="line-156"></span><p class="line874">As of Tor Browser 5.0.2, enrolling and using the certificate works as long as "Don't record browsing history or website data" is unchecked in the "Privacy and security settings". Whether the certificate is indeed preserved across browser restarts has not been checked yet. 
<span class="anchor" id="line-157"></span><span class="anchor" id="line-158"></span><p class="line867"> <h3 id="Netsurf">Netsurf</h3> <span class="anchor" id="line-159"></span><span class="anchor" id="line-160"></span><p class="line862">netsurf does not currently support client certificate authentication, but <a class="interwiki" href="https://bugs.debian.org/797747" title="DebianBug">797747</a> has a patch that makes it load and use certificate files given via environment variables. <span class="anchor" id="line-161"></span><span class="anchor" id="line-162"></span><p class="line867"> <h3 id="Internet_Explorer">Internet Explorer</h3> <span class="anchor" id="line-163"></span><span class="anchor" id="line-164"></span><p class="line874">Not supported. <span class="anchor" id="line-165"></span><span class="anchor" id="line-166"></span><span class="anchor" id="line-167"></span><p class="line867"> <h3 id="Use_with_a_Yubikey_in_PIV_mode">Use with a Yubikey in PIV mode</h3> <span class="anchor" id="line-168"></span><span class="anchor" id="line-169"></span><p class="line874">First, install and configure the base system for use with your Yubikey. Make sure you have one that supports the PIV applet; a NEO or NEO-N should work. Once that works, install the required Yubikey and OpenSC software: <span class="anchor" id="line-170"></span><span class="anchor" id="line-171"></span><p class="line867"><span class="anchor" id="line-172"></span><span class="anchor" id="line-173"></span><pre><span class="anchor" id="line-1-7"></span>sudo apt install yubico-piv-tool opensc-pkcs11 opensc</pre><span class="anchor" id="line-174"></span><span class="anchor" id="line-175"></span><p class="line862">Next, export your certificate in PKCS#12 format. In Iceweasel (Firefox) this is done under Preferences, Advanced, Certificates, View Certificates: select your <tt>@debian.org</tt> certificate and click Backup. 
<span class="anchor" id="line-176"></span><span class="anchor" id="line-177"></span><p class="line874">Now, let's configure your PIV card, starting with the PIN and PUK. If you have never changed them, the default PIN is 123456 and the default PUK is 12345678. <span class="anchor" id="line-178"></span><span class="anchor" id="line-179"></span><p class="line867"><span class="anchor" id="line-180"></span><span class="anchor" id="line-181"></span><span class="anchor" id="line-182"></span><pre><span class="anchor" id="line-1-8"></span>yubico-piv-tool -a change-pin -P 123456 -N ${PIN_HERE}
<span class="anchor" id="line-2-1"></span>yubico-piv-tool -a change-puk -P 12345678 -N ${PUK_HERE}</pre><span class="anchor" id="line-183"></span><span class="anchor" id="line-184"></span><p class="line874">PINs given on the command line end up in your shell history; if you omit <tt>-P</tt>/<tt>-N</tt>, yubico-piv-tool prompts for them instead. Also replace the default management key (<tt>yubico-piv-tool -a set-mgm-key</tt>), since anyone who knows it can overwrite the key you are about to load. Finally, load the key and certificate into slot 9a (PIV Authentication): <span class="anchor" id="line-185"></span><span class="anchor" id="line-186"></span><p class="line867"><span class="anchor" id="line-187"></span><span class="anchor" id="line-188"></span><pre><span class="anchor" id="line-1-9"></span>yubico-piv-tool -s 9a -i DebianSSOKey.p12 -K PKCS12 -a set-chuid -a import-key -a import-cert</pre><span class="anchor" id="line-189"></span><span class="anchor" id="line-190"></span><p class="line862">Once imported, delete the <tt>.p12</tt> file: the private key now lives on the token, and a file copy defeats the purpose of the hardware key. Verify that it works under Preferences, Advanced, Certificates, Security Devices: there should be a device under OpenSC with the description Yubikey NEO-N. If you don't see it, you may have to tell Firefox about the PKCS#11 module: click "Load" in the Security Devices dialog and add <tt>/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so</tt>. The device should then appear. 
<span class="anchor" id="line-191"></span><span class="anchor" id="line-192"></span><p class="line867"> <h3 id="iOS_Safari">iOS Safari</h3> <span class="anchor" id="line-193"></span><span class="anchor" id="line-194"></span><p class="line874">Safari cannot generate client certificates, and since iOS gives users no command-line access (short of jailbreaking), you need a computer on which to generate the certificate manually. <span class="anchor" id="line-195"></span><span class="anchor" id="line-196"></span><p class="line874">After generating key and certificate with the manual approach, pack them into a PKCS#12 file. iOS requires the PKCS#12 file to have a password, so do NOT leave it empty: <span class="anchor" id="line-197"></span><span class="anchor" id="line-198"></span><p class="line867"><span class="anchor" id="line-199"></span><span class="anchor" id="line-200"></span><pre><span class="anchor" id="line-1-10"></span>openssl pkcs12 -export -out name.p12 -inkey name.key -in name.crt</pre><span class="anchor" id="line-201"></span><span class="anchor" id="line-202"></span><p class="line862">On iOS, download the file from an HTTP server (for example <tt class="backtick">python3 -m http.server</tt> run on the computer), open it, then go to Settings -> General -> Profiles and install the certificate from there. Serve the <tt>.p12</tt> alone from an otherwise empty directory on a network you trust, and stop the server and delete the file afterwards: http.server exposes its whole working directory over plaintext HTTP, including your private key if it is in there. <span class="anchor" id="line-203"></span><span class="anchor" id="line-204"></span><p class="line867"> <h2 id="Documentation_for_Users">Documentation for Users</h2> <span class="anchor" id="line-205"></span><span class="anchor" id="line-206"></span><p class="line862">If you have a Debian member's account (i.e. an LDAP account), you can log into sso.debian.org using your Debian web password; otherwise, you can log in using your Alioth account credentials. The <a class="https" href="https://sso.debian.org/">SSO front page</a> lets you choose the appropriate option. 
<span class="anchor" id="line-207"></span><span class="anchor" id="line-208"></span><p class="line874">Once you are logged in, you will see the list of certificates you have already generated, and can create new ones or revoke existing ones. <span class="anchor" id="line-209"></span><span class="anchor" id="line-210"></span><p class="line867"> <h3 id="Getting_a_certificate">Getting a certificate</h3> <span class="anchor" id="line-211"></span><span class="anchor" id="line-212"></span><p class="line862">Check <a class="https" href="https://wiki.debian.org/DebianSingleSignOn#Browser_support">above</a> whether your browser is supported. <span class="anchor" id="line-213"></span><span class="anchor" id="line-214"></span><p class="line862">Go to the <a class="https" href="https://sso.debian.org/">SSO main page</a>, log in with the appropriate account (Debian or Alioth) and <a class="https" href="https://en.wikipedia.org/wiki/SPKAC">create a new certificate</a>; the browser generates the key pair itself (via SPKAC) and saves the certificate. You can choose the certificate validity and optionally add a comment to identify the certificate easily in the certificate list; everything else happens automatically. <span class="anchor" id="line-215"></span><span class="anchor" id="line-216"></span><p class="line874">For privacy, the comment is not stored in the certificate itself, so it can only be seen on sso.debian.org. <span class="anchor" id="line-217"></span><span class="anchor" id="line-218"></span><p class="line874">You can have as many certificates as you want, with arbitrary durations. Do not worry about certificate expiry, because getting a new certificate takes just two clicks. For example, if you go on holiday, leave your computer at home and have some trust in your tablet, you can enrol the tablet with a certificate that expires at the end of the holiday, and revoke it from the certificate list early if the tablet goes missing. Feel free to experiment. 
<span class="anchor" id="line-219"></span><span class="anchor" id="line-220"></span><p class="line862">You can also <a href="/DebianSingleSignOn#Creating_certificates_manually">create a new certificate manually</a>. <span class="anchor" id="line-221"></span><span class="anchor" id="line-222"></span><p class="line867"> <h3 id="Using_certificates">Using certificates</h3> <span class="anchor" id="line-223"></span><span class="anchor" id="line-224"></span><p class="line862">You can use <a class="https" href="https://sso.debian.org/ca/test/env">this test page</a> to try your certificates. The browser will ask for confirmation before using one, and if you have more than one it will ask you to choose which one you want to use. <span class="anchor" id="line-225"></span><span class="anchor" id="line-226"></span><p class="line867"> <h3 id="Creating_certificates_manually">Creating certificates manually</h3> <span class="anchor" id="line-227"></span><span class="anchor" id="line-228"></span><p class="line862">You can also visit the <a class="https" href="https://sso.debian.org/">SSO site</a> to enroll manually (link "getting a certificate manually" at the bottom of the certificate generation page) and obtain a key and certificate pair as local files that you can then use with curl, links or any other HTTPS client software that supports client certificates. Once you have logged into the site, choose the "Get new certificate" option and then "getting a certificate manually", which will walk you through generating a key and the appropriate signed challenge for the site to authenticate you. 
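<p class="line874">The PKCS#12 packing step used for iOS above and for browsers that need a .pfx file below, as an added shell example that is not code from this wiki page or from sso.debian.org. It assumes openssl is installed, substitutes a constructed self-signed key/certificate pair for one obtained from sso.debian.org, and adds the checks a practitioner wants: it refuses an empty export password, verifies the key matches the certificate, and reads the bundle back before reporting success.

```shell
#!/bin/sh
# Added example, not code from the Debian wiki or from sso.debian.org.
# Packs a manually obtained key + certificate into PKCS#12 with three checks:
#   1. refuse an empty export password (iOS rejects password-less PKCS#12 files)
#   2. confirm the private key really belongs to the certificate before packing
#   3. read the bundle back with the same password to prove it will import
# File names and the self-signed demo pair are constructed for this example.
set -eu

# pack_p12 KEY CERT OUT PASSWORD -> returns 0 only when OUT was written and re-read
pack_p12() {
    key=$1; cert=$2; out=$3; pass=$4
    if [ -z "$pass" ]; then
        echo "refusing to export $out without a password (iOS requires one)" >&2
        return 1
    fi
    # Public key derived from the private key must equal the one inside the cert.
    if [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != \
         "$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)" ]; then
        echo "$key does not match $cert" >&2
        return 1
    fi
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" -passout "pass:$pass"
    # Round trip: opening the bundle fails if the password or contents are wrong.
    openssl pkcs12 -in "$out" -passin "pass:$pass" -nokeys -noout
}

# p12_subject OUT PASSWORD -> prints the subject of the certificate in the bundle
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
}

# Constructed stand-in for the key/cert you would download from sso.debian.org.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/name.key" -out "$1/name.crt" \
        -subj "/CN=demo-user@example.invalid" 2>/dev/null
}

workdir=$(mktemp -d)
make_demo_pair "$workdir"
pack_p12 "$workdir/name.key" "$workdir/name.crt" "$workdir/name.p12" "demo-password"
p12_subject "$workdir/name.p12" "demo-password"
```

Replace the demo pair with the key you generated and the certificate downloaded from sso.debian.org, and import the resulting .p12 into iOS or the browser as described on this page.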
<span class="anchor" id="line-229"></span><span class="anchor" id="line-230"></span><p class="line874">Some browsers will need a PKCS#12 file to import the locally generated key and certificate: <span class="anchor" id="line-231"></span><span class="anchor" id="line-232"></span><p class="line867"><span class="anchor" id="line-233"></span><span class="anchor" id="line-234"></span><pre><span class="anchor" id="line-1-11"></span>openssl pkcs12 -export -out certificate.pfx -inkey your_private_key.key -in certificate_you_downloaded_from_sso.crt</pre><span class="anchor" id="line-235"></span><span class="anchor" id="line-236"></span><p class="line867"> <h3 id="SSO-enabled_sites">SSO-enabled sites</h3> <span class="anchor" id="line-237"></span><span class="anchor" id="line-238"></span><p class="line874">This is a (possibly incomplete) list of sites that only work with sso.debian.org certificates: <span class="anchor" id="line-239"></span><span class="anchor" id="line-240"></span><ul><li><p class="line891"><a class="https" href="https://tracker.debian.org">https://tracker.debian.org</a> <span class="anchor" id="line-241"></span></li><li><p class="line891"><a class="https" href="https://paste.debian.net">https://paste.debian.net</a> <span class="anchor" id="line-242"></span></li><li><p class="line891"><a class="https" href="https://debtags.debian.org/">https://debtags.debian.org/</a> <span class="anchor" id="line-243"></span><span class="anchor" id="line-244"></span></li></ul><p class="line867"> <h1 id="Sustainability">Sustainability</h1> <span class="anchor" id="line-245"></span><span class="anchor" id="line-246"></span><p class="line874">Information for the long run. <span class="anchor" id="line-247"></span><span class="anchor" id="line-248"></span><p class="line874">This chapter is a work in progress, i.e. it has not yet been reviewed by those who can really tell. 
<span class="anchor" id="line-249"></span><span class="anchor" id="line-250"></span><p class="line867"> <h2 id="Providing_feedback">Providing feedback</h2> <span class="anchor" id="line-251"></span><span class="anchor" id="line-252"></span><p class="line862">Use the <a class="https" href="https://www.debian.org/Bugs/">Debian bug tracking system</a> <span class="anchor" id="line-253"></span>and the <a class="https" href="https://www.debian.org/Bugs/pseudo-packages">pseudo package</a> <span class="anchor" id="line-254"></span><tt class="backtick">sso.debian.org</tt>. <span class="anchor" id="line-255"></span><span class="anchor" id="line-256"></span><span class="anchor" id="line-257"></span><p class="line867"> <h2 id="People_behind_this_service">People behind this service</h2> <span class="anchor" id="line-258"></span><span class="anchor" id="line-259"></span><p class="line874">Contact us through .... <span class="anchor" id="line-260"></span><span class="anchor" id="bottom"></span></div><div id="pagebottom"></div> </div> <div id="footer"> <p id="pageinfo" class="info" lang="en" dir="ltr">DebianSingleSignOn (<a class="nbinfo" href="/DebianSingleSignOn?action=info" rel="nofollow">last modified 2022-06-18 13:10:29</a>)</p> <ul id="credits"> <li>Debian <a href="https://www.debian.org/legal/privacy">privacy policy</a>, Wiki <a href="/Teams/DebianWiki">team</a>, <a href="https://bugs.debian.org/wiki.debian.org">bugs</a> and <a href="https://salsa.debian.org/debian/wiki.debian.org">config</a>.</li><li>Powered by <a href="https://moinmo.in/" title="This site uses the MoinMoin Wiki software.">MoinMoin</a> and <a href="https://moinmo.in/Python" title="MoinMoin is written in Python.">Python</a>, with hosting provided by <a href="https://www.man-da.de/">Metropolitan Area Network Darmstadt</a>.</li> </ul> </div> </body> </html>