MIT SIPB Script Services for Athena

Can I authenticate people using MIT personal certificates?

Yes. There are two ways to do so: one will limit access to an entire directory (with an .htaccess file), and the second will provide the information in the MIT personal certificate to your scripts.

Limiting access with .htaccess

Create a plain-text file called .htaccess in the directory to which you want to restrict access (for example, in the base directory of your wiki or other piece of software).

  • To allow anybody with an MIT certificate to access your site (i.e., to make your site MIT-only), add the following lines to the .htaccess file:
AuthType SSLCert
Require valid-user
ErrorDocument 401 /__scripts/needcerts
  • You can expand on the previous example as follows to restrict access for a single file. Replace “filename” with the name of the page you want to restrict in quotes:
<Files "filename">
AuthType SSLCert
Require valid-user
ErrorDocument 401 /__scripts/needcerts
  • To restrict access to a particular set of one or more usernames:
AuthType SSLCert
Require user _username1_ _username2_
ErrorDocument 401 /__scripts/needcerts
  • To restrict access to members of a Moira list (aka traditional or blanche list) that is an AFS group:
AuthType SSLCert
Require afsgroup system:_group1_ system:_group2_
ErrorDocument 401 /__scripts/needcerts
  • If you want to allow access to members of either an existing list or a list of usernames, you’ll need to create a new list containing the existing list and any additional usernames.

(The ErrorDocument 401 /__scripts/needcerts line ensures that users are redirected to an HTTPS connection on port 444, which is configured to accept certificates. If the user has no certificates, they will be presented with a default error page; to use a custom error page, you can instead use ErrorDocument 401 /__scripts/needcerts/~username/customerror.cgi.)

If you are restricting a WordPress installation, you may need to edit the WordPress address and/or site address in the WordPress admin interface to add :444 after the hostname, to avoid an infinite redirect loop.

Note that the list in question must be visible and an AFS group. You can check the status by running blanche group -i at an Athena prompt: it should say “visible” under flags and “is a group” on the next line. (If you own the list, you can change these by running blanche group -V to make it visible and blanche group -G to make it an AFS group.)

Please double-check that the restrictions are enforced properly, e.g., by using a computer that doesn’t have certificates or asking someone else to try accessing the page. Note that scripts does not support files.

If you have any questions about using this system for restricting access, please contact

Finding certificate information from CGI scripts

If you access your website with HTTPS on port 444 (, the scripts server will request a certificate from the user. It will then create special SSL environment variables based on the user’s identity. The most useful is the variable SSL_CLIENT_S_DN_Email, which can be used to determine the Athena username of the individual currently accessing your script.

Here’s an example of listing these environment variables with Perl:
code | output without SSL | output with SSL

Here’s another example, using PHP to detect whether you’re using certificates:
code | output without SSL | output with SSL

If you’re using Django, a certificate authentication backend is available:
Details on the web | Code: git:// or /afs/

You can also limit access using passwords.

© 2004-2020, the SIPB project.
These pages may be reused under either the GFDL 1.2 or CC-BY-SA 3.0.
Questions? Contact

You are currently connected to