1 [[!meta title="Can I authenticate people using MIT personal certificates?"]]
2 Yes. There are two ways to do so: one will limit access to an
3 entire directory (with an .htaccess file), and the second will
4 provide the information in the
5 [MIT personal certificate](http://ca.mit.edu) to your scripts.
7 #### Limiting access with .htaccess
9 Create a plain-text file called .htaccess in the directory to which
10 you want to restrict access (for example, in the base directory of
11 your wiki or other piece of software).
13 - To allow anybody with an MIT certificate to access your site
14 (i.e., to make your site MIT-only), add the following lines to the
18 ErrorDocument 401 /\_\_scripts/needcerts**
21 - To restrict access to a particular set of one or more
24 Require user *username1* *username2*
25 ErrorDocument 401 /\_\_scripts/needcerts**
28 - To restrict access to members of a Moira list (aka traditional
29 or blanche list) that is an *AFS* group:
31 Require afsgroup system:*group1* system:*group2*
32 ErrorDocument 401 /\_\_scripts/needcerts**
35 - If you want to allow access to members of *either* an existing
36 list or a list of usernames, you’ll need to
37 [create a new list](http://wserv.mit.edu/lc) containing the
38 existing list and any additional usernames.
40 (The **ErrorDocument 401 /\_\_scripts/needcerts** line ensures that
41 users are redirected to an HTTPS connection on port 444, which is
42 configured to accept certificates. If the user has no certificates,
43 they will be presented with a default error page; to use a custom
44 error page, you can instead use
45 **ErrorDocument 401 /\_\_scripts/needcerts/\~username/customerror.cgi**.)
47 Note that the list in question must be visible and an AFS group.
48 You can check the status by running **blanche *group* -i** at an
49 Athena prompt: it should say “visible” under flags and “is a group”
50 on the next line. (If you own the list, you can change these by
51 running **blanche *group* -V** to make it visible and
52 **blanche *group* -G** to make it an AFS group.)
54 Please double-check that the restrictions are enforced properly,
55 e.g., by using a computer that doesn’t have certificates or asking
56 someone else to try accessing the page. Note that scripts does
57 **not** support **.htaccess.mit** files.
59 If you have any questions about using this system for restricting
60 access, please contact [scripts@mit.edu](mailto:scripts@mit.edu).
62 #### Finding certificate information from CGI scripts
64 If you access your website with HTTPS on port 444 (e.g.
65 **https://username.scripts.mit.edu:444/** or
66 **https://scripts.mit.edu:444/\~username/**), or via the
67 scripts-cert hostname (e.g.
68 **https://scripts-cert.mit.edu/\~username/**), the scripts server
69 will request a certificate from the user. It will then create
71 [SSL environment variables](http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25)
72 based on the user’s identity. The most useful is the variable
73 SSL\_CLIENT\_S\_DN\_Email, which can be used to determine the
74 Athena username of the individual currently accessing your script.
76 Here’s an example of listing these environment variables with
78 [code](http://web.mit.edu/~jbarnold/web_scripts/demo/env.pl.html) |
79 [output without SSL](http://scripts.mit.edu/~jbarnold/demo/env.pl)
81 [output with SSL](https://scripts-cert.mit.edu/~jbarnold/demo/env.pl)
83 Here’s another example, using PHP to detect whether you’re using
85 [code](http://web.mit.edu/~geofft/web_scripts/detect.php) |
86 [output without SSL](http://scripts.mit.edu/~geofft/demo/detect.php)
88 [output with SSL](https://scripts-cert.mit.edu/~geofft/demo/detect.php)
90 If you’re using Django, a certificate authentication backend is
92 [Details on the web](http://web.mit.edu/snippets/django/mit/) |
93 Code: git://snippets.scripts.mit.edu/.git or
94 /afs/sipb.mit.edu/project/snippets/
96 You can also limit access using
97 [passwords](http://scripts.mit.edu/faq/23/).
scripts.mit.edu / www / raw.git / blob