author mathieui <mathieui@mathieui.net> 2014-12-11 22:28:44 +0100
committer mathieui <mathieui@mathieui.net> 2014-12-11 22:28:44 +0100
commit 00396c158aa032585db88cfd4b622281ba3cbd7f
tree dfe9711c6ccc3b908c1de8a06bc5080139113bf4 /doc/source/misc/client_certs.rst
parent 21d8a3e7e19dc639262ac7fa7d7817351ff8b4c1
Fix #2847 (SASL External support)

- Add two new options, keyfile and certfile, which must be both set for the auth to work.
- if both are set, then poezio doesn’t force-prompt a password if there is none specified
- add /cert_add, /cert_fetch, /cert_disable, /cert_revoke and /certs commands.
- add a page of documentation on the process
Diffstat (limited to 'doc/source/misc/client_certs.rst')
-rw-r--r-- doc/source/misc/client_certs.rst 43
1 files changed, 43 insertions, 0 deletions
diff --git a/doc/source/misc/client_certs.rst b/doc/source/misc/client_certs.rst
new file mode 100644
index 00000000..df09ea3c
--- /dev/null
+++ b/doc/source/misc/client_certs.rst
@@ -0,0 +1,43 @@
+Using client certificates to login
+==================================
+
+Passwordless authentication is possible in XMPP through the use of mecanisms
+such as `SASL External`_. This mechanism has to be supported by both the client
+and the server. This page does not cover the server setup, but prosody has a
+`mod_client_certs`_ module which can perform this kind of authentication, and
+also helps you create a self-signed certificate.
+
+Poezio configuration
+--------------------
+
+If you created a certificate using the above link, you should have at least
+two files, a ``.crt`` (public key in PEM format) and a ``.key`` (private key
+in PEM format).
+
+You only have to store the files wherever you want and set :term:`keyfile`
+with the path to the private key (``.key``), and :term:`certfile` with the
+path to the public key (``.crt``).
+
+Authorizing your keys
+---------------------
+
+Now your poezio is setup to try to use client certificates at each connection.
+However, you still need to inform your XMPP server that you want to allow
+those keys to access your account.
+
+This is done through :term:`/cert_add`. Once you have added your certificate,
+you can try to connect without a password by commenting the option.
+
+.. note:: The :term:`/cert_add` command and the others are only available if
+ your server supports them.
+
+Next
+----
+Now that this is setup, you might want to use :term:`/certs` to list the
+keys currently known by your XMPP server, :term:`/cert_revoke` or
+:term:`/cert_disable` to remove them, and :term:`/cert_fetch` to retrieve
+a public key.
+
+
+.. _SASL External: http://xmpp.org/extensions/xep-0178.html
+.. _mod_client_certs: https://code.google.com/p/prosody-modules/wiki/mod_client_certs
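Review bot: In "Poezio configuration", the sentence "You only have to store the files wherever you want" gives no guidance on protecting the ``.key`` file, which replaces the password for login; suggest adding a sentence telling users to keep the private key readable only by their own user account. In the same section the ``.crt`` file is described as "public key in PEM format", although the preceding sentence calls it a certificate; the "Next" section repeats this with "retrieve a public key", so using "certificate" consistently would be clearer. Under "Authorizing your keys", "by commenting the option" does not say which option is meant; naming the password option explicitly would remove the ambiguity. Also, "mecanisms" in the first paragraph should be "mechanisms".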