diff options
author | mathieui <mathieui@mathieui.net> | 2014-12-11 22:28:44 +0100 |
---|---|---|
committer | mathieui <mathieui@mathieui.net> | 2014-12-11 22:28:44 +0100 |
commit | 00396c158aa032585db88cfd4b622281ba3cbd7f (patch) | |
tree | dfe9711c6ccc3b908c1de8a06bc5080139113bf4 /doc/source/misc | |
parent | 21d8a3e7e19dc639262ac7fa7d7817351ff8b4c1 (diff) | |
download | poezio-00396c158aa032585db88cfd4b622281ba3cbd7f.tar.gz poezio-00396c158aa032585db88cfd4b622281ba3cbd7f.tar.bz2 poezio-00396c158aa032585db88cfd4b622281ba3cbd7f.tar.xz poezio-00396c158aa032585db88cfd4b622281ba3cbd7f.zip |
Fix #2847 (SASL External support)
- Add two new options, keyfile and certfile, which must be both set for
the auth to work.
- if both are set, then poezio doesn’t force-prompt a password if there
is none specified
- add /cert_add, /cert_fetch, /cert_disable, /cert_revoke and /certs
commands.
- add a page of documentation on the process
Diffstat (limited to 'doc/source/misc')
-rw-r--r-- | doc/source/misc/client_certs.rst | 43 | ||||
-rw-r--r-- | doc/source/misc/index.rst | 1 |
2 files changed, 44 insertions, 0 deletions
diff --git a/doc/source/misc/client_certs.rst b/doc/source/misc/client_certs.rst new file mode 100644 index 00000000..df09ea3c --- /dev/null +++ b/doc/source/misc/client_certs.rst @@ -0,0 +1,43 @@ +Using client certificates to login +================================== + +Passwordless authentication is possible in XMPP through the use of mecanisms +such as `SASL External`_. This mechanism has to be supported by both the client +and the server. This page does not cover the server setup, but prosody has a +`mod_client_certs`_ module which can perform this kind of authentication, and +also helps you create a self-signed certificate. + +Poezio configuration +-------------------- + +If you created a certificate using the above link, you should have at least +two files, a ``.crt`` (public key in PEM format) and a ``.key`` (private key +in PEM format). + +You only have to store the files wherever you want and set :term:`keyfile` +with the path to the private key (``.key``), and :term:`certfile` with the +path to the public key (``.crt``). + +Authorizing your keys +--------------------- + +Now your poezio is setup to try to use client certificates at each connection. +However, you still need to inform your XMPP server that you want to allow +those keys to access your account. + +This is done through :term:`/cert_add`. Once you have added your certificate, +you can try to connect without a password by commenting the option. + +.. note:: The :term:`/cert_add` command and the others are only available if + your server supports them. + +Next +---- +Now that this is setup, you might want to use :term:`/certs` to list the +keys currently known by your XMPP server, :term:`/cert_revoke` or +:term:`/cert_disable` to remove them, and :term:`/cert_fetch` to retrieve +a public key. + + +.. _SASL External: http://xmpp.org/extensions/xep-0178.html +.. _mod_client_certs: https://code.google.com/p/prosody-modules/wiki/mod_client_certs diff --git a/doc/source/misc/index.rst b/doc/source/misc/index.rst index fe8f1100..2603298e 100644 --- a/doc/source/misc/index.rst +++ b/doc/source/misc/index.rst @@ -7,6 +7,7 @@ Contents: :maxdepth: 2 carbons + client_certs correct personal_events pyenv |