The Debian SSO service is deprecated.

If you are a service admin please look into using Salsa for this purpose.

Debian SSO documentation

Debian has a Single Sign-On system for authenticating to web services, at https://sso.debian.org/, based on TLS client certificates. Once installed, those certificates can be inspected and managed in the browser's certificate settings (e.g. Firefox's certificate manager). Note that this wiki itself does not support SSO.

The certificates are separate from the OpenPGP key that Debian members are required to have. The SSO certificates are used for web authentication only, while the OpenPGP key is used to, for example, sign "advocate" statements for new members.

How to obtain a certificate to use Debian SSO:

If you ARE a Debian Developer

  1. Set your SSO password via https://db.debian.org/
  2. Wait a few minutes for propagation.
  3. Use the Debian icon on the left hand side at https://sso.debian.org/

Be careful: the login here is not your full @debian.org address, but only the part before the @.

If you ARE NOT (yet) a Debian Developer

No new accounts will be created. Please use Salsa.


Browser support

This collects the current status and tips for browsers/http client support for sso.debian.org and client certificates.

Please help keeping it up to date by adding your own experience, and tips.

firefox

Tested on Firefox 75.x (also successfully tested in Firefox 91.5.0esr, Debian buster, 2022/01/17).

With Firefox >= 69 only the manual process works, because support for <keygen> was dropped.

With Firefox 63 (TODO: check the exact affected release range), due to Apache, OpenSSL and Firefox updates, it is necessary to go to about:config and set security.tls.enable_post_handshake_auth to true. This setting lets the server request a client certificate after the TLS 1.3 handshake has completed (post-handshake authentication), which is what a server such as Apache does under TLS 1.3 when it asks for the certificate only for specific locations; Firefox ships with it disabled. It is unclear why this isn't enabled by default, but see the upstream bug report.

After generating a new certificate, either restart the browser or remove active logins (History → Clear Recent History... → "Active Logins" and click "Clear Now") and then try again. You may need to remove the association between the key and the site (see below in Troubleshooting).

On releases that still support <keygen>, automatic certificate generation works and certificate selection works; a Firefox restart is needed after certificate generation.

If you created a certificate using the manual process at https://sso.debian.org/debian/certs/enroll_csr/, make sure you imported the generated certificate into Firefox (about:preferences => Certificates => View Certificates => Import). The import expects a PKCS#12 file containing both the certificate and its private key.

Troubleshooting: if you are sure that your SSO browser certificate is installed and still valid, but the SSO-enabled Debian site does not trigger Firefox's "User Identification Request" dialog, you may have visited the same site before and told Firefox not to use the SSO certificate for it. Firefox remembers that decision; it also remembers expired certificates that you used in the past and may then not open the site at all. Clear the remembered decision (History → Clear Recent History... → "Active Logins") or restart the browser.

Any or all of the above steps may be needed.

chromium / chrome

Automatic certificate generation works on releases that still support <keygen>; certificate selection works.

If you want to access a site multiple times using a different certificate or no certificates, you can use an Incognito window.

Starting from Chromium version 49, websites need to be whitelisted in order to use the Key Generation feature: visit Debian SSO, then click on the HTTPS padlock and allow the feature for this website. <keygen> was removed entirely in Chromium 57, so on current releases only the manual process described below works.

Once generated, your client certificate will be downloaded but not automatically imported. Clicking on the downloaded file opens the Chromium certificate manager to import it.

Alternatively, generate a certificate manually (see "Creating certificates manually" below), then bundle key and certificate into a PKCS#12 file:

openssl pkcs12 -export -out name.p12 -inkey name.key -in name.crt

(The -nodes option sometimes seen here only applies when parsing a PKCS#12 file, not when exporting one.) Then import name.p12 from the certificate dialog at chrome://settings/certificates or from the command line with:

pk12util -i name.p12 -d sql:$HOME/.pki/nssdb

Note that OpenSSL 3.x encrypts PKCS#12 files with AES-256-CBC and PBKDF2 by default; if an older NSS or another importer rejects the file, re-create it with the -legacy option of openssl pkcs12, which falls back to the older (weaker) algorithms.

curl

curl can use locally generated certificates directly:

   curl --key $USER.key --cert $USER.crt https://sso.debian.org/ca/test/env

elinks

From version 0.13~20190125-1, you can use local certificates generated by enrolling manually.

Concatenate the certificate and key into a single file first (the result contains your private key, so keep it readable by you only, e.g. chmod 600):

     cat $USER.crt $USER.key > client_cert.pem

Then configure elinks to use client certificates (usually in ~/.elinks/elinks.conf):

    set connection.ssl.client_cert.enable = 1
    set connection.ssl.client_cert.file = "client_cert.pem"

links2

From version 2.10-2 (see 797066) you can use local certificates generated by enrolling manually

     links2 -http.client_cert_key $USER.key -http.client_cert_crt $USER.crt https://sso.debian.org/ca/test/env

From version 2.11.1-1 on, you can also configure local client certificates permanently via Setup → Network options → SSL options. From this version on, encrypted private keys are also supported.

lynx

From version 2.8.9dev6-4 (see 797901) you can use local certificates generated by enrolling manually:

wget

From version 1.17-1 (see 797057) you can use local certificates generated by enrolling manually.

   wget --certificate=$USER.crt --private-key=$USER.key https://sso.debian.org/ca/test/env

konqueror, rekonq

Client certificate support needs to be implemented.

xombrero

Cannot currently be used even for manual certificate generation because it lacks basic support for httponly cookies, see 797171.

Note that this browser is currently orphaned in Debian.

Tor Browser

As of Tor Browser 5.0.2, enrolling and using the certificate works as long as "Don't record browsing history or website data" is unchecked in the "Privacy and security settings". It has not yet been checked whether the certificate is preserved across browser restarts. Keep in mind that a client certificate is a persistent, unique identifier presented to the site, which works against Tor Browser's goal of making users indistinguishable; use it only where you accept that the site can link your sessions.

Netsurf

netsurf does not currently support client certificate authentication, but 797747 has a patch to make it load and use certificate files provided via environment variables.

Internet Explorer

Not supported.

Use with a Yubikey in PIV mode

First, install and configure the base system for use with your Yubikey, and make sure you have one that supports the PIV applet (a NEO or NEO-N should work). Once that is working, install the needed Yubikey and OpenSC software:

sudo apt install yubico-piv-tool opensc-pkcs11 opensc

Next, export your certificate in PKCS#12 format. In Iceweasel (Firefox) this is under Preferences, Advanced, Certificates, View Certificates: select your @debian.org certificate and click Backup. Protect the backup with a password; the file contains your private key, so delete it once it has been loaded onto the Yubikey.

Now let's configure your PIV card, starting with the PIN and PUK. If you have not done this before, the default PIN is 123456 and the default PUK is 12345678.

yubico-piv-tool -a change-pin -P 123456 -N ${PIN_HERE}
yubico-piv-tool -a change-puk -P 12345678 -N ${PUK_HERE}

Passing PINs on the command line leaves them in your shell history and briefly visible in process listings; prefer omitting -P/-N so that yubico-piv-tool prompts for them interactively. Also change the management key from its well-known default (action set-mgm-key), since it is what authorizes writing keys to the card.

Finally, load the key and certificate into slot 9a (PIV Authentication):

yubico-piv-tool -s 9a -i DebianSSOKey.p12 -K PKCS12 -a set-chuid -a import-key -a import-cert

Verify it is working under Preferences, Advanced, Certificates, Security Devices: there should be a device under OpenSC with a description of Yubikey NEO-N. If you don't see it, you may have to tell Firefox about the PKCS#11 module: click "Load" under the Security Devices menu and add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so (adjust the path for your architecture). The device should then appear, and the browser will prompt for the PIN when the certificate is used.

iOS Safari

Safari does not support generating client certificates, and as users don't have command-line access on iOS (unless jailbroken), you need another computer on which to generate a certificate manually.

After generating the certificate via the manual approach, pack it into PKCS#12 format. Note that iOS requires the PKCS#12 file to have a password, so do NOT leave the password empty:

openssl pkcs12 -export -out name.p12 -inkey name.key -in name.crt

On iOS, transfer the file to the device (for example by serving it from a temporary HTTP server such as python3 -m http.server on a network you trust; stop the server afterwards, since the file contains your private key), open it, then go to Settings -> General -> Profiles (called "VPN & Device Management" on newer iOS versions) and install the certificate from there.

Documentation for Users

If you have a Debian member's account (i.e. an LDAP account), you can log into sso.debian.org using your Debian Web Password; otherwise, you can log in using your Alioth account credentials. The SSO front page lets you choose the appropriate option.

Once you are logged in, you will see a list of the certificates you have already generated, and you can create new ones or revoke existing ones.

Getting a certificate

Check above if your browser is supported.

Go to the SSO main page, log in with the appropriate account (Debian or Alioth) and choose to create a new certificate; it will be saved in your browser. You can choose the certificate validity, and optionally add a comment to easily identify the certificate in the certificate list; everything else happens automatically.

For privacy, the comment is not stored in the certificates, so it can only be seen by sso.debian.org.

You can have as many certificates as you want, with arbitrary durations. Do not worry about certificate expiration, because getting a new certificate just requires two clicks. For example, if you are going on holidays, you are leaving your computer at home and you have some trust in your tablet, you can enroll your tablet with a certificate that expires at the end of your holidays, and revoke it from the certificate list earlier if the device is lost. Feel free to experiment.

You can also create a new certificate manually.

Using certificates

You can use the test page (https://sso.debian.org/ca/test/env) to try your certificates. The browser will ask for confirmation before using a certificate, and if you have more than one it will ask you to choose which one to use.

Creating certificates manually

You can also enroll manually on the SSO site (link "getting a certificate manually" at the bottom of the certificate generation page) and obtain a key and certificate as local files that you can then use with curl, links or any other HTTPS client that supports client certificates. Once you have logged into the site, choose the "Get new certificate" option and then "getting a certificate manually", which walks you through generating a key and the signed challenge the site needs to authenticate you.

Some browsers need a PKCS#12 file to import the locally generated certificate and key; give it a password, since the file contains your private key:

openssl pkcs12 -export -out certificate.pfx -inkey your_private_key.key -in certificate_you_downloaded_from_sso.crt
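The manual enrollment flow end to end, as an added example script that is not part of this page or of the sso.debian.org code. It generates the private key and CSR on the client, stands in for the SSO CA with a throwaway local CA (constructed for the example; in the real flow the SSO site signs your CSR), issues a 30-day certificate restricted to TLS client authentication, runs the checks worth doing before importing anything (key matches certificate, chain verifies for the sslclient purpose, not about to expire), and finally bundles key and certificate into the password-protected PKCS#12 file that Chromium, Firefox and iOS import. The user name jdoe, the file names and the working directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the page or the SSO project): the manual enrollment
# flow run end to end offline.  "sso-local-ca" is a constructed stand-in for
# the sso.debian.org CA; in the real flow you upload the CSR and the SSO site
# signs it.  USER_CN (jdoe) and the file names are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}
USER_CN=${USER_CN:-jdoe}

# 1. Client side: private key and CSR.  The key never leaves this machine;
#    only the CSR is sent to the enrollment page.
make_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$USER_CN.key" 2>/dev/null
    chmod 600 "$WORK/$USER_CN.key"
    openssl req -new -key "$WORK/$USER_CN.key" -subj "/CN=$USER_CN" \
        -out "$WORK/$USER_CN.csr" 2>/dev/null
}

# 2. Stand-in for the SSO CA: a throwaway root that issues a short-lived
#    certificate usable only for TLS client authentication.
sign_csr() {
    days=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/ca.key" 2>/dev/null
    openssl req -new -key "$WORK/ca.key" -subj "/CN=sso-local-ca (stand-in)" \
        -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' \
        > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/$USER_CN.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days "$days" \
        -extfile "$WORK/client.ext" -out "$WORK/$USER_CN.crt" 2>/dev/null
}

# 3. Checks before importing: key/cert match, chain and purpose, expiry.
key_matches_cert() {
    [ "$(openssl pkey -in "$WORK/$USER_CN.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/$USER_CN.crt" -pubkey -noout)" ]
}
cert_chains_to_ca() {
    openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" \
        "$WORK/$USER_CN.crt" >/dev/null 2>&1
}
cert_valid_for_seconds() {   # succeeds if the cert does not expire within $1 s
    openssl x509 -in "$WORK/$USER_CN.crt" -noout -checkend "$1" >/dev/null
}

# 4. PKCS#12 bundle for browsers and iOS.  A non-empty password is required
#    by iOS and sensible everywhere: this one file is the login credential.
bundle_p12() {
    openssl pkcs12 -export -out "$WORK/$USER_CN.p12" \
        -inkey "$WORK/$USER_CN.key" -in "$WORK/$USER_CN.crt" -passout "pass:$1"
    chmod 600 "$WORK/$USER_CN.p12"
}
p12_has_cert() {             # succeeds only with the right password
    openssl pkcs12 -in "$WORK/$USER_CN.p12" -passin "pass:$1" -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -subject 2>/dev/null \
        | grep -q "CN *= *$USER_CN"
}

if [ "${SSO_EXAMPLE_RUN:-1}" = 1 ]; then
    make_csr && sign_csr 30
    key_matches_cert && cert_chains_to_ca && cert_valid_for_seconds 86400
    bundle_p12 'use-a-real-passphrase'
    echo "enrollment artifacts in $WORK (keep $USER_CN.key and $USER_CN.p12 private)"
fi
```

The resulting .key/.crt pair is what curl, wget, links2 and elinks consume directly, and the .p12 is what you hand to pk12util, the Firefox certificate manager or an iOS device. Against the real service you would skip sign_csr and instead paste the CSR into the enrollment page, then run the same checks with the CA certificate published by sso.debian.org.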

SSO-enabled sites

This is a (possibly incomplete) list of sites that only work with sso.debian.org certificates:

Sustainability

Information for the long run.

This chapter is work in progress a.k.a. not yet reviewed by those who can really tell.

Providing feedback

Use debian bugtracking system and pseudo package sso.debian.org.

People behind this service

Contact us through ....