Client certificate authentication

Started by Magnus Hagander, over 17 years ago, 8 messages, hackers
#1 Magnus Hagander
magnus@hagander.net

Attached patch implements client certificate authentication.

I kept this sitting in my tree without sending it in before the
commitfest because it is entirely dependent on the
not-yet-reviewed-and-applied patch for how to configure client
certificate requesting. But now that I learned how to do it right in
git, breaking it out was very easy :-) Good learning experience.

Anyway. Here it is. Builds on top of the "clientcert option for pg_hba"
patch already on the list.

//Magnus

Attachments:

auth_cert.diff (text/x-diff; name=auth_cert.diff) +124 -18

#2 Alex Hunsaker
badalex@gmail.com
In reply to: Magnus Hagander (#1)
Re: Client certificate authentication

On Thu, Nov 13, 2008 at 05:31, Magnus Hagander <magnus@hagander.net> wrote:

> Attached patch implements client certificate authentication.
>
> I kept this sitting in my tree without sending it in before the
> commitfest because it is entirely dependent on the
> not-yet-reviewed-and-applied patch for how to configure client
> certificate requesting. But now that I learned how to do it right in
> git, breaking it out was very easy :-) Good learning experience.
>
> Anyway. Here it is. Builds on top of the "clientcert option for pg_hba"
> patch already on the list.

Patch looks good to me and works as described.

Would cncert be a better auth_method name? As later we might have
different types of ssl client cert authentication??

My only concern is there is no way to specify the USER_CERT_FILE for
libpq. So if for example I have two users that I want to use cert
authentication for I really have to have two users on the system (or I
guess maybe you could fake HOME=... psql -U other_user). Or am I
missing a way around this? (granted this might be a non-issue for now
as you can use trust clientcert=1 in pg_hba.conf with your other
patch?)

#3 Magnus Hagander
magnus@hagander.net
In reply to: Alex Hunsaker (#2)
Re: Client certificate authentication

On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex@gmail.com> wrote:

> On Thu, Nov 13, 2008 at 05:31, Magnus Hagander <magnus@hagander.net> wrote:
>
> > Attached patch implements client certificate authentication.
> >
> > I kept this sitting in my tree without sending it in before the
> > commitfest because it is entirely dependent on the
> > not-yet-reviewed-and-applied patch for how to configure client
> > certificate requesting. But now that I learned how to do it right in
> > git, breaking it out was very easy :-) Good learning experience.
> >
> > Anyway. Here it is. Builds on top of the "clientcert option for pg_hba"
> > patch already on the list.
>
> Patch looks good to me and works as described.
>
> Would cncert be a better auth_method name? As later we might have
> different types of ssl client cert authentication??

If/when I'd rather still call it cert, and use an authentication
option to control which field is matched against.

> My only concern is there is no way to specify the USER_CERT_FILE for
> libpq. So if for example I have two users that I want to use cert
> authentication for I really have to have two users on the system (or I
> guess maybe you could fake HOME=... psql -U other_user). Or am I

While not directly related to this patch, that is a very good point.
We have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.

> missing a way around this? (granted this might be a non-issue for now
> as you can use trust clientcert=1 in pg_hba.conf with your other
> patch?)

Yes, you can use that but the use case is extremely limited. It only
works if these are the *only* two users with certificates...

-Magnus
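
The limitation discussed in this message, as an added pg_hba.conf sketch that is not part of the original thread or of the patch. The address range and layout are constructed; `trust clientcert=1` is the form quoted above and `cert` is the method name the thread settles on. Matching on the certificate's CN is assumed from the proposed name `cncert`.

```conf
# pg_hba.conf sketch (constructed; 192.0.2.0/24 is a documentation range).
# The two rules are alternatives, not meant to be active together:
# the first line that matches a connection is the one that applies.
#
# TYPE   DATABASE  USER  ADDRESS       METHOD

# Weak: the TLS layer demands a certificate signed by the trusted CA, but
# "trust" then accepts whatever user name the client asks for. Any holder
# of any valid certificate can connect as any role, so this only holds up
# while the set of certificate holders is exactly the set of people
# allowed to be every user the rule covers.
hostssl  all       all   192.0.2.0/24  trust clientcert=1

# Bound: the certificate itself is the credential. The server compares the
# identity in the certificate (assumed here: the subject CN) with the
# requested user name and rejects a mismatch, so a certificate issued to
# "alice" cannot be used to log in as "bob".
hostssl  all       all   192.0.2.0/24  cert
```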

#4 Alvaro Herrera
alvherre@2ndquadrant.com
In reply to: Magnus Hagander (#3)
Re: Client certificate authentication

Magnus Hagander escribió:

> On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex@gmail.com> wrote:
>
> > My only concern is there is no way to specify the USER_CERT_FILE for
> > libpq. So if for example I have two users that I want to use cert
> > authentication for I really have to have two users on the system (or I
> > guess maybe you could fake HOME=... psql -U other_user). Or am I
>
> While not directly related to this patch, that is a very good point. We
> have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.

FWIW I think this was part of the patch submitted by Mark Woodward; see
http://wiki.postgresql.org/wiki/CommitFest_2008-07, and
http://archives.postgresql.org/message-id/20080801203157.GL4321@alvh.no-ip.org

--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

#5 Magnus Hagander
magnus@hagander.net
In reply to: Alvaro Herrera (#4)
Re: Client certificate authentication

Alvaro Herrera wrote:

> Magnus Hagander escribió:
>
> > On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex@gmail.com> wrote:
> >
> > > My only concern is there is no way to specify the USER_CERT_FILE for
> > > libpq. So if for example I have two users that I want to use cert
> > > authentication for I really have to have two users on the system (or I
> > > guess maybe you could fake HOME=... psql -U other_user). Or am I
> >
> > While not directly related to this patch, that is a very good point. We
> > have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.
>
> FWIW I think this was part of the patch submitted by Mark Woodward; see
> http://wiki.postgresql.org/wiki/CommitFest_2008-07, and
> http://archives.postgresql.org/message-id/20080801203157.GL4321@alvh.no-ip.org

Seems like it. I totally missed that one.

As for the patch itself - do we really want to #ifdef all parameters
out? There's no harm in accepting them for non-ssl connections (and
ignoring them), and that might make life easier on third party stuff
that fills in all parameters with their default values if they're not
specified. Like we support sslmode even if we're compiled without SSL.

And yes, sslkey and PGSSLKEY should be made the same thing, I think.

//Magnus

#6 Alex Hunsaker
badalex@gmail.com
In reply to: Magnus Hagander (#3)
Re: Client certificate authentication

On Mon, Nov 17, 2008 at 01:01, Magnus Hagander <magnus@hagander.net> wrote:

> On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex@gmail.com> wrote:
>
> > Would cncert be a better auth_method name? As later we might have
> > different types of ssl client cert authentication??
>
> If/when I'd rather still call it cert, and use an authentication option to
> control which field is matched against.

Makes sense to me.

FYI I marked this as ready for committer...

#7 Alex Hunsaker
badalex@gmail.com
In reply to: Alvaro Herrera (#4)
Re: Client certificate authentication

On Mon, Nov 17, 2008 at 05:31, Alvaro Herrera
<alvherre@commandprompt.com> wrote:

> Magnus Hagander escribió:
>
> > On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex@gmail.com> wrote:
> >
> > > My only concern is there is no way to specify the USER_CERT_FILE for
> > > libpq. So if for example I have two users that I want to use cert
> > > authentication for I really have to have two users on the system (or I
> > > guess maybe you could fake HOME=... psql -U other_user). Or am I
> >
> > While not directly related to this patch, that is a very good point. We
> > have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.
>
> FWIW I think this was part of the patch submitted by Mark Woodward; see
> http://wiki.postgresql.org/wiki/CommitFest_2008-07, and
> http://archives.postgresql.org/message-id/20080801203157.GL4321@alvh.no-ip.org

Cool! I missed this one as well, too bad it does not look like it ever
got resubmitted for this feast :(

> --
> Alvaro Herrera http://www.CommandPrompt.com/
> The PostgreSQL Company - Command Prompt, Inc.

#8 Magnus Hagander
magnus@hagander.net
In reply to: Alex Hunsaker (#7)
Re: Client certificate authentication

Alex Hunsaker wrote:

> On Mon, Nov 17, 2008 at 05:31, Alvaro Herrera
> <alvherre@commandprompt.com> wrote:
>
> > Magnus Hagander escribió:
> >
> > > On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex@gmail.com> wrote:
> > >
> > > > My only concern is there is no way to specify the USER_CERT_FILE for
> > > > libpq. So if for example I have two users that I want to use cert
> > > > authentication for I really have to have two users on the system (or I
> > > > guess maybe you could fake HOME=... psql -U other_user). Or am I
> > >
> > > While not directly related to this patch, that is a very good point. We
> > > have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.
> >
> > FWIW I think this was part of the patch submitted by Mark Woodward; see
> > http://wiki.postgresql.org/wiki/CommitFest_2008-07, and
> > http://archives.postgresql.org/message-id/20080801203157.GL4321@alvh.no-ip.org
>
> Cool! I missed this one as well, too bad it does not look like it ever
> got resubmitted for this feast :(

Actually, isn't that second mail the resubmission? That just didn't go
up on the commitfest page properly?

//Magnus