| From: | Julian Markwort <julian(dot)markwort(at)uni-muenster(dot)de> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Cc: | arne(dot)scheffer(at)uni-muenster(dot)de |
| Subject: | [PATCH] pg_hba.conf : new auth option : clientcert=verify-full |
| Date: | 2018-02-16 15:45:28 |
| Message-ID: | 1518795928.3365.24.camel@uni-muenster.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Dear Postgresql Hackers,
as of now, pg_hba.conf allows us to enable authentification by
certificate through the auth-method "cert", in which case the user must
provide a valid certificate with a certificate common name(CN) matching
the database user's name or an entry in a pg_ident map.
Additionaly, for every other auth-method it is possible to set the
auth-option "clientcert=1", so clients must present a valid certificate
at login. The logic behind this only checks the validity of the
certificate itself, but the certificate common name(CN) is not
relevant.
I wrote a very small patch that adds another auth-option:
- clientcert=verify-full (analogous to server certificates; you could
also use 2 instead of verify-full for backwards compatibility, or
verify-ca instead of 1)
which also checks the certificate common name,
so all 3 factors get checked:
1.) auth-method, e.g. scram or md5 password passes
2.) client cert is in truststore
3.) CN is correct.
(The patch simply makes use of the function that is used for auth-
method "cert" to avoid code duplication).
Have a nice weekend,
Julian Markwort
| Attachment | Content-Type | Size |
|---|---|---|
| clientcert_verify-full_v01.patch | text/x-patch | 1.9 KB |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Petr Jelinek | 2018-02-16 16:04:33 | Re: After an error - pg_replication_slot is dropped |
| Previous Message | Peter Eisentraut | 2018-02-16 15:39:40 | Re: spelling of enable_partition_wise_join |