From: | Gleb Kouzmenko <gk(at)abra(dot)ru> |
---|---|
To: | pgsql-patches(at)postgresql(dot)org |
Subject: | SSL cert client authentication |
Date: | 2006-11-17 08:58:56 |
Message-ID: | 455D79D0.5070404@abra.ru |
Lists: | pgsql-patches |
I propose to authenticate the client via verification of its SSL certificate.

IDEA.
Recent versions of the PostgreSQL database server can verify the client's SSL
certificate (via the server's root.crt now).
The server gets the 'subject' line of the verified client certificate
(in src/backend/libpq/be-secure.c:open_server_SSL),
stores it in port->peer_dn, and never uses it after that.
We can treat this verification as some kind of IDENT authentication method.
The idea is to use the client's 'subject' as the ident-username key during the
ident map lookup.
EXAMPLE.
pg_hba.conf:
hostssl all koug 0/0 ident sslcert
hostssl all dba 0/0 ident sslcert
pg_ident.conf:
sslcert "/C=RU/ST=Tmutarakan/O=Kremlin/CN=Gleb Kouzmenko/emailAddress=undisclosed(at)domain(dot)org" koug
sslcert "/C=RU/ST=Tmutarakan/O=Kremlin/CN=Gleb Kouzmenko/emailAddress=undisclosed(at)domain(dot)org" dba
A client that has a valid certificate with this 'subject' line can make a
secure connection to the database server as koug or dba, without having an
IDENT server on his computer.
DRAWBACK.
It becomes impossible to use an SSL connection and IDENT via the TCP/IP
protocol at the same time.
I think it's a positive consequence of the proposed method.
It's rather strange to rely on insecure IDENT via TCP/IP for
authentication of a secured connection.

SOLUTION.
Only one function, src/backend/libpq/hba.c:authident, should be modified.
The attached patch has been made for 8.2beta3.
The same modification of authident has been tested against 8.1.5 too.

Gleb Kouzmenko
Attachment | Content-Type | Size |
---|---|---|
postgresql-sslauth.8.2beta3.patch | text/x-patch | 1.5 KB |
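The lookup the proposal hinges on, as an added example that is not part of the attached patch or of PostgreSQL's own hba.c: a small C routine that reads pg_ident.conf-style lines (map name, ident-username, PostgreSQL role) and answers whether a given map allows the verified certificate subject to connect as a given role. The configuration text and the subject DNs are constructed for this example, with the emailAddress component left out to keep lines short; PostgreSQL's real config parser is not reproduced, only the exact-match map lookup the idea relies on.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed pg_ident.conf content (example data, not from the patch):
 * map-name  ident-username  pg-username, one mapping per line.
 * The ident-username is the certificate subject DN; it contains a space,
 * so it must be double-quoted. */
static const char *ident_conf =
    "# map-name  ident-username                                   pg-username\n"
    "sslcert   \"/C=RU/ST=Tmutarakan/O=Kremlin/CN=Gleb Kouzmenko\"  koug\n"
    "sslcert   \"/C=RU/ST=Tmutarakan/O=Kremlin/CN=Gleb Kouzmenko\"  dba\n"
    "sslcert   \"/C=RU/ST=Tmutarakan/O=Kremlin/CN=Other User\"      other\n";

/* Read one whitespace-separated token from *p into out (at most outsz-1
 * chars). A token may be double-quoted so that it can contain spaces.
 * Returns false at end of line, end of buffer, or at a '#' comment. */
static bool next_token(const char **p, char *out, size_t outsz)
{
    const char *s = *p;
    size_t n = 0;

    while (*s == ' ' || *s == '\t')
        s++;
    if (*s == '\0' || *s == '\n' || *s == '#')
        return false;

    if (*s == '"') {
        s++;                                   /* skip opening quote */
        while (*s && *s != '"' && *s != '\n') {
            if (n + 1 < outsz)
                out[n++] = *s;
            s++;
        }
        if (*s == '"')
            s++;                               /* skip closing quote */
    } else {
        while (*s && *s != ' ' && *s != '\t' && *s != '\n') {
            if (n + 1 < outsz)
                out[n++] = *s;
            s++;
        }
    }
    out[n] = '\0';
    *p = s;
    return true;
}

/* Does map `usermap` in `conf` contain a line mapping ident-username
 * `ident_user` (here: the subject DN of a certificate the server already
 * verified against root.crt) to PostgreSQL role `pg_user`?
 * The comparison is exact and case-sensitive on all three fields, so a DN
 * that merely contains another user's DN as a substring does not match. */
bool check_ident_usermap(const char *conf, const char *usermap,
                         const char *ident_user, const char *pg_user)
{
    const char *line = conf;

    while (*line) {
        const char *p = line;
        char map[64], ident[256], role[64];
        const char *nl;

        if (next_token(&p, map, sizeof map) &&
            next_token(&p, ident, sizeof ident) &&
            next_token(&p, role, sizeof role) &&
            strcmp(map, usermap) == 0 &&
            strcmp(ident, ident_user) == 0 &&
            strcmp(role, pg_user) == 0)
            return true;

        nl = strchr(line, '\n');               /* advance to next line */
        if (!nl)
            break;
        line = nl + 1;
    }
    return false;
}

int main(void)
{
    const char *dn = "/C=RU/ST=Tmutarakan/O=Kremlin/CN=Gleb Kouzmenko";
    const char *roles[] = { "koug", "dba", "postgres" };

    for (size_t i = 0; i < sizeof roles / sizeof roles[0]; i++)
        printf("%s as %s: %s\n", dn, roles[i],
               check_ident_usermap(ident_conf, "sslcert", dn, roles[i])
                   ? "allowed" : "denied");
    return 0;
}
```

The important property is visible in the two negative cases: the same DN is refused for a role the map does not list, and a different DN is refused for koug even though it shares the same C/ST/O prefix. Everything the check trusts comes from the certificate the server has already chained to root.crt, so the map's only job is an exact match; a loose (substring or prefix) comparison here would let one verified certificate holder assume another mapped role.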