Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Martin Pitt <mpitt(at)debian(dot)org>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Date: 2009-04-10 17:34:59
Message-ID: 49DF8343.6070208@hagander.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs

Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> Tom Lane wrote:
>>> In my experience ssh itself isn't this strict. Why should libpq be?
>
>> ssh prompts the user when this happens. We don't have a mechanism for
>> prompting the user.
>
> In the first place, I have never seen such a prompt, despite the fact
> that I use ssh constantly to connect to machines that I know do not have
> properly signed certificates. If there is such a prompt, it isn't the
> default behavior. In the second place, unconditionally failing isn't a
> particularly nice emulation of a prompting behavior.

*really*? Here's what I get as an example (after removing the trust):

ha(at)mha-laptop:~/.ssh$ ssh cvs.postgresql.org
The authenticity of host 'cvs.postgresql.org (217.196.146.206)' can't be
established.
DSA key fingerprint is 54:27:10:f3:48:0a:f0:b6:c3:14:79:7e:49:c0:75:f3.
Are you sure you want to continue connecting (yes/no)? ^C

Are you saying you're not getting that? I've got that (or similar) on
every single platform I recall having used...

ssh doesn't use certificates, actually, it uses known host keys. The
difference being that with certificates you trust the root and thereby
everything under it. For ssh, afaik, you need to trust each host
individually.

> Perhaps a suitable compromise is to have the failure message include
> a hint about how to prevent the failure if you don't want it?

That would definitely work for me.

//Magnus

In response to

Responses

Browse pgsql-bugs by date

  From Date Subject
Next Message Tom Lane 2009-04-10 17:38:56 Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt
Previous Message Tom Lane 2009-04-10 17:31:31 Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt