From: | "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org> |
---|---|
To: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | allowing "map" for password auth methods with clientcert=verify-full |
Date: | 2021-10-26 18:59:19 |
Message-ID: | 671f76c1-3f66-56ec-5d9b-a9c5f359fa84@postgresql.org |
Lists: | pgsql-hackers |
Hi,
Since PostgreSQL 12 (0516c61b756e39) we have allowed for the ability to
set "clientcert=verify-full" against various HBA authentication methods.
This provides the ability to provide "multi-factor authentication" e.g.
a client must provide both a valid certificate with a CN (or DN) that
matches the user account, as well as a separate authentication challenge
(e.g. a password).
With certificate-based authentication methods and other methods, we
allow for users to specify a mapping in pg_ident, e.g. if one needs to
perform a rewrite on the CN to match the username that is specified
within PostgreSQL.
It seems logical that we should allow for something like:
hostssl all all all scram-sha-256 clientcert=verify-full map=map
so we can accept certificates that may have CNs that can be mapped to a
PostgreSQL user name.
Currently we can't do this, as one will get the error:
> authentication option "map" is only valid for authentication methods
> ident, peer, gssapi, sspi, and cert
I propose the below patch to add the currently supported password
methods, scram-sha-256 + md5 to allow for the "map" parameter to be
used. I hesitate to add md5 given we're trying to phase it out, so open
to debate there.
With my testing, this does work when you specify clientcert=verify-full:
PostgreSQL will correctly map the certificate. If you do not have
clientcert=verify-full, the mapping appears to do nothing.
If this seems acceptable/valid, I'll add the appropriate documentation
and whatever else may be required.
Thanks,
Jonathan
Attachment | Content-Type | Size |
---|---|---|
password-map.patch | text/plain | 777 bytes |
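As an added illustration, not part of this mail or of the attached patch, the following Python models the lookup a `map=` option on a `clientcert=verify-full` line would delegate to: the CN taken from the client certificate is run through the named pg_ident.conf map, and only if some line of that map rewrites it to exactly the requested role name does the certificate half of the authentication pass. Without a map the CN must equal the role name verbatim, which is what `verify-full` does today for the password methods. The pg_ident.conf content, the map name `certmap`, the example.com CNs and the function names are all constructed for this example; Python's `re` module is an assumption standing in for PostgreSQL's own regex engine, and the only pg_ident features modelled are the ones the manual documents (a leading `/` for a regex system-username and `\1` for its first capture group).

```python
import re

# Constructed pg_ident.conf content for this example (not the patch's test data).
# Fields are: MAPNAME  SYSTEM-USERNAME  PG-USERNAME.  A SYSTEM-USERNAME that
# starts with "/" is a regular expression, and "\1" in PG-USERNAME is replaced
# by the regex's first capture group, as described in the PostgreSQL manual.
PG_IDENT_CONF = r"""
# MAPNAME   SYSTEM-USERNAME               PG-USERNAME
certmap     /^(.*)@example\.com$          \1
certmap     /^svc-(.*)\.example\.com$     svc_\1
certmap     alice-laptop                  alice
"""


def parse_pg_ident(text):
    """Parse pg_ident.conf text into (mapname, system_username, pg_username) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("malformed pg_ident line: %r" % raw)
        entries.append(tuple(fields))
    return entries


def _line_allows(system_username, pg_username, cert_cn, db_user):
    """Does one pg_ident line map the certificate CN onto the requested role?"""
    if system_username.startswith("/"):
        # Regex form.  Python's re stands in for PostgreSQL's regex engine here
        # (assumption); the pattern is used unanchored unless it carries ^ and $.
        match = re.search(system_username[1:], cert_cn)
        if match is None:
            return False
        if "\\1" in pg_username:
            if not match.groups():
                raise ValueError("pg_ident line uses \\1 but the regex has no capture group")
            # Only the first "\1" is substituted.
            mapped_role = pg_username.replace("\\1", match.group(1), 1)
        else:
            mapped_role = pg_username
        return mapped_role == db_user
    # Plain form: both fields must match exactly (case-sensitive).
    return system_username == cert_cn and pg_username == db_user


def cn_authorizes_role(cert_cn, db_user, mapname=None, ident_text=PG_IDENT_CONF):
    """Model of the clientcert=verify-full check on the certificate CN.

    With no map (what password methods get today) the CN must equal the role
    name exactly.  With a map (what a map= option on the scram-sha-256 line
    would enable) any line of that map may rewrite the CN onto the role.
    The separate password challenge is not modelled; this is only the
    certificate half of the two factors.
    """
    if not mapname:
        return cert_cn == db_user
    for name, system_username, pg_username in parse_pg_ident(ident_text):
        if name == mapname and _line_allows(system_username, pg_username, cert_cn, db_user):
            return True
    return False


if __name__ == "__main__":
    # hostssl all all all scram-sha-256 clientcert=verify-full
    print(cn_authorizes_role("alice@example.com", "alice"))                       # False
    # hostssl all all all scram-sha-256 clientcert=verify-full map=certmap
    print(cn_authorizes_role("alice@example.com", "alice", "certmap"))            # True
    print(cn_authorizes_role("svc-backup.example.com", "svc_backup", "certmap"))  # True
    print(cn_authorizes_role("alice@example.com", "bob", "certmap"))              # False
    print(cn_authorizes_role("mallory@evil.example.com", "mallory", "certmap"))   # False
```

The last case is the one to check when writing such a map: because the regex is anchored with `^` and `$` and escapes the dot, a CN issued under a different domain does not rewrite to a bare role name. A map line without those anchors would let a CA that signs `*@example.com.attacker.test` satisfy the certificate factor for any role the map can produce.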