Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full

On Fri, Feb 16, 2018 at 4:45 PM, Julian Markwort <
julian(dot)markwort(at)uni-muenster(dot)de> wrote:

> Dear Postgresql Hackers,
>
> as of now, pg_hba.conf allows us to enable authentification by
> certificate through the auth-method "cert", in which case the user must
> provide a valid certificate with a certificate common name(CN) matching
> the database user's name or an entry in a pg_ident map.
>
> Additionaly, for every other auth-method it is possible to set the
> auth-option "clientcert=1", so clients must present a valid certificate
> at login. The logic behind this only checks the validity of the
> certificate itself, but the certificate common name(CN) is not
> relevant.
>
> I wrote a very small patch that adds another auth-option:
> - clientcert=verify-full (analogous to server certificates; you could
> also use 2 instead of verify-full for backwards compatibility, or
> verify-ca instead of 1)
> which also checks the certificate common name,
> so all 3 factors get checked:
> 1.) auth-method, e.g. scram or md5 password passes
> 2.) client cert is in truststore
> 3.) CN is correct.
>
> (The patch simply makes use of the function that is used for auth-
> method "cert" to avoid code duplication).
>

I think this makes a lot of sense, and can definitely be a useful option.

However, the patch is completely lacking documentation, which obviously
make it a no-starter.

Also if I read it right, if the CN is not correct, it will give the error
message "certificate authentication failed for user ...". I realize this
comes from the re-use of the code, but I don't think this makes it very
useful. We need to separate these two things.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>