On Fri, Feb 16, 2018 at 4:45 PM, Julian Markwort <
julian.markw...@uni-muenster.de> wrote:

> Dear Postgresql Hackers,
> as of now, pg_hba.conf allows us to enable authentification by
> certificate through the auth-method "cert", in which case the user must
> provide a valid certificate with a certificate common name(CN) matching
> the database user's name or an entry in a pg_ident map.
> Additionaly, for every other auth-method it is possible to set the
> auth-option "clientcert=1", so clients must present a valid certificate
> at login. The logic behind this only checks the validity of the
> certificate itself, but the certificate common name(CN) is not
> relevant.
> I wrote a very small patch that adds another auth-option:
> - clientcert=verify-full (analogous to server certificates; you could
> also use 2 instead of verify-full for backwards compatibility, or
> verify-ca instead of 1)
> which also checks the certificate common name,
> so all 3 factors get checked:
> 1.) auth-method, e.g. scram or md5 password passes
> 2.) client cert is in truststore
> 3.) CN is correct.
> (The patch simply makes use of the function that is used for auth-
> method "cert" to avoid code duplication).

I think this makes a lot of sense, and can definitely be a useful option.

However, the patch is completely lacking documentation, which obviously
make it a no-starter.

Also if I read it right, if the CN is not correct, it will give the error
message "certificate authentication failed for user ...". I realize this
comes from the re-use of the code, but I don't think this makes it very
useful. We  need to separate these two things.

 Magnus Hagander
 Me: https://www.hagander.net/ <http://www.hagander.net/>
 Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>

Reply via email to