On Fri, Feb 16, 2018 at 4:45 PM, Julian Markwort < julian.markw...@uni-muenster.de> wrote:
> Dear Postgresql Hackers, > > as of now, pg_hba.conf allows us to enable authentification by > certificate through the auth-method "cert", in which case the user must > provide a valid certificate with a certificate common name(CN) matching > the database user's name or an entry in a pg_ident map. > > Additionaly, for every other auth-method it is possible to set the > auth-option "clientcert=1", so clients must present a valid certificate > at login. The logic behind this only checks the validity of the > certificate itself, but the certificate common name(CN) is not > relevant. > > I wrote a very small patch that adds another auth-option: > - clientcert=verify-full (analogous to server certificates; you could > also use 2 instead of verify-full for backwards compatibility, or > verify-ca instead of 1) > which also checks the certificate common name, > so all 3 factors get checked: > 1.) auth-method, e.g. scram or md5 password passes > 2.) client cert is in truststore > 3.) CN is correct. > > (The patch simply makes use of the function that is used for auth- > method "cert" to avoid code duplication). > I think this makes a lot of sense, and can definitely be a useful option. However, the patch is completely lacking documentation, which obviously make it a no-starter. Also if I read it right, if the CN is not correct, it will give the error message "certificate authentication failed for user ...". I realize this comes from the re-use of the code, but I don't think this makes it very useful. We need to separate these two things. -- Magnus Hagander Me: https://www.hagander.net/ <http://www.hagander.net/> Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
