Re: Client certificate authentication

On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex(at)gmail(dot)com> wrote:

> On Thu, Nov 13, 2008 at 05:31, Magnus Hagander <magnus(at)hagander(dot)net>
> wrote:
>> Attached patch implements client certificate authentication.
>>
>> I kept this sitting in my tree without sending it in before the
>> commitfest because it is entirely dependent on the
>> not-yet-reviewed-and-applied patch for how to configure client
>> certificate requesting. But now that I learned how to do it right in
>> git, breaking it out was very easy :-) Good learning experience.
>>
>> Anyway. Here it is. Builds on top of the "clientcert option for
>> pg_hba"
>> patch already on the list.
>
> Patch looks good to me and works as described.
>
> Would cncert be a better auth_method name? As later we might have
> different types of ssl client cert authentication??

If/when I'd rather still call it cert, and use an authentication
option to control which field is matched against.

> My only concern is there is no way to specify the USER_CERT_FILE for
> libpq. So if for example I have two users that I want to use cert
> authentication for I really have to have to users on the system (or i
> guess maybe you could fake HOME=... psql -U other_user). Or am I

While not directly related to this patch, that is a very good point.
We have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.

>
> missing a way around this? (granted this might be a non-issue for now
> as you can use trust clientcert=1 in pg_hba.conf with your other
> patch?)

Yes, you can use that but the usecase is extremely limited. It only
works if these are the *only* two users with certificates...

-Magnus

Magnus Hagander escribió:
> On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex(at)gmail(dot)com> wrote:

>> My only concern is there is no way to specify the USER_CERT_FILE for
>> libpq. So if for example I have two users that I want to use cert
>> authentication for I really have to have to users on the system (or i
>> guess maybe you could fake HOME=... psql -U other_user). Or am I
>
> While not directly related to this patch, that is a very good point. We
> have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.

FWIW I think this was part of the patch submitted by Mark Woodward; see
http://wiki.postgresql.org/wiki/CommitFest_2008-07, and
http://archives.postgresql.org/message-id/20080801203157.GL4321@alvh.no-ip.org

--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

Alvaro Herrera wrote:
> Magnus Hagander escribió:
>> On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex(at)gmail(dot)com> wrote:
>
>>> My only concern is there is no way to specify the USER_CERT_FILE for
>>> libpq. So if for example I have two users that I want to use cert
>>> authentication for I really have to have to users on the system (or i
>>> guess maybe you could fake HOME=... psql -U other_user). Or am I
>> While not directly related to this patch, that is a very good point. We
>> have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.
>
> FWIW I think this was part of the patch submitted by Mark Woodward; see
> http://wiki.postgresql.org/wiki/CommitFest_2008-07, and
> http://archives.postgresql.org/message-id/20080801203157.GL4321@alvh.no-ip.org

Seems like it. I totally missed that one.

As for the patch itself - do we really want to #ifdef all parameters
out? There's no harm in accepting them for non-ssl connections (and
ignoring them), and that might make life easier on third party stuff
that fills in all parameters with their default values if they're not
specified. Like we support sslmode even if we're compiled without SSL.

And yes, sslkey and PGSSLKEY should be made the same thing, I think.

//Magnus

On Mon, Nov 17, 2008 at 01:01, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex(at)gmail(dot)com> wrote:
>> Would cncert be a better auth_method name? As later we might have
>> different types of ssl client cert authentication??
>
> If/when I'd rather still call it cert, and use an authentication option to
> control which field is matched against.

Makes sense to me.

FYI I marked this as ready for commiter...

On Mon, Nov 17, 2008 at 05:31, Alvaro Herrera
<alvherre(at)commandprompt(dot)com> wrote:
> Magnus Hagander escribió:
>> On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex(at)gmail(dot)com> wrote:
>
>>> My only concern is there is no way to specify the USER_CERT_FILE for
>>> libpq. So if for example I have two users that I want to use cert
>>> authentication for I really have to have to users on the system (or i
>>> guess maybe you could fake HOME=... psql -U other_user). Or am I
>>
>> While not directly related to this patch, that is a very good point. We
>> have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.
>
> FWIW I think this was part of the patch submitted by Mark Woodward; see
> http://wiki.postgresql.org/wiki/CommitFest_2008-07, and
> http://archives.postgresql.org/message-id/20080801203157.GL4321@alvh.no-ip.org

Cool! I missed this one as well, too bad it does not look like it ever
got resubmitted for this feast :(

> --
> Alvaro Herrera http://www.CommandPrompt.com/
> The PostgreSQL Company - Command Prompt, Inc.
>

Alex Hunsaker wrote:
> On Mon, Nov 17, 2008 at 05:31, Alvaro Herrera
> <alvherre(at)commandprompt(dot)com> wrote:
>> Magnus Hagander escribió:
>>> On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex(at)gmail(dot)com> wrote:
>>>> My only concern is there is no way to specify the USER_CERT_FILE for
>>>> libpq. So if for example I have two users that I want to use cert
>>>> authentication for I really have to have to users on the system (or i
>>>> guess maybe you could fake HOME=... psql -U other_user). Or am I
>>> While not directly related to this patch, that is a very good point. We
>>> have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.
>> FWIW I think this was part of the patch submitted by Mark Woodward; see
>> http://wiki.postgresql.org/wiki/CommitFest_2008-07, and
>> http://archives.postgresql.org/message-id/20080801203157.GL4321@alvh.no-ip.org
>
> Cool! I missed this one as well, too bad it does not look like it ever
> got resubmitted for this feast :(

Actually, isn't that second mail the resubmission? That just didn't go
up on the commitfest page properly?

//Magnus