Re: Client certificate authentication

On Thu, Nov 13, 2008 at 05:31, Magnus Hagander <magnus@hagander.net> wrote:
> Attached patch implements client certificate authentication.
>
> I kept this sitting in my tree without sending it in before the
> commitfest because it is entirely dependent on the
> not-yet-reviewed-and-applied patch for how to configure client
> certificate requesting. But now that I learned how to do it right in
> git, breaking it out was very easy :-) Good learning experience.
>
> Anyway. Here it is. Builds on top of the "clientcert option for pg_hba"
> patch already on the list.

Patch looks good to me and works as described.

Would cncert be a better auth_method name? As later we might have
different types of ssl client cert authentication??

My only concern is there is no way to specify the USER_CERT_FILE for
libpq.  So if for example I have two users that I want to use cert
authentication for I really have to have to users on the system (or i
guess maybe you could fake HOME=... psql -U other_user).   Or am I
missing a way around this? (granted this might be a non-issue for now
as you can use trust clientcert=1 in pg_hba.conf with your other
patch?)