Re: Client certificate authentication
From | Magnus Hagander |
---|---|
Subject | Re: Client certificate authentication |
Date | |
Msg-id | FE56887E-B4A6-4328-AB32-1AA9C65FD221@hagander.net |
In response to | Client certificate authentication (Magnus Hagander <magnus@hagander.net>) |
Responses |
Re: Client certificate authentication
Re: Client certificate authentication |
List | pgsql-hackers |
On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex@gmail.com> wrote:

> On Thu, Nov 13, 2008 at 05:31, Magnus Hagander <magnus@hagander.net> wrote:
>> Attached patch implements client certificate authentication.
>>
>> I kept this sitting in my tree without sending it in before the
>> commitfest because it is entirely dependent on the
>> not-yet-reviewed-and-applied patch for how to configure client
>> certificate requesting. But now that I learned how to do it right in
>> git, breaking it out was very easy :-) Good learning experience.
>>
>> Anyway. Here it is. Builds on top of the "clientcert option for pg_hba"
>> patch already on the list.
>
> Patch looks good to me and works as described.
>
> Would cncert be a better auth_method name? As later we might have
> different types of ssl client cert authentication??

If/when I'd rather still call it cert, and use an authentication option to control which field is matched against.

> My only concern is there is no way to specify the USER_CERT_FILE for
> libpq. So if for example I have two users that I want to use cert
> authentication for I really have to have two users on the system (or I
> guess maybe you could fake HOME=... psql -U other_user). Or am I

While not directly related to this patch, that is a very good point. We have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.

> missing a way around this? (granted this might be a non-issue for now
> as you can use trust clientcert=1 in pg_hba.conf with your other
> patch?)

Yes, you can use that but the use case is extremely limited. It only works if these are the *only* two users with certificates...

-Magnus