Re: PKI/SSL Client/Server Certificate Authentication

From: "Brian A(dot) Seklecki" <lavalamp(at)spiritual-machines(dot)org>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: PKI/SSL Client/Server Certificate Authentication
Date: 2006-01-13 17:19:38
Message-ID: 20060113114049.D38232@arbitor.digitalfreaks.org
Lists: pgsql-admin
On Fri, 13 Jan 2006, Tom Lane wrote:

> "Brian A. Seklecki" <lavalamp(at)spiritual-machines(dot)org> writes:
>> If a "bad person" were to somehow obtain a copy of the source code with a
>> password embedded in the connect string (Steal it from a developer who
>> uses Windows, or maybe convince Apache to not interpret PHP before sending
>> to the client, something stupid like that), they would still be unable to
>> connect without a client certificate.
>
> So they steal the client certificate file instead of (the file
> containing) the password.  How exactly is this more secure?

You'd have to get a local shell on the server *plus* the password.

If a hacker can get a local shell on your web server (not a multi-user 
environment, obviously), and the Web server isn't in a jail, then they've 
probably got your database server too, and you might as well pack up and 
head home.

But with OCSP, the CA for the organization can revoke the validity of a 
Cert at any time by updating the CRL.

The password is entirely optional for the user.  When you've got a Vhost 
running multiple Apps talking to the same DB, and the Web server runs as 
the "www" or "http" user, you can even plug multiple database user 
passwords into user ~/www/.pgpass and the username is mapped via the 
Client X.509 cert.

In short, it's a deterrent to hackers and a convenience to admins.  But we 
all know if someone wants in, they'll get in and it won't be some kind of 
attack on a weakness in X.509 PKI, it will be the developer on Windows that 
opens the e-mail with the attachment (or image file!)

~BAS

>
> 			regards, tom lane

l8*
 	-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
