I propose to authenticate client via verification of its SSL certificate.
Recent versions of PostgreSQL database server can verify client's SSL
certificate (via server's root.crt now).
Server gets 'subject' line of verified client certificate
( in src/backend/libpq/be-secure.c:open_server_SSL ),
stores it in port->peer_dn, and never uses it after that.
We can treat this verification as some kind of IDENT authentication method.
The idea is to use client's 'subject' as ident-username key during ident
hostssl all koug 0/0 ident sslcert
hostssl all dba 0/0 ident sslcert
Client that have valid certificate with this 'subject' line can make
to database server as koug or dba - without having IDENT server on his
It becomes impossible to use ssl connection and IDENT via TCP/IP
protocol at the same time.
I think it's positive consequence of the method proposed.
It's rather strange to rely on insecure IDENT via TCP/IP for
authentication of secured connection.
Only one function src/backend/libpq/hba.c:authident should be modified.
Patch attached has been made for 8.2beta3.
Same modification of authident has been tested against 8.1.5 too.
pgsql-patches by date
|Next:||From: Simon Riggs||Date: 2006-11-17 09:40:12|
|Subject: Re: [HACKERS] Extended protocol logging|
|Previous:||From: Mario Weilguni||Date: 2006-11-17 08:50:33|
|Subject: Re: Cast null to int4 upgrading from Version 7.2|