| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Martin Pitt <mpitt(at)debian(dot)org>, pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |
| Date: | 2009-04-10 17:56:14 |
| Message-ID: | 49DF883E.7060002@hagander.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> Tom Lane wrote:
>>> In the first place, I have never seen such a prompt, despite the fact
>>> that I use ssh constantly to connect to machines that I know do not have
>>> properly signed certificates.
>
>> *really*? Here's what I get as an example (after removing the trust):
>
>> ha(at)mha-laptop:~/.ssh$ ssh cvs.postgresql.org
>> The authenticity of host 'cvs.postgresql.org (217.196.146.206)' can't be
>> established.
>> DSA key fingerprint is 54:27:10:f3:48:0a:f0:b6:c3:14:79:7e:49:c0:75:f3.
>> Are you sure you want to continue connecting (yes/no)? ^C
>
> This simply tells you that the machine has a new key since last time you
> talked to it. It doesn't have anything to do with whether the machine's
> cert has been signed by anybody. It also doesn't prevent you from
> operating without a root.crt file of your own.
SSH doesn't have certificates. The trusted key is as close as you get.
You can compare it to ssl with *only* self-signed-certificate. Where it
prompts you to authenticate the fingerprint of said
self-signed-certificate.
They do it through a prompt. We do it through a file. But as long as you
in pg only deal with self-signed certs, the outcome is pretty much the same.
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2009-04-10 18:21:23 | Re: Re: [BUGS] BUG #4027: backslash escaping notdisabled inplpgsql |
| Previous Message | Tom Lane | 2009-04-10 17:38:56 | Re: libpq 8.4 beta1: $PGHOST complains about missing root.crt |