[PATCH] pg_hba.conf : new auth option : clientcert=verify-full

From: Julian Markwort <julian(dot)markwort(at)uni-muenster(dot)de>
To: pgsql-hackers(at)postgresql(dot)org
Cc: arne(dot)scheffer(at)uni-muenster(dot)de
Subject: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full
Date: 2018-02-16 15:45:28
Message-ID: 1518795928.3365.24.camel@uni-muenster.de
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Dear Postgresql Hackers,

as of now, pg_hba.conf allows us to enable authentification by
certificate through the auth-method "cert", in which case the user must
provide a valid certificate with a certificate common name(CN) matching
the database user's name or an entry in a pg_ident map.

Additionaly, for every other auth-method it is possible to set the
auth-option "clientcert=1", so clients must present a valid certificate
at login. The logic behind this only checks the validity of the
certificate itself, but the certificate common name(CN) is not
relevant.

I wrote a very small patch that adds another auth-option:
- clientcert=verify-full (analogous to server certificates; you could
also use 2 instead of verify-full for backwards compatibility, or
verify-ca instead of 1)
which also checks the certificate common name,
so all 3 factors get checked:
1.) auth-method, e.g. scram or md5 password passes
2.) client cert is in truststore
3.) CN is correct.

(The patch simply makes use of the function that is used for auth-
method "cert" to avoid code duplication).

Have a nice weekend,
Julian Markwort

Attachment Content-Type Size
clientcert_verify-full_v01.patch text/x-patch 1.9 KB

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Petr Jelinek 2018-02-16 16:04:33 Re: After an error - pg_replication_slot is dropped
Previous Message Peter Eisentraut 2018-02-16 15:39:40 Re: spelling of enable_partition_wise_join