| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Isaac Morland <isaac(dot)morland(at)gmail(dot)com> |
| Cc: | Thomas Berger <thomas(dot)berger(at)1und1(dot)de>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Usage of the system truststore for SSL certificate validation |
| Date: | 2019-09-28 19:59:00 |
| Message-ID: | 20190928195900.GA1377@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, Sep 19, 2019 at 12:26:27PM -0400, Isaac Morland wrote:
> If we're going to open this up, can we add an option to say "this key is
> allowed to log in to this account", SSH style?
>
> I like the idea of using keys rather than .pgpass, but I like the ~/.ssh/
> authorized_keys model and don't like the "set up an entire certificate
> infrastructure" approach.
This is actually a good question --- why does ssh do it that way and
Postgres does it another, more like a web server/client. Maybe it is
because ssh allows the user to create one key pair, and use it for
several independent servers, while Postgres assumes the client will only
connect to multiple related servers controlled by the same CA. With the
Postgres approach, you can change the client certificate with no changes
on the server, while with the ssh model, changing the client certificate
requires sending the public key to the ssh server to be added to
~/.ssh/authorized_keys.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2019-09-28 20:37:43 | Re: Possible bug: SQL function parameter in window frame definition |
| Previous Message | Tomas Vondra | 2019-09-28 19:09:17 | Re: PATCH: logical_work_mem and logical streaming of large in-progress transactions |