Re: "cert" + clientcert=verify-ca in pg_hba.conf?

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: "cert" + clientcert=verify-ca in pg_hba.conf?
Date: 2020-08-25 01:49:40
Message-ID: 20200825014940.GA32540@momjian.us
Lists: pgsql-hackers

On Tue, Aug 25, 2020 at 10:41:26AM +0900, Kyotaro Horiguchi wrote:
> At Mon, 24 Aug 2020 20:01:26 -0400, Bruce Momjian <bruce(at)momjian(dot)us> wrote in
> > I have slightly adjusted the doc part of the patch, attached.
>
> Thanks.
>
> In a <filename>pg_hba.conf</filename> record specifying certificate
> - authentication, the authentication option <literal>clientcert</literal> is
> - assumed to be <literal>verify-ca</literal> or <literal>verify-full</literal>,
> - and it cannot be turned off since a client certificate is necessary for this
> - method. What the <literal>cert</literal> method adds to the basic
> - <literal>clientcert</literal> certificate validity test is a check that the
> - <literal>cn</literal> attribute matches the database user name.
> + authentication, the only valid value for <literal>clientcert</literal>
> + is <literal>verify-full</literal>, and this has no affect since it
> + just duplicates <literal>client</literal> authentication's behavior.
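Review bot: the added text has a typo in "this has no affect", which should read "no effect", and "<literal>client</literal> authentication's behavior" appears to mean "<literal>cert</literal>", since the record being described is one that specifies certificate authentication and there is no "client" method. Separately, the removed lines stated what the cert method checks beyond plain clientcert validation ("a check that the <literal>cn</literal> attribute matches the database user name"); the replacement drops that sentence, so the paragraph no longer tells the reader what cert enforces. Suggest keeping that sentence after the new wording, e.g. "What the <literal>cert</literal> method adds to the <literal>clientcert</literal> certificate validity test is a check that the <literal>cn</literal> attribute matches the database user name."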
>
> I read it as "it can be specified (without an error), but actually
> does nothing". If it is the correct reading, I prefer to mention that
> incompatible values cause an error.

Well, when I say "the only valid value", that means any other value is
invalid, and hence will generate an error.

> > > Related to that, pg_hba.conf accepts the combination of "cert" method
> > > and the option clientcert="verify-ca" but it is ignored. We should
> > > reject that combination the same way with "cert"+"no-verify".
> >
> > Are you saying we should _require_ clientcert=verify-full when 'cert'
> > authentication is used? I don't see the point of that --- I just
> > updated the docs to say doing so was duplicate behavior.
>
> I don't suggest changing the current behavior. I'm saying it is the
> way it is working and we should correctly error-out that since it
> doesn't work as specified.

Uh, I don't understand what 'combination the same way with
"cert"+"no-verify"' means. Right now, cert with no clientcert/verify line
works just fine. Is "no-verify" something special? Are you saying it
is any random string that would generate an error?

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EnterpriseDB https://enterprisedb.com

The usefulness of a cup is in its emptiness, Bruce Lee
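The disagreement above is about which clientcert values should be accepted alongside the cert method, and whether a silently ignored value (cert plus clientcert=verify-ca) should instead be an error. The following is an added example, not code from this thread and not PostgreSQL's own hba.c parser: a small lint over pg_hba.conf records that flags the combinations discussed here (cert with clientcert=verify-ca or clientcert=no-verify) and, as one extra check, a clientcert option on a row that is not hostssl, which PostgreSQL rejects. The record layout follows the documented pg_hba.conf columns; the lint policy itself, the function names and the sample configuration are assumptions constructed for this example, and the parser only understands CIDR-style addresses, not the separate address/netmask form.

```python
"""Lint pg_hba.conf records for misleading clientcert/cert combinations.

Added example; this is not PostgreSQL's own parser and the policy of what
to flag is an assumption based on the thread above.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Values for clientcert named in the thread (verify-full, verify-ca,
# no-verify); PostgreSQL 12 also accepted the older 0/1 spellings.
KNOWN_CLIENTCERT = {"verify-full", "verify-ca", "no-verify", "0", "1"}


@dataclass
class HbaRecord:
    lineno: int
    conn_type: str          # local, host, hostssl, hostnossl, ...
    database: str
    user: str
    address: Optional[str]  # None for "local" rows
    method: str             # trust, peer, cert, scram-sha-256, ...
    options: Dict[str, str] = field(default_factory=dict)


def parse_hba(text: str) -> List[HbaRecord]:
    """Parse pg_hba.conf text into records (CIDR addresses only)."""
    records: List[HbaRecord] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = shlex.split(line)  # handles quoted values such as clientcert="verify-ca"
        conn_type = fields[0]
        if conn_type == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: too few fields for local row")
            database, user, method = fields[1:4]
            address, opt_fields = None, fields[4:]
        else:
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: too few fields for {conn_type} row")
            database, user, address, method = fields[1:5]
            opt_fields = fields[5:]
        options: Dict[str, str] = {}
        for opt in opt_fields:
            if "=" not in opt:
                raise ValueError(f"line {lineno}: option {opt!r} is not name=value")
            name, value = opt.split("=", 1)
            options[name] = value
        records.append(HbaRecord(lineno, conn_type, database, user, address, method, options))
    return records


def lint_clientcert(records: List[HbaRecord]) -> List[Tuple[int, str]]:
    """Return (lineno, message) findings for clientcert misuse."""
    findings: List[Tuple[int, str]] = []
    for r in records:
        cc = r.options.get("clientcert")
        if cc is None:
            continue  # cert alone already implies full certificate checking
        if r.conn_type != "hostssl":
            findings.append((r.lineno, "clientcert only makes sense on hostssl rows"))
            continue
        if cc not in KNOWN_CLIENTCERT:
            findings.append((r.lineno, f"unknown clientcert value {cc!r}"))
            continue
        if r.method == "cert" and cc != "verify-full":
            # cert always verifies the chain AND matches cn to the user name,
            # so a weaker clientcert value is either ignored or contradictory.
            findings.append((r.lineno, f"cert method with clientcert={cc}: "
                                        "cert already enforces verify-full"))
    return findings


def lint_text(text: str) -> List[Tuple[int, str]]:
    return lint_clientcert(parse_hba(text))


# Constructed sample pg_hba.conf (not taken from any real deployment).
SAMPLE_HBA = """\
# constructed sample
local   all all                    peer
hostssl all all 10.0.0.0/8         cert
hostssl all all 10.0.0.0/8         cert clientcert=verify-full
hostssl all all 10.0.0.0/8         cert clientcert=verify-ca
hostssl all all 10.0.0.0/8         cert clientcert=no-verify
hostssl all all 10.0.0.0/8         scram-sha-256 clientcert=verify-ca
host    all all 192.168.0.0/16     scram-sha-256 clientcert=verify-full
"""

if __name__ == "__main__":
    for lineno, msg in lint_text(SAMPLE_HBA):
        print(f"line {lineno}: {msg}")
```

Running the module prints three findings for the sample: the cert rows with clientcert=verify-ca and clientcert=no-verify, and the plain host row carrying a clientcert option. The cert row without any clientcert option and the one with verify-full are left alone, matching the point in the thread that cert already behaves as verify-full.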
