From: | Israel Barth Rubio <barthisrael(at)gmail(dot)com> |
---|---|
To: | Jim Jones <jim(dot)jones(at)uni-muenster(dot)de> |
Cc: | Jelte Fennema <postgres(at)jeltef(dot)nl>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist |
Date: | 2023-01-19 21:12:44 |
Message-ID: | CAO_rXXCdp2RXAGY6j9sRygCR1R8nZBketJKSNq1V+Uj5ou63Ug@mail.gmail.com |
Lists: | pgsql-hackers |
Hello Jim,
> Hi Jelte, thanks for the message. You're right, an invalid cert path
> does solve the issue - I even use it for tests. Although it solves the
> authentication issue it still looks in my eyes like a non-intuitive
> workaround/hack. Perhaps a new sslmode isn't the right place for this
> "feature"? Thanks again for the suggestion!
I do not think it is worth it to change the current behavior of PostgreSQL
in that sense.
PostgreSQL looks for the cert and key under `~/.postgresql` as a facility.
These files do not exist by default, so if PostgreSQL finds something in
there it assumes you want to use it.
I also think it is correct in the sense of choosing the certificate over
a password-based authentication when it finds a certificate, as the cert-based
one would provide you with stronger checks.
I believe that using libpq services would be a better approach if you
want to connect to several PostgreSQL clusters from the very same
source machine. That way you would specify whatever is specific to each
target cluster in a centralized configuration file and just reference each
target cluster by its service name in the connection string. It would
require that you move the SSL cert and key from `~/.postgresql` to somewhere
else and specify `sslcert` and `sslkey` in the expected service in the
`~/.pg_service.conf` file.
More info about that can be found at:
https://www.postgresql.org/docs/current/libpq-pgservice.html
Best regards,
Israel.
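As an added illustration of the service-file approach Israel describes (this is not part of the original thread; host names, paths, user and service names are constructed placeholders), a `~/.pg_service.conf` that keeps one cert-authenticated cluster and one md5-authenticated cluster apart on the same client machine:

```ini
# ~/.pg_service.conf (constructed example; hosts, paths, user and service
# names are placeholders, not values from the original message)

# Cluster that authenticates clients by certificate. The cert and key have
# been moved out of ~/.postgresql, so libpq no longer finds them by default;
# they are referenced explicitly here instead, as Israel suggests.
[analytics-cert]
host=analytics.example.internal
port=5432
dbname=analytics
user=jim
sslmode=verify-full
sslrootcert=/home/jim/pgcerts/analytics-root.crt
sslcert=/home/jim/pgcerts/analytics-client.crt
sslkey=/home/jim/pgcerts/analytics-client.key

# Cluster that uses md5 password authentication. No sslcert/sslkey is set
# and nothing is left in ~/.postgresql, so libpq sends no client certificate
# and the server falls back to the password prompt (or ~/.pgpass).
[reporting-md5]
host=reporting.example.internal
port=5432
dbname=reporting
user=jim
sslmode=require
```

Each cluster is then selected by its service name alone, e.g. `psql "service=analytics-cert"` or `psql "service=reporting-md5"`, with no SSL parameters in the connection string.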