From: | Jim Jones <jim(dot)jones(at)uni-muenster(dot)de> |
---|---|
To: | Israel Barth Rubio <barthisrael(at)gmail(dot)com> |
Cc: | Jelte Fennema <postgres(at)jeltef(dot)nl>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist |
Date: | 2023-01-20 19:09:42 |
Message-ID: | c9e5b368-29af-61f8-d3ae-aa6b6fc69f50@uni-muenster.de |
Lists: | pgsql-hackers |
Hello Israel,
Thanks a lot for the suggestion!
> I do not think it is worth it to change the current behavior of PostgreSQL
> in that sense.
Well, I am not suggesting to change the current behavior of PostgreSQL in
that matter. Quite the contrary, I find this feature very convenient,
especially when you need to deal with many different clusters. What I am
proposing is rather the possibility to disable it on demand :) I mean,
in case I do not want libpq to try to authenticate using the certificates
in `~/.postgresql`.
> PostgreSQL looks for the cert and key under `~/.postgresql` as a facility.
> These files do not exist by default, so if PostgreSQL finds something in
> there it assumes you want to use it.
Yes. I'm just trying to find an elegant way to disable this assumption
on demand.
> I also think it is correct in the sense of choosing the certificate over
> a password based authentication when it finds a certificate as the cert
> based would provide you with stronger checks.
I couldn't agree more.
> It would require that you move the SSL cert and key from `~/.postgresql` to
> somewhere else and specify `sslcert` and `sslkey` in the expected service in the
> `~/.pg_service.conf` file.
That's exactly what I am trying to avoid. IOW, I want to avoid having to move
the cert files to another path and consequently having to configure 30
different entries in the pg_service.conf because of a single server that
does not support ssl authentication.
I do realize that this patch is a big ask, since probably nobody except
me "needs it" :D
Thanks again for the message. Much appreciated!
Best,
Jim
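
The following is an added example, not part of the original message or of PostgreSQL: a Python script that reads a `pg_service.conf` and lists the services that would pick up the certificate in `~/.postgresql` without asking for it, which is the assumption discussed above. The sample service file, host names, paths and function names are constructed; it assumes libpq resolves the client certificate from the service entry's `sslcert`, then the `PGSSLCERT` environment variable, then `~/.postgresql/postgresql.crt`.

```python
import configparser
from pathlib import Path

# Constructed sample service file (hosts and paths are made up for this example).
SAMPLE = """\
[cluster_a]
host=a.example.internal
dbname=app

[cluster_b]
host=b.example.internal
sslcert=/home/jim/certs/cluster_b.crt
sslkey=/home/jim/certs/cluster_b.key

[legacy_md5]
host=legacy.example.internal
dbname=app
"""

def client_cert_per_service(service_text, home, env=None):
    """Map each service name to the client cert libpq would try, or None."""
    env = env or {}
    parser = configparser.ConfigParser(interpolation=None,
                                       default_section="__unused__")
    parser.read_string(service_text)
    default_cert = Path(home) / ".postgresql" / "postgresql.crt"
    result = {}
    for name in parser.sections():
        if parser.has_option(name, "sslcert"):
            result[name] = parser.get(name, "sslcert")   # explicit, per service
        elif env.get("PGSSLCERT"):
            result[name] = env["PGSSLCERT"]              # environment fallback
        elif default_cert.is_file():
            result[name] = str(default_cert)             # implicit default lookup
        else:
            result[name] = None                          # no client cert offered
    return result

def implicit_services(service_text, home, env=None):
    """Services that rely on the implicit ~/.postgresql certificate."""
    default_cert = str(Path(home) / ".postgresql" / "postgresql.crt")
    certs = client_cert_per_service(service_text, home, env)
    return sorted(name for name, cert in certs.items() if cert == default_cert)

if __name__ == "__main__":
    for svc in implicit_services(SAMPLE, Path.home()):
        print(f"{svc}: will offer ~/.postgresql/postgresql.crt implicitly")
```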