Re: Client certificate authentication

From Magnus Hagander
Subject Re: Client certificate authentication
Msg-id FE56887E-B4A6-4328-AB32-1AA9C65FD221@hagander.net
In response to Client certificate authentication  (Magnus Hagander <magnus@hagander.net>)
Responses Re: Client certificate authentication  (Alvaro Herrera <alvherre@commandprompt.com>)
Re: Client certificate authentication  ("Alex Hunsaker" <badalex@gmail.com>)
List pgsql-hackers
On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex@gmail.com> wrote:

> On Thu, Nov 13, 2008 at 05:31, Magnus Hagander <magnus@hagander.net> wrote:
>> Attached patch implements client certificate authentication.
>>
>> I kept this sitting in my tree without sending it in before the
>> commitfest because it is entirely dependent on the
>> not-yet-reviewed-and-applied patch for how to configure client
>> certificate requesting. But now that I learned how to do it right in
>> git, breaking it out was very easy :-) Good learning experience.
>>
>> Anyway. Here it is. Builds on top of the "clientcert option for pg_hba"
>> patch already on the list.
>
> Patch looks good to me and works as described.
>
> Would cncert be a better auth_method name? As later we might have
> different types of ssl client cert authentication??

If/when I'd rather still call it cert, and use an authentication  
option to control which field is matched against.


> My only concern is there is no way to specify the USER_CERT_FILE for
> libpq.  So if for example I have two users that I want to use cert
> authentication for I really have to have two users on the system (or I
> guess maybe you could fake HOME=... psql -U other_user).   Or am I

While not directly related to this patch, that is a very good point.  
We have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.


>
> missing a way around this? (granted this might be a non-issue for now
> as you can use trust clientcert=1 in pg_hba.conf with your other
> patch?)

Yes, you can use that but the use case is extremely limited. It only
works if these are the *only* two users with certificates...

-Magnus

