Discussion: pgsql: Allow matching the DN of a client certificate for authentication


pgsql: Allow matching the DN of a client certificate for authentication

From
Andrew Dunstan
Date:
Allow matching the DN of a client certificate for authentication

Currently we only recognize the Common Name (CN) of a certificate's
subject to be matched against the user name. Thus certificates with
subjects '/OU=eng/CN=fred' and '/OU=sales/CN=fred' will have the same
connection rights. This patch provides an option to match the whole
Distinguished Name (DN) instead of just the CN. On any hba line using
client certificate identity, there is an option 'clientname' which can
have values of 'DN' or 'CN'. The default is 'CN', the current procedure.

The DN is matched against the RFC2253 formatted DN, which looks like
'CN=fred,OU=eng'.

This facility is probably best used in conjunction with an ident map.

Discussion: https://postgr.es/m/92e70110-9273-d93c-5913-0bccb6562740@dunslane.net

Reviewed-By: Michael Paquier, Daniel Gustafsson, Jacob Champion

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/6d7a6feac48b1970c4cd127ee65d4c487acbb5e9

Modified Files
--------------
doc/src/sgml/client-auth.sgml         | 24 +++++++++++++-
src/backend/libpq/auth.c              | 34 +++++++++++++++----
src/backend/libpq/be-secure-openssl.c | 61 ++++++++++++++++++++++++++++++++---
src/backend/libpq/be-secure.c         |  5 +--
src/backend/libpq/hba.c               | 31 ++++++++++++++++++
src/include/libpq/hba.h               |  7 ++++
src/include/libpq/libpq-be.h          |  1 +
src/test/ssl/Makefile                 |  9 +++++-
src/test/ssl/client-dn.config         | 16 +++++++++
src/test/ssl/ssl/client-dn.crt        | 19 +++++++++++
src/test/ssl/ssl/client-dn.key        | 27 ++++++++++++++++
src/test/ssl/t/001_ssltests.pl        | 34 +++++++++++++++++--
src/test/ssl/t/SSLServer.pm           | 16 +++++++++
13 files changed, 266 insertions(+), 18 deletions(-)
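As an added illustration, not PostgreSQL's own code: a small Python model of what the option changes. It converts an OpenSSL one-line subject into the RFC 2253 string the commit message describes, picks the identity according to clientname, and runs the result through a constructed pg_ident-style regex map (the map, the role names and the simplified escaping are assumptions; the intended hba usage is a line with `clientname=DN` plus `map=`).

```python
import re

# Added illustration of the matching rule, not PostgreSQL's own code.
# Escaping covers only the common RFC 2253 special characters.


def subject_to_rfc2253(openssl_subject: str) -> str:
    """Turn an OpenSSL one-line subject ('/OU=eng/CN=fred') into the
    RFC 2253 string ('CN=fred,OU=eng') that clientname=DN is matched
    against.  RFC 2253 lists RDNs most-specific first, so the order of
    the slash-separated components is reversed.  Simplified: comma, plus,
    quote, backslash, angle brackets and semicolon in a value are
    backslash-escaped; multi-valued RDNs are not handled."""
    rdns = [part for part in openssl_subject.split("/") if part]
    out = []
    for rdn in reversed(rdns):
        attr, _, value = rdn.partition("=")
        value = re.sub(r'([,+"\\<>;])', r"\\\1", value)
        out.append(f"{attr}={value}")
    return ",".join(out)


def cert_identity(openssl_subject: str, clientname: str = "CN"):
    """Identity string the hba option selects: clientname=CN yields the
    CN value alone (the pre-patch behaviour), clientname=DN the full DN."""
    if clientname.upper() == "DN":
        return subject_to_rfc2253(openssl_subject)
    for rdn in openssl_subject.split("/"):
        if rdn.startswith("CN="):
            return rdn[len("CN="):]
    return None


# Constructed pg_ident.conf-style map: (regex on the system name, role).
# '\1' substitutes the first capture group, as it does in pg_ident.conf.
IDENT_MAP = [
    (r"^CN=(.*),OU=eng$", r"\1"),         # engineering certs -> their CN
    (r"^CN=(.*),OU=sales$", "sales_ro"),  # any sales cert -> one read-only role
]


def map_role(identity: str):
    """Apply the map to the identity string; None means no match."""
    for pattern, role in IDENT_MAP:
        m = re.match(pattern, identity)
        if m:
            return m.expand(role)
    return None


if __name__ == "__main__":
    for subj in ("/OU=eng/CN=fred", "/OU=sales/CN=fred"):
        dn = cert_identity(subj, "DN")
        print(subj, "CN:", cert_identity(subj), "DN:", dn, "role:", map_role(dn))
```

With clientname=CN both certificates yield the same identity 'fred'; with clientname=DN they differ and the map can route them to different roles.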


Re: pgsql: Allow matching the DN of a client certificate for authentication

From
Andrew Dunstan
Date:
On 3/29/21 3:50 PM, Andrew Dunstan wrote:
> Allow matching the DN of a client certificate for authentication
>
> Currently we only recognize the Common Name (CN) of a certificate's
> subject to be matched against the user name. Thus certificates with
> subjects '/OU=eng/CN=fred' and '/OU=sales/CN=fred' will have the same
> connection rights. This patch provides an option to match the whole
> Distinguished Name (DN) instead of just the CN. On any hba line using
> client certificate identity, there is an option 'clientname' which can
> have values of 'DN' or 'CN'. The default is 'CN', the current procedure.
>
> The DN is matched against the RFC2253 formatted DN, which looks like
> 'CN=fred,OU=eng'.
>
> This facility is probably best used in conjunction with an ident map.
>
> Discussion: https://postgr.es/m/92e70110-9273-d93c-5913-0bccb6562740@dunslane.net
>
> Reviewed-By: Michael Paquier, Daniel Gustafsson, Jacob Champion




Belated credit where it's due: this work was originally based on a patch
from Kosmas Valianos of AppGate.


cheers


andrew





Re: pgsql: Allow matching the DN of a client certificate for authentication

From
Daniel Gustafsson
Date:
> On 29 Mar 2021, at 21:50, Andrew Dunstan <andrew@dunslane.net> wrote:
>
> Allow matching the DN of a client certificate for authentication

A small typo snuck in with this commit:

diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 0d6d237e7c..ecc3fe1f2e 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -235,7 +235,7 @@ ssl/client.crt: ssl/client.key ssl/client_ca.crt
        rm ssl/client.csr ssl/temp.crt


-# Client certificate with multi-parth DN, signed by the client CA:
+# Client certificate with multi-part DN, signed by the client CA:
 ssl/client-dn.crt: ssl/client-dn.key ssl/client_ca.crt
        openssl req -new -key ssl/client-dn.key -out ssl/client-dn.csr -config client-dn.config
        openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-dn.csr
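Review bot: Comment-only change in the ssl/client-dn.crt recipe; the spelling fix ('multi-parth' to 'multi-part') is correct and, since neither the `openssl req` nor the `openssl ca` command line changes, the committed ssl/client-dn.crt and ssl/client-dn.key do not need to be regenerated. Safe to apply as-is.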

--
Daniel Gustafsson        https://vmware.com/