Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full - Mailing list pgsql-hackers

From Julian Markwort
Subject Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full
Date
Msg-id 1520601113.1243.22.camel@uni-muenster.de
In response to Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full  (Magnus Hagander <magnus@hagander.net>)
Responses Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
Hello Magnus,

> I think this makes a lot of sense, and can definitely be a useful
> option.

I was hesitant to write a long and elaborate patch as I wasn't certain
if there was any interest for such an addition, but I'm thankful for
your input.

> However, the patch is completely lacking documentation, which
> obviously makes it a no-starter.

I'll write the missing documentation shortly.

> Also if I read it right, if the CN is not correct, it will give the
> error message "certificate authentication failed for user ...". I
> realize this comes from the re-use of the code, but I don't think
> this makes it very useful. We need to separate these two things.

The error message "certificate authentication failed for user XYZ:
client certificate contains no user name" is the result of calling
CheckCertAuth when the user presented a certificate without a CN in it.

The error message that is presented to the user upon trying to connect
with a certificate containing a CN other than the username is:

---------------------
psql: FATAL: password authentication failed for user "nottestuser"
---------------------

The server's log contains the lines:

---------------------
2018-03-09 13:06:43.111 CET [3310] LOG:  provided user name (nottestuser) and authenticated user name (testuser) do not match
2018-03-09 13:06:43.111 CET [3310] FATAL:  password authentication failed for user "nottestuser"
2018-03-09 13:06:43.111 CET [3310] DETAIL:  Connection matched pg_hba.conf line 97: "hostssl all nottestuser 127.0.0.1/32 password clientcert=verify-full"
---------------------

I'd argue that the message in the log file is consistent and useful,
however the message given by psql (or any libpq application for that
matter) leaves uncertainty regarding the correctness of a provided
password, for example.
I could attach the log message of CheckCertAuth to the logdetail,
however then I'd have issues if there is already something written to
the logdetail.
I could also use an additional ereport() call whenever clientcert was
set to verify-full and the user name didn't match the CN.

Kind regards
Julian
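
Added example (not part of the message above or of the patch): a log triage sketch that correlates the LOG, FATAL and DETAIL entries by backend PID, so a failure caused by a certificate CN mismatch can be told apart from a wrong password even though the client sees the same FATAL text. It assumes a log line prefix of the form `timestamp [pid]` as in the quoted log and one authentication attempt per PID; the function name and the PID 3311 entries are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three entries quoted in the message (mail wrapping
# undone) plus a constructed plain password failure (PID 3311) for contrast.
SAMPLE_LOG = """\
2018-03-09 13:06:43.111 CET [3310] LOG:  provided user name (nottestuser) and authenticated user name (testuser) do not match
2018-03-09 13:06:43.111 CET [3310] FATAL:  password authentication failed for user "nottestuser"
2018-03-09 13:06:43.111 CET [3310] DETAIL:  Connection matched pg_hba.conf line 97: "hostssl all nottestuser 127.0.0.1/32 password clientcert=verify-full"
2018-03-09 13:07:02.480 CET [3311] FATAL:  password authentication failed for user "testuser"
2018-03-09 13:07:02.480 CET [3311] DETAIL:  Connection matched pg_hba.conf line 98: "hostssl all testuser 127.0.0.1/32 password clientcert=verify-full"
"""

# Assumed prefix layout: "<date> <time> <tz> [<pid>] <LEVEL>:  <message>"
ENTRY = re.compile(r'^\S+ \S+ \S+ \[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$')
MISMATCH = re.compile(r'provided user name \((?P<provided>[^)]*)\) and '
                      r'authenticated user name \((?P<cn>[^)]*)\) do not match')
AUTH_FAIL = re.compile(r'(?P<method>\w+) authentication failed for user "(?P<user>[^"]*)"')
HBA = re.compile(r'Connection matched pg_hba\.conf line (?P<line>\d+): "(?P<rule>.*)"')

def classify_failures(log_text):
    """Return one dict per failed login, with the cause inferred per PID."""
    by_pid = defaultdict(dict)
    failed = []                      # PIDs in the order their FATAL appeared
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue                 # continuation line or unrelated format
        pid, level, msg = int(m['pid']), m['level'], m['msg']
        ev = by_pid[pid]
        if level == 'LOG' and (mm := MISMATCH.search(msg)):
            ev['cert_cn'] = mm['cn']
        elif level == 'FATAL' and (mm := AUTH_FAIL.search(msg)):
            ev.update(pid=pid, method=mm['method'], user=mm['user'])
            failed.append(pid)
        elif level == 'DETAIL' and (mm := HBA.search(msg)):
            ev['hba_line'] = int(mm['line'])
            ev['verify_full'] = 'clientcert=verify-full' in mm['rule']
    for pid in failed:
        ev = by_pid[pid]
        # A preceding mismatch LOG entry is the real cause; otherwise the
        # FATAL's own method (for example "password") is taken at face value.
        ev['cause'] = 'cert_cn_mismatch' if 'cert_cn' in ev else ev['method'] + '_failed'
    return [by_pid[pid] for pid in failed]

if __name__ == '__main__':
    for event in classify_failures(SAMPLE_LOG):
        print(event)
```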