Postgres Pro
Downloads
Home   >   mailing lists

Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full - Mailing list pgsql-hackers

From Julian Markwort
Subject Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full
Date
Msg-id 1521816315.7982.22.camel@uni-muenster.de
Whole thread Raw
In response to Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full  (Magnus Hagander <magnus@hagander.net>)
Responses Re: [PATCH] pg_hba.conf : new auth option : clientcert=verify-full  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
Tree view
On Sat, 2018-03-17 at 18:24 +0100, Magnus Hagander wrote:
The error message "certificate authentication failed for user XYZ:
client certificate contains no user name" is the result of calling
CheckCertAuth when the user presented a certificate without a CN in it.

That is arguably wrong, since it's actually password authentication that fails. That is the authentication type that was picked in pg_hba.conf. It's more "certificate validation" that failed.

I think we got confused about this; maybe I didn't graps it fully before: CheckCertAuth is currently only called when auth method cert is used. So it actually makes sense to say that certificate authentication failed, I think.

I agree that the log message is useful. Though it could be good to clearly indicate that it was caused specifically because of the verify-full, to differentiate it from other cases of the same message.
I've modified my patch so it still uses CheckCertAuth, but now a different message is written to the log when clientcert=verify-full was used.
For auth method cert, the function should behave as before.

For example, what about the scenario where I use GSSAPI authentication and clientcert=verify-full. Then we suddenly have three usernames (gssapi, certificate and specified) -- how is the user supposed to know which one came from the cert and which one came from gssapi for example?
The user will only see what's printed in the auth_failed() function in auth.c with the addition of the logdetail string, which I don't touch with this patch.
As you said, it makes sense that more detailed information is only available in the server's log.

I've attached an updated version of the patch.
I'm not sure if it is preferred to keep patches as short as possible (mostly with respect to the changed lines in the documentation) or to organize changes so that the text matches the surrounding column width und text flow? Also, I've omitted mentions of the current usage 'clientcert=1' - this is still supported in code, but I think telling new users only about 'clientcert=verify-ca' and 'clientcert=verify-full' is clearer. Or am I wrong on this one?

Greetings
Julian
Attachment

pgsql-hackers by date:

Previous
From: Ashutosh Bapat
Date:
Subject: Re: Odd procedure resolution
Next
From: Haribabu Kommi
Date:
Subject: Re: PQHost() undefined behavior if connecting string contains bothhost and hostaddr types