Andrew Sullivan wrote:
>On Sat, Oct 15, 2005 at 06:04:54PM -0700, Chris Travers wrote:
>
>
>>Out of curiosity, what is wrong with requiring client SSL certs to
>>access the system and only issuing them to the PGPool system (or using a
>>different CA if you need to issue client certs to the end users)? This
>>
>>
>
>Hmm, I like this, although client SSL certs still didn't work with
>JDBC last I checked, so it won't solve all the problems. But you're
>right, this would mostly solve the problem I was thinking of,
>provided it was described correctly to the (mostly-clueless)
>technology rule-producers.
>
Oops. I guess PgPool doesn't support SSL connections to backend
servers. Too bad :-( This would have been a really nice elegant
solution to this problem. It looks like PgCluster may support SSL, I am
not sure.... The problem is that one needs some way of authenticating
the client not just the user. SSL would work for that.
I can't think of any other way to authenticate the client while still
allowing one to authenticate the user afterwards... And I doubt that it
is possible to use Kerberos to authenticate the daemon as well as the
end user...
Best Wishes,
Chris Travers
Metatron Technology Consulting