Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist - Mailing list pgsql-hackers

From Israel Barth Rubio
Subject Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist
Msg-id CAO_rXXCdp2RXAGY6j9sRygCR1R8nZBketJKSNq1V+Uj5ou63Ug@mail.gmail.com
In response to Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist  (Jim Jones <jim.jones@uni-muenster.de>)
Responses Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist
List pgsql-hackers
Hello Jim,

> Hi Jelte, thanks for the message. You're right, an invalid cert path
> does solve the issue - I even use it for tests. Although it solves the
> authentication issue it still looks in my eyes like a non-intuitive
> workaround/hack. Perhaps a new sslmode isn't the right place for this
> "feature"? Thanks again for the suggestion!

I do not think it is worth it to change the current behavior of PostgreSQL
in that sense.

PostgreSQL looks for the cert and key under `~/.postgresql` as a facility.
These files do not exist by default, so if PostgreSQL finds something in
there it assumes you want to use it.

I also think it is correct in the sense of choosing the certificate over
password-based authentication when it finds a certificate, as the cert-based
method would provide you with stronger checks.

I believe that using libpq services would be a better approach if you
want to connect to several PostgreSQL clusters from the very same
source machine. That way you would specify whatever is specific to each
target cluster in a centralized configuration file and just reference each
target cluster by its service name in the connection string. It would
require that you move the SSL cert and key from `~/.postgresql` to somewhere
else and specify `sslcert` and `sslkey` in the expected service in the
`~/.pg_service.conf` file.

More info about that can be found at:

https://www.postgresql.org/docs/current/libpq-pgservice.html

Best regards,
Israel.
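As an added illustration of the service-file approach suggested above (this is example material, not something posted in the thread or shipped with PostgreSQL): the script below writes a `pg_service.conf` with one service that names a client certificate via `sslcert`/`sslkey` and one that does not, so only the first presents a certificate, and the second falls through to password authentication provided the default `~/.postgresql/postgresql.crt` has been moved out of the way. The hostnames, paths and service names are constructed placeholders, and the `service_param` helper is a small awk lookup written here for inspection, not libpq's own parser.

```shell
#!/bin/sh
# Added example (not from the thread): a pg_service.conf that keeps the client
# certificate out of ~/.postgresql so that only the service naming it uses
# certificate authentication; the other service uses a password instead.
# Hostnames, paths and service names are constructed placeholders.
set -e

PGSERVICEFILE="${TMPDIR:-/tmp}/pg_service_example.conf"
export PGSERVICEFILE   # libpq reads this file instead of ~/.pg_service.conf

cat > "$PGSERVICEFILE" <<'EOF'
# Cluster whose pg_hba.conf uses the "cert" method: present a client cert.
[cert-cluster]
host=db-cert.example.internal
port=5432
dbname=app
user=app_user
sslmode=verify-full
sslrootcert=/home/alice/.pgcerts/root.crt
sslcert=/home/alice/.pgcerts/cert-cluster.crt
sslkey=/home/alice/.pgcerts/cert-cluster.key

# Cluster whose pg_hba.conf uses md5/scram: no sslcert/sslkey here, so libpq
# presents no client certificate, as long as ~/.postgresql/postgresql.crt
# does not exist (that default path is what the thread is about).
[pw-cluster]
host=db-pw.example.internal
port=5432
dbname=app
user=app_user
sslmode=verify-full
sslrootcert=/home/alice/.pgcerts/root.crt
EOF
chmod 0600 "$PGSERVICEFILE"   # libpq does not require this, but it may hold a password

# service_param SERVICE KEY: print the value set for KEY in section [SERVICE]
# of $PGSERVICEFILE, or nothing if the key is unset there. Plain awk, only to
# let you inspect what each service resolves to before connecting.
service_param() {
  awk -v svc="$1" -v key="$2" -F= '
    /^[ \t]*[#;]/ { next }                            # skip comments
    /^[ \t]*\[/   { in_sec = ($0 == "[" svc "]"); next }
    in_sec && $1 == key { sub(/^[^=]*=/, ""); print; exit }
  ' "$PGSERVICEFILE"
}

# With this file in place, each cluster is selected by service name only:
#   psql "service=cert-cluster"      -> certificate authentication
#   psql "service=pw-cluster"        -> password authentication
#   PGSERVICE=pw-cluster psql        -> same, via environment
service_param cert-cluster sslcert
service_param pw-cluster sslcert      # prints nothing: no client cert for this service
```

Moving the key and certificate from `~/.postgresql` into a directory that only the service file references is the step that matters: with the files still in the default location, libpq would pick them up for `pw-cluster` too, even though that service never names them.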
