Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist - Mailing list pgsql-hackers

From Jim Jones
Subject Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist
Msg-id c9e5b368-29af-61f8-d3ae-aa6b6fc69f50@uni-muenster.de
In response to Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist  (Israel Barth Rubio <barthisrael@gmail.com>)
Responses Re: Authentication fails for md5 connections if ~/.postgresql/postgresql.{crt and key} exist
List pgsql-hackers
Hello Israel,

Thanks a lot for the suggestion!

> I do not think it is worth it to change the current behavior of PostgreSQL
> in that sense.

Well, I am not suggesting to change the current behavior of PostgreSQL in
that matter. Quite the contrary, I find this feature very convenient,
especially when you need to deal with many different clusters. What I am
proposing is rather the possibility to disable it on demand :) I mean,
in case I do not want libpq to try to authenticate using the certificates
in `~/.postgresql`.

> PostgreSQL looks for the cert and key under `~/.postgresql` as a facility.
> These files do not exist by default, so if PostgreSQL finds something in
> there it assumes you want to use it.

Yes. I'm just trying to find an elegant way to disable this assumption 
on demand.

> I also think it is correct in the sense of choosing the certificate over
> a password based authentication when it finds a certificate as the cert
> based would provide you with stronger checks.

I couldn't agree more.

> It would require that you move the SSL cert and key from `~/.postgresql` to
> somewhere else and specify `sslcert` and `sslkey` in the expected service in
> the `~/.pg_service.conf` file.

That's exactly what I am trying to avoid. IOW, I want to avoid having to move
the cert files to another path and consequently having to configure 30
different entries in the pg_service.conf because of a single server that
does not support ssl authentication.

I do realize that this patch is a big ask, since probably nobody except 
me "needs it" :D

Thanks again for the message. Much appreciated!

Best,

Jim
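The workaround quoted above, written out as an added example that is not part of the thread: a `~/.pg_service.conf` in which the client certificate and key live outside `~/.postgresql`, so libpq presents them only for the services that name `sslcert` and `sslkey`. Host names, paths and the user name are placeholders.

```ini
# ~/.pg_service.conf (added example; hosts, paths and user are placeholders)
# The cert and key were moved out of ~/.postgresql, so libpq no longer picks
# them up on its own. Only a service that names them sends a client cert.

[cluster-cert]
host=db-cert.example.internal
dbname=app
user=jim
sslmode=verify-full
sslrootcert=/home/jim/pgcerts/root.crt
sslcert=/home/jim/pgcerts/postgresql.crt
sslkey=/home/jim/pgcerts/postgresql.key

[cluster-md5]
# Server that only supports password (md5) authentication: no sslcert/sslkey
# here, so libpq sends no client certificate and password auth is used.
host=db-legacy.example.internal
dbname=app
user=jim
sslmode=require
```

To confirm which path libpq actually took, `SELECT client_dn FROM pg_stat_ssl WHERE pid = pg_backend_pid();` on the server shows the presented client certificate's DN, and NULL when no certificate was sent.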
