Thread: SSL cert client authentication

SSL cert client authentication

From
Gleb Kouzmenko
Date:
I propose to authenticate client via verification of its SSL certificate.

IDEA.

Recent versions of PostgreSQL database server can verify client's SSL
certificate (via server's root.crt now).
Server gets 'subject' line of verified client certificate
( in src/backend/libpq/be-secure.c:open_server_SSL ),
stores it in port->peer_dn, and never uses it after that.

We can treat this verification as some kind of IDENT authentication method.
The idea is to use client's 'subject' as ident-username key during ident
map lookup.


EXAMPLE.

pg_hba.conf:

hostssl all koug      0/0  ident sslcert
hostssl all dba       0/0  ident sslcert

pg_ident.conf:

sslcert "/C=RU/ST=Tmutarakan/O=Kremlin/CN=Gleb
Kouzmenko/emailAddress=undisclosed@domain.org" koug
sslcert "/C=RU/ST=Tmutarakan/O=Kremlin/CN=Gleb
Kouzmenko/emailAddress=undisclosed@domain.org" dba


Client that have valid certificate with this 'subject' line can make
secure connection
to database server as koug or dba - without having IDENT server on his
computer.


DRAWBACK.

It becomes impossible to use ssl connection and IDENT via TCP/IP
protocol at the same time.
I think it's positive consequence of the method proposed.
It's rather strange to rely on insecure IDENT via TCP/IP for
authentication of secured connection.


SOLUTION.
Only one function src/backend/libpq/hba.c:authident should be modified.
Patch attached has been made for 8.2beta3.
Same modification of authident has been tested against 8.1.5 too.



Gleb Kouzmenko

*** src/backend/libpq/hba.c    2006-11-06 01:42:08.000000000 +0300
--- src/backend/libpq/hba.c    2006-11-16 15:42:29.000000000 +0300
***************
*** 1587,1593 ****
  int
  authident(hbaPort *port)
  {
!     char        ident_user[IDENT_USERNAME_MAX + 1];

      switch (port->raddr.addr.ss_family)
      {
--- 1587,1594 ----
  int
  authident(hbaPort *port)
  {
!     char        buf[IDENT_USERNAME_MAX + 1];
!     char        *ident_user    = buf;

      switch (port->raddr.addr.ss_family)
      {
***************
*** 1595,1608 ****
--- 1596,1625 ----
  #ifdef    HAVE_IPV6
          case AF_INET6:
  #endif
+ #ifdef    USE_SSL
+             if (port->peer != NULL)
+             {
+                 ident_user = port->peer_dn;
+                 ereport(DEBUG2,
+                     (errmsg("Client SSL certificate subject identifies remote user as \"%s\"",
+                         ident_user)));
+                 break;
+             }
+ #endif
              if (!ident_inet(port->raddr, port->laddr, ident_user))
                  return STATUS_ERROR;
+             ereport(DEBUG2,
+                 (errmsg("Ident protocol identifies remote user as \"%s\"",
+                     ident_user)));
              break;

  #ifdef HAVE_UNIX_SOCKETS
          case AF_UNIX:
              if (!ident_unix(port->sock, ident_user))
                  return STATUS_ERROR;
+             ereport(DEBUG2,
+                 (errmsg("Local kernel identifies user as \"%s\"",
+                     ident_user)));
              break;
  #endif

***************
*** 1610,1618 ****
              return STATUS_ERROR;
      }

-     ereport(DEBUG2,
-             (errmsg("Ident protocol identifies remote user as \"%s\"",
-                     ident_user)));

      if (check_ident_usermap(port->auth_arg, port->user_name, ident_user))
          return STATUS_OK;
--- 1627,1632 ----