On 16 nov 2008, at 01.00, "Alex Hunsaker" <[EMAIL PROTECTED]> wrote:

On Thu, Nov 13, 2008 at 05:31, Magnus Hagander <[EMAIL PROTECTED]> wrote:
Attached patch implements client certificate authentication.

I kept this sitting in my tree without sending it in before the
commitfest because it is entirely dependent on the
not-yet-reviewed-and-applied patch for how to configure client
certificate requesting. But now that I learned how to do it right in
git, breaking it out was very easy :-) Good learning experience.

Anyway. Here it is. Builds on top of the "clientcert option for pg_hba"
patch already on the list.

Patch looks good to me and works as described.

Would cncert be a better auth_method name? As later we might have
different types of ssl client cert authentication??

If/when I'd rather still call it cert, and use an authentication option to control which field is matched against.


My only concern is there is no way to specify the USER_CERT_FILE for
libpq. So if for example I have two users that I want to use cert
authentication for I really have to have two users on the system (or I
guess maybe you could fake HOME=... psql -U other_user). Or am I

While not directly related to this patch, that is a very good point. We have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.



missing a way around this? (granted this might be a non-issue for now
as you can use trust clientcert=1 in pg_hba.conf with your other
patch?)

Yes, you can use that but the use case is extremely limited. It only works if these are the *only* two users with certificates...

-Magnus

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)