作者
digoal
日期
2021-03-30
标签
PostgreSQL , RFC2253 , ssl , dn , cn
背景
PostgreSQL 数据库服务器可以防客户端伪装, 其中cert和verify-full都需要校验客户端连接的数据库username是否和客户端证书中的CN value是否匹配.
PostgreSQL 14 新增 clientname =CN或DN 的 auth-options 配置. 通常clientname = DN 可以 结合username mapping使用.
《PostgreSQL openssl - multi cn 给SSL证书绑定多个CN hostname - 公网 HOSTNAME + 私网 HSOTNAME》
《[珍藏级] PostgreSQL ssl 证书配置 - 防止中间攻击者 - 以及如何使用证书无密码登录配置cert》
https://www.postgresql.org/docs/devel/ssl-tcp.html
https://www.postgresql.org/docs/devel/auth-pg-hba-conf.html
https://tools.ietf.org/html/rfc2253
```
hostssl database user address auth-method [auth-options]
hostssl all all 0.0.0.0/0 cert # 如果不配置clientname则默认clientname=CN
hostssl all all 0.0.0.0/0 clientcert=verify-full # 如果不配置clientname则默认clientname=CN
hostssl all all 0.0.0.0/0 cert clientname=CN
hostssl all all 0.0.0.0/0 cert clientname=DN
hostssl all all 0.0.0.0/0 clientcert=verify-full clientname=CN
hostssl all all 0.0.0.0/0 clientcert=verify-full clientname=DN
```
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=6d7a6feac48b1970c4cd127ee65d4c487acbb5e9
```
Allow matching the DN of a client certificate for authentication
author Andrew Dunstan andrew@dunslane.net
Mon, 29 Mar 2021 19:31:22 +0000 (15:31 -0400)
committer Andrew Dunstan andrew@dunslane.net
Mon, 29 Mar 2021 19:49:39 +0000 (15:49 -0400)
commit 6d7a6feac48b1970c4cd127ee65d4c487acbb5e9
tree 8728162431269b3ae654eddb1d3a8e1c99972ec3 tree
parent efcc7572f532ea564fedc6359c2df43045ee7908 commit | diff
Allow matching the DN of a client certificate for authentication
Currently we only recognize the Common Name (CN) of a certificate's
subject to be matched against the user name. Thus certificates with
subjects '/OU=eng/CN=fred' and '/OU=sales/CN=fred' will have the same
connection rights. This patch provides an option to match the whole
Distinguished Name (DN) instead of just the CN. On any hba line using
client certificate identity, there is an option 'clientname' which can
have values of 'DN' or 'CN'. The default is 'CN', the current procedure.
The DN is matched against the RFC2253 formatted DN, which looks like
'CN=fred,OU=eng'.
This facility of probably best used in conjunction with an ident map.
Discussion: https://postgr.es/m/92e70110-9273-d93c-5913-0bccb6562740@dunslane.net
Reviewed-By: Michael Paquier, Daniel Gustafsson, Jacob Champion
```
相关文档
https://www.postgresql.org/docs/devel/auth-pg-hba-conf.html
auth-options
After the auth-method field, there can be field(s) of the form name=value that specify options for the authentication method. Details about which options are available for which authentication methods appear below.
In addition to the method-specific options listed below, there is a method-independent authentication option clientcert, which can be specified in any hostssl record. This option can be set to verify-ca or verify-full. Both options require the client to present a valid (trusted) SSL certificate, while verify-full additionally enforces that the cn (Common Name) in the certificate matches the username or an applicable mapping. This behavior is similar to the cert authentication method (see Section 21.12) but enables pairing the verification of client certificates with any authentication method that supports hostssl entries.
On any record using client certificate authentication (i.e. one using the cert authentication method or one using the clientcert option), you can specify which part of the client certificate credentials to match using the clientname option. This option can have one of two values. If you specify clientname=CN, which is the default, the username is matched against the certificate's Common Name (CN). If instead you specify clientname=DN the username is matched against the entire Distinguished Name (DN) of the certificate. This option is probably best used in conjunction with a username map. The comparison is done with the DN in RFC 2253 format. To see the DN of a client certificate in this format, do
openssl x509 -in myclient.crt -noout --subject -nameopt RFC2253 | sed "s/^subject=//"
Care needs to be taken when using this option, especially when using regular expression matching against the DN.
PostgreSQL 许愿链接
您的愿望将传达给PG kernel hacker、数据库厂商等, 帮助提高数据库产品质量和功能, 说不定下一个PG版本就有您提出的功能点. 针对非常好的提议,奖励限量版PG文化衫、纪念品、贴纸、PG热门书籍等,奖品丰富,快来许愿。开不开森.
9.9元购买3个月阿里云RDS PostgreSQL实例
PostgreSQL 解决方案集合
德哥 / digoal's github - 公益是一辈子的事.
