Add support for using SSL client certificates to authenticate to the

database (only for SSL connections, obviously).
2025-07-28 23:42:10 +03:00 · 2008-11-20 11:48:26 +00:00
parent 3c486fbd1c
commit f179d5ea99
6 changed files with 120 additions and 14 deletions
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.111 2008/11/18 13:10:20 petere Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.112 2008/11/20 11:48:26 mha Exp $ -->

 <chapter id="client-authentication">
 <title>Client Authentication</title>
@ -387,6 +387,16 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        </listitem>
       </varlistentry>

+       <varlistentry>
+        <term><literal>cert</></term>
+        <listitem>
+         <para>
+          Authenticate using SSL client certificates. See
+          <xref linkend="auth-cert"> for details.
+         </para>
+        </listitem>
+       </varlistentry>
+
       <varlistentry>
        <term><literal>pam</></term>
        <listitem>
@ -1114,6 +1124,25 @@ ldapserver=ldap.example.net prefix="cn=" suffix="dc=example, dc=net"

  </sect2>

+  <sect2 id="auth-cert">
+   <title>Certificate authentication</title>
+
+   <indexterm zone="auth-cert">
+    <primary>Certificate</primary>
+   </indexterm>
+
+   <para>
+    This authentication method uses SSL client certificates to perform
+    authentication. It is therefore only available for SSL connections.
+    When using this authentication method, the server will require that
+    the client provide a certificate. No password prompt will be sent
+    to the client. The <literal>cn</literal> attribute of the certificate
+    will be matched with the username the user is trying to log in as,
+    and if they match the login will be allowed. Username mapping can be
+    used if the usernames don't match.
+   </para>
+  </sect2>
+
  <sect2 id="auth-pam">
   <title>PAM authentication</title>

--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.421 2008/11/20 09:29:35 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.422 2008/11/20 11:48:26 mha Exp $ -->

 <chapter Id="runtime">
 <title>Operating System Environment</title>
@ -1674,11 +1674,9 @@ $ <userinput>kill -INT `head -1 /usr/local/pgsql/data/postmaster.pid`</userinput
  </para>

  <para>
-   <productname>PostgreSQL</> currently does not support authentication
-   using client certificates, since it cannot differentiate between
-   different users. As long as the user holds any certificate issued
-   by a trusted CA it will be accepted, regardless of what account the
-   user is trying to connect with.
+   You can use the authentication method <literal>cert</> to use the
+   client certificate for authenticating users. See
+   <xref linkend="auth-cert"> for details.
  </para>
  </sect2>