pgwire/hba: support pg's clientcert methodoption #45953

Open
knz opened this issue Mar 10, 2020 · 6 comments
Labels

  • A-authentication: Pertains to authn subsystems
  • A-cc-enablement: Pertains to current CC production issues or short-term projects
  • A-security
  • A-sql-pgwire: pgwire protocol issues.
  • C-enhancement: Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
  • T-sql-foundations: SQL Foundations Team (formerly SQL Schema + SQL Sessions)

Comments

@knz
Contributor

knz commented Mar 10, 2020

PostgreSQL supports both:

  • cert as a standalone auth method (currently supported in CockroachDB)
  • the method option clientcert which can be added to any other method:

https://www.postgresql.org/docs/12/ssl-tcp.html#SSL-CLIENT-CERTIFICATES

add the authentication option clientcert=verify-ca or clientcert=verify-full to the appropriate hostssl line(s) in pg_hba.conf. A certificate will then be requested from the client during SSL connection startup.
For a hostssl entry with clientcert=verify-ca, the server will verify that the client's certificate is signed by one of the trusted certificate authorities. If clientcert=verify-full is specified, the server will not only verify the certificate chain, but it will also check whether the username or its mapping matches the cn (Common Name) of the provided certificate.
Note that certificate chain validation is always ensured when the cert authentication method is used (see Section 20.12).

Jira issue: CRDB-5113

@knz knz added C-enhancement Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception) A-sql-pgwire pgwire protocol issues. A-security labels Mar 10, 2020
@knz knz added this to To do in DB Server & Security via automation Mar 10, 2020
@knz
Contributor Author

knz commented Mar 10, 2020

cc @aaron-crl maybe you have an opinion about alternate approaches to 2FA?

@aaron-crl

Depending on implementation this might be a stretch for actual 2FA. The cert would have to live in a sealed hardware token otherwise it's virtually analogous to another password (and not 2FA).

Setting the above aside. I don't see harm coming from users configuring both.

However, if we wanted support for a more standard and industry accepted 2FA solution, I would recommend looking at something like TOTP (https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) since we already have a very good time signal across CRDB nodes.

@knz
Contributor Author

knz commented Mar 11, 2020

@mattcrdb see aaron's comment above. Can you figure out what the user is planning to do with their certificate management to ensure that certs are not just another form of password? Would they be interested in TOTP support?

@mattcrdb

Sure, I'll follow up with the customer. Apologies for the delay here.

@knz knz changed the title from "pgwire/hba: provide a new auth method that requires BOTH valid password and cert" to "pgwire/hba: support pg's clientcert methodoption" Apr 17, 2020
@knz
Contributor Author

knz commented Apr 17, 2020

I found out that this feature is already supported by postgres, and could be added to crdb at little cost.

Updated the top level issue description accordingly.

@knz knz moved this from To do to Linked issues in DB Server & Security Apr 17, 2020
@jlinder jlinder added the T-server-and-security DB Server & Security label Jun 16, 2021
@knz knz added A-authentication Pertains to authn subsystems A-cc-enablement Pertains to current CC production issues or short-term projects labels Jul 29, 2021
@github-actions

We have marked this issue as stale because it has been inactive for
18 months. If this issue is still relevant, removing the stale label
or adding a comment will keep it active. Otherwise, we'll close it in
10 days to keep the issue queue tidy. Thank you for your contribution
to CockroachDB!

@knz knz added T-sql-foundations SQL Foundations Team (formerly SQL Schema + SQL Sessions) and removed T-server-and-security DB Server & Security no-issue-activity X-server-triaged-202105 labels Sep 14, 2023
@blathers-crl blathers-crl bot added this to Triage in SQL Foundations Sep 14, 2023