Discussion: Question about cert authentication method.


Question about cert authentication method.

From
Dhirendra Singh
Date:
Hi All,

I have a question about the cert authentication method. I am using Postgres version 14.

Following is the entry I have in the pg_hba file.
hostssl  all  all  0.0.0.0/0   cert map=mymap

Following is the entry in the pg_ident file.
mymap  test  readonly

Trying to connect to the server using psql. The CN in the certificate is "test (S114546)".
psql "host=localhost user='test (S114546)' dbname=appdb sslmode=verify-full sslcert=certificate.crt sslkey=certificate.key sslrootcert=cacerts"

No mapping exists for "test (S114547)" in the pg_ident file.

The connection failed with the following error.
psql: error: connection to server at "localhost", port 5432 failed: FATAL:  certificate authentication failed for user "test (S114546)"

The error in the server log is...
2022-11-25 09:26:52.169 UTC [62] LOG: no match in usermap "mymap" for user "test (S114546)" authenticated as "test (S114546)"
2022-11-25 09:26:52.169 UTC [62] FATAL: certificate authentication failed for user "test (S114546)"
2022-11-25 09:26:52.169 UTC [62] DETAIL: Connection matched pg_hba.conf line 4: "hostssl all all 0.0.0.0/0 cert map=mymap"

I am expecting the connection to fail because user "test (S114546)" does not exist, but I am confused about the error message in the server log.
It says certificate authentication failed for user "test (S114546)", but the CN in the certificate matches the user name in the psql connection request.
So certificate authentication should pass. It should fail afterwards.

Re: Question about cert authentication method.

From
Laurenz Albe
Date:
On Fri, 2022-11-25 at 15:36 +0530, Dhirendra Singh wrote:
> I have a question about the cert authentication method. I am using Postgres version 14.
> 
> Following is the entry I have in the pg_hba file.
> hostssl  all  all  0.0.0.0/0   cert map=mymap
> 
> Following is the entry in the pg_ident file.
> mymap  test  readonly
> 
> Trying to connect to the server using psql. The CN in the certificate is "test (S114546)".
> psql "host=localhost user='test (S114546)' dbname=appdb sslmode=verify-full sslcert=certificate.crt sslkey=certificate.key sslrootcert=cacerts"
> 
> No mapping exists for "test (S114547)" in the pg_ident file.
> 
> The connection failed with the following error.
> psql: error: connection to server at "localhost", port 5432 failed: FATAL:  certificate authentication failed for user "test (S114546)"
> 
> The error in the server log is...
> 2022-11-25 09:26:52.169 UTC [62] LOG: no match in usermap "mymap" for user "test (S114546)" authenticated as "test (S114546)"
> 2022-11-25 09:26:52.169 UTC [62] FATAL: certificate authentication failed for user "test (S114546)"
> 2022-11-25 09:26:52.169 UTC [62] DETAIL: Connection matched pg_hba.conf line 4: "hostssl all all 0.0.0.0/0 cert map=mymap"
> 
> I am expecting the connection to fail because user "test (S114546)" does not exist, but I am confused about the error message in the server log.
> It says certificate authentication failed for user "test (S114546)", but the CN in the certificate matches the user name in the psql connection request.
> So certificate authentication should pass. It should fail afterwards.

Well, "test" is different from "test (S114546)", so what do you expect?

You should use a regular expression in "pg_ident.conf" if you want that to match:

  mymap  /^test  readonly

Yours,
Laurenz Albe,



Re: Question about cert authentication method.

From
Tom Lane
Date:
Laurenz Albe <laurenz.albe@cybertec.at> writes:
> On Fri, 2022-11-25 at 15:36 +0530, Dhirendra Singh wrote:
>> I am expecting the connection to fail because user "test (S114546)" does not exist, but I am confused about the error message in the server log.
>> It says certificate authentication failed for user "test (S114546)", but the CN in the certificate matches the user name in the psql connection request.
>> So certificate authentication should pass. It should fail afterwards.

> Well, "test" is different from "test (S114546)", so what do you expect?

I think the OP is complaining about the message contents, not the
fact of the failure.  However, it's intentional that the message sent
to the client is vague about the exact cause of an authentication
failure.  Otherwise we might be giving aid to a blackhat trying to
break into the server.  The postmaster log is supposed to be more
specific, and it looks to me like what's in the log is accurate.

            regards, tom lane



Re: Question about cert authentication method.

From
Dhirendra Singh
Date:
Yes. My question is about the log message.
The log message in the postmaster says... FATAL: certificate authentication failed for user "test (S114546)"
But certificate authentication should pass because the supplied user in the connection request and the CN in the certificate are the same.
It should fail afterwards with the message that user "test (S114546)" does not exist.


Thanks,
Dhirendra.

On Fri, Nov 25, 2022 at 9:18 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Laurenz Albe <laurenz.albe@cybertec.at> writes:
>> On Fri, 2022-11-25 at 15:36 +0530, Dhirendra Singh wrote:
>>> I am expecting the connection to fail because user "test (S114546)" does not exist, but I am confused about the error message in the server log.
>>> It says certificate authentication failed for user "test (S114546)", but the CN in the certificate matches the user name in the psql connection request.
>>> So certificate authentication should pass. It should fail afterwards.
>
>> Well, "test" is different from "test (S114546)", so what do you expect?
>
> I think the OP is complaining about the message contents, not the
> fact of the failure.  However, it's intentional that the message sent
> to the client is vague about the exact cause of an authentication
> failure.  Otherwise we might be giving aid to a blackhat trying to
> break into the server.  The postmaster log is supposed to be more
> specific, and it looks to me like what's in the log is accurate.
>
>                         regards, tom lane

Re: Question about cert authentication method.

From
Holger Jakobs
Date:
A non-existent user cannot be authenticated.

On 27 November 2022 06:49:49 CET, Dhirendra Singh <dhirendraks@gmail.com> wrote:
> Yes. My question is about the log message.
> The log message in the postmaster says... FATAL: certificate authentication failed for user "test (S114546)"
> But certificate authentication should pass because the supplied user in the connection request and the CN in the certificate are the same.
> It should fail afterwards with the message that user "test (S114546)" does not exist.
>
>
> Thanks,
> Dhirendra.
>
> On Fri, Nov 25, 2022 at 9:18 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Laurenz Albe <laurenz.albe@cybertec.at> writes:
>>> On Fri, 2022-11-25 at 15:36 +0530, Dhirendra Singh wrote:
>>>> I am expecting the connection to fail because user "test (S114546)" does not exist, but I am confused about the error message in the server log.
>>>> It says certificate authentication failed for user "test (S114546)", but the CN in the certificate matches the user name in the psql connection request.
>>>> So certificate authentication should pass. It should fail afterwards.
>>
>>> Well, "test" is different from "test (S114546)", so what do you expect?
>>
>> I think the OP is complaining about the message contents, not the
>> fact of the failure.  However, it's intentional that the message sent
>> to the client is vague about the exact cause of an authentication
>> failure.  Otherwise we might be giving aid to a blackhat trying to
>> break into the server.  The postmaster log is supposed to be more
>> specific, and it looks to me like what's in the log is accurate.
>>
>>                         regards, tom lane

Re: Question about cert authentication method.

From
Jeff Janes
Date:
On Sun, Nov 27, 2022 at 12:50 AM Dhirendra Singh <dhirendraks@gmail.com> wrote:
> Yes. My question is about the log message.
> The log message in the postmaster says... FATAL: certificate authentication failed for user "test (S114546)"
> But certificate authentication should pass because the supplied user in the connection request and the CN in the certificate are the same.

"certificate authentication" is the name for the overall process, and that overall process did fail.  The specific reason for the failure is given in the server log (but intentionally not passed to the client): 'no match in usermap "mymap"'.

> It should fail afterwards with the message that user "test (S114546)" does not exist.

It can't get far enough to fail for that reason, because the usermap failure squashes it first.  If you add a mapping for that non-existent user (or just stop using a map) then you will get an error about the user not existing.

Cheers,

Jeff
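The usermap and role checks that Laurenz Albe's regex suggestion and Jeff Janes's reply describe, replayed as an added Python example (this is not PostgreSQL's own code and not from anyone in the thread): it reads pg_ident lines the way the server does (a system-user field beginning with `/` is a regular expression searched against the certificate CN, and `\1` in the role field takes the first capture group), then runs the OP's line, the suggested `/^test` line, and an assumed third line that maps the CN to a role of the same name. The role set and that third line are assumptions; the point shown is that a usermap miss surfaces as "certificate authentication failed" and the "role does not exist" error can only appear once the map matches.

```python
import re

# Constructed inputs (not the OP's actual files): the two pg_ident lines from the thread
# plus a third, \1-based line added here to reach the stage after the usermap check.
PG_IDENT_LITERAL = "mymap  test  readonly\n"     # the OP's line
PG_IDENT_REGEX = "mymap  /^test  readonly\n"     # Laurenz Albe's suggestion
PG_IDENT_SELF = "mymap  /^(.*)$  \\1\n"          # maps the whole CN to a role of the same name
EXISTING_ROLES = {"readonly"}                    # assumed: the only role in this toy cluster
CN = "test (S114546)"                            # CN from the client certificate in the thread

def parse_pg_ident(text):
    """Parse pg_ident.conf into (map_name, system_user, pg_role) tuples; comments/blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            if len(fields) != 3:
                raise ValueError(f"malformed pg_ident line: {raw!r}")
            entries.append(tuple(fields))
    return entries

def usermap_allows(entries, map_name, system_user, pg_role):
    """True if a line of map_name lets system_user (the cert CN) log in as pg_role. A '/'-prefixed
    system-user field is a regex searched against the CN; \\1 in the role field takes its first group."""
    for name, sys_field, role_field in entries:
        if name != map_name:
            continue
        if sys_field.startswith("/"):
            m = re.search(sys_field[1:], system_user)
            if m is None:
                continue
            if "\\1" in role_field:
                if m.lastindex is None:
                    raise ValueError(f"regex {sys_field!r} has no capture group for \\1")
                role_field = role_field.replace("\\1", m.group(1))
            if role_field == pg_role:
                return True
        elif sys_field == system_user and role_field == pg_role:
            return True
    return False

def connect(pg_ident_text, requested_role, cn=CN):
    """Replay the two stages the thread discusses: the usermap check is part of certificate
    authentication and fails with that message; the role lookup only runs once auth has passed."""
    if not usermap_allows(parse_pg_ident(pg_ident_text), "mymap", cn, requested_role):
        return f'FATAL: certificate authentication failed for user "{requested_role}"'
    if requested_role not in EXISTING_ROLES:
        return f'FATAL: role "{requested_role}" does not exist'
    return f"connected as {requested_role}"
```

With the `/^test` line the CN is accepted only for `user=readonly`; connecting as `test (S114546)` still fails inside authentication, which is why the OP never reached the role-existence error.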