2

Can we configure both Basic authentication and Certificate authentication for PostgreSQL simultaneously for the same IP address of client. I think no , because they are 2 different authentication mechanisms and cannot co-exist at same time... because if we configure for certificate authentication , then it cannot use username password for authentication , but have to use only certificates for authentication.

Please help.

MSTechnie
  • 175
  • 10

2 Answers2

1

Yes, you can specify clientcert in conjunction with any of the authentication methods. so md5 clientcert=verify-full would require both a cert and a password.

verify-full was only introduced in v12. Prior to that, you could only make it check that the cert was validly signed, not that the CN on the cert matched the username being claimed.

jjanes
  • 37,812
  • 5
  • 27
  • 34
  • In PostgreSQL , SSL can be configured at 2 places (1) for the connection (2) Authentication. My question is on this Certificate Authentication and not at connection level. PostgreSQL support multiple authentication methods ..Out of them we have basic authentication , that is username/pwd authentication & Certificate authentication is also an option . This link talks about certificate authentication - https://www.postgresql.org/docs/12/auth-cert.html .So my question is can we have both certificate authentication and basic authentication configured at the same time. i think no.Please clarify – MSTechnie Sep 26 '20 at 07:01
  • I provided a direct answer to your question, yes you can have both, and demonstrated how. What more clarification is needed? – jjanes Sep 26 '20 at 16:40
  • i went through the link you gave on clientcert . It talks about securing the connection with SSL in addition to usrname and password , (which is the (1) point that i referred in my comment earlier ). So at any given time, i think, we cannot have both certificate authentication and username/password authentication... since in certifcate authentication we need not necessarily give username and password – MSTechnie Sep 28 '20 at 05:17
0

I tried myself. In pg_hba.conf file, we can set MD5 authentication for 1 set of IP address and cert for another IP address range. So 1 Postgres server can address 2 different authentication for 2 different IP address

MSTechnie
  • 175
  • 10