From: | Marisa Emerson <mje(at)insec(dot)sh> |
---|---|
To: | Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com> |
Cc: | "David Steele" <david(at)pgmasters(dot)net>, "Robert Haas" <robertmhaas(at)gmail(dot)com>, "PostgreSQL-development" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Proposal: BSD Authentication support |
Date: | 2016-03-17 13:58:53 |
Message-ID: | 15384df31d8.e1eb1f4a78511.6788448249244038941@insec.sh |
Lists: | pgsql-hackers |
>Our usual wording is "the PostgreSQL user account". Perhaps we should
>be more explicit about the fact that membership of this Unix group is
>needed on *OpenBSD*, since other current or future BSD forks could
>vary. I see that the specific reason this is needed on this OpenBSD
>5.8 box is so that it can fork/exec the setuid login_XXX binaries that
>live under /usr/libexec/auth.
The BSD Authentication framework currently only exists on OpenBSD. I've added some explicit documentation that this mechanism is currently only supported on OpenBSD and I've tried to be a bit more explicit about the auth group as suggested by Peter.
>auth_userokay is called with a type of "pg-auth". I noticed from
>looking at man page and source of some other applications that the
>convention is usually a hardcoded string like "auth-myserver",
>"auth-sockd", "auth-ssh", "auth-doas", "auth-popa3d" etc. So perhaps
>we should have "auth-postgresql" (or "auth-postgres" or "auth-pgsql")
>here? And as Peter E already said, that string should probably be
>documented: it looks a bit like it is useful for allowing the
>available authentication styles to be restricted or defaulted
>specifically for PostgreSQL in login.conf based on that string.
>(Though when I tried to set that up, it seemed to ignore my
>possibly-incorrectly-specified rule asking it to use "reject" so I may
>have misunderstood.)
This is correct, although so far I've only tested using the default login class. The attached patch includes some more explicit documentation about this string.
>The style argument is hard coded as NULL, as I see is the case in some
>other applications. From the man page: "If style is not NULL, it
>specifies the desired style of authentication to be used. If it is
>NULL then the default style for the user is used. In this case, name
>may include the desired style by appending it to the user's name with
>a single colon (‘:’) as a separator." I wonder if such
>user-controllable styles are OK (though I guess would require username
>mapping to strip them off if we do want that as a feature). I wonder
>if it should be possible to provide the style argument that we pass to
>auth_userokay explicitly in pg_hba.conf, so that the DBA could
>explicitly say BSD auth with style=radius.
I've so far only tested passwd authentication. I'd be interested to test some of the other authentication styles; I think this would be a useful feature.
Attachment | Content-Type | Size |
---|---|---|
bsd_auth.patch | application/octet-stream | 10.1 KB |
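The exchange above raises a concrete risk with passing `style = NULL` to `auth_userokay()`: the client can then pick its own authentication style by sending `user:style` as the name. The following is an added example, not code from the attached patch or from PostgreSQL, showing a server-side check that splits the name the way the library would and refuses any client-supplied style, letting only a DBA-configured style (here a hypothetical `cfg_style` value standing in for a `pg_hba.conf` option) reach the library call. The real `auth_userokay()` call is compiled only on OpenBSD, since the framework exists nowhere else; the type string `auth-postgresql` is the name suggested in the thread, not something the patch fixes.

```c
/* Added example: enforce a server-side BSD Authentication style policy
 * before calling auth_userokay(). Not part of the patch under discussion. */
#include <stdio.h>
#include <string.h>

#ifdef __OpenBSD__
#include <sys/types.h>
#include <login_cap.h>
#include <bsd_auth.h>
#endif

/* Outcome of the policy check. */
enum bsdauth_policy {
    BSDAUTH_OK = 0,              /* safe to call auth_userokay() */
    BSDAUTH_REJECT_CLIENT_STYLE, /* name carried a ":style" suffix chosen by the client */
    BSDAUTH_REJECT_BAD_NAME      /* empty or otherwise unusable user name */
};

/* Split "user:style" exactly as auth_userokay() does when style == NULL.
 * Copies the user part into `user` (usersz bytes) and returns a pointer to
 * the style suffix, or NULL when the name has no colon. */
static const char *bsdauth_split_name(const char *name, char *user, size_t usersz)
{
    const char *colon = strchr(name, ':');
    size_t ulen = colon ? (size_t)(colon - name) : strlen(name);

    if (ulen >= usersz)
        ulen = usersz - 1;
    memcpy(user, name, ulen);
    user[ulen] = '\0';
    return colon ? colon + 1 : NULL;
}

/* Decide whether a client-supplied name may proceed and which style to use.
 * cfg_style is the DBA-configured style (hypothetical pg_hba.conf option) or
 * NULL for "the user's default style". On BSDAUTH_OK, *effective_style is set
 * to the value that should be handed to auth_userokay(). */
enum bsdauth_policy bsdauth_check(const char *name, const char *cfg_style,
                                  char *user, size_t usersz,
                                  const char **effective_style)
{
    const char *client_style = bsdauth_split_name(name, user, usersz);

    if (user[0] == '\0')
        return BSDAUTH_REJECT_BAD_NAME;
    /* The client never gets to choose the style: a suffix is rejected
     * whether or not a style is configured on the server side. */
    if (client_style != NULL)
        return BSDAUTH_REJECT_CLIENT_STYLE;
    *effective_style = cfg_style;   /* NULL -> user's default style in login.conf */
    return BSDAUTH_OK;
}

/* Run the policy check, then authenticate. Returns 1 on success, 0 on
 * failure, and -1 on platforms without BSD Authentication. */
int bsdauth_authenticate(const char *name, const char *cfg_style, const char *password)
{
    char user[64];
    const char *style = NULL;

    if (bsdauth_check(name, cfg_style, user, sizeof user, &style) != BSDAUTH_OK)
        return 0;

#ifdef __OpenBSD__
    {
        /* auth_userokay() takes writable strings, so hand it private copies. */
        char type[] = "auth-postgresql";   /* type string suggested in the thread */
        char stylebuf[32];
        char pw[256];
        char *stylep = NULL;

        if (style != NULL) {
            strlcpy(stylebuf, style, sizeof stylebuf);
            stylep = stylebuf;
        }
        strlcpy(pw, password, sizeof pw);
        return auth_userokay(user, stylep, type, pw) ? 1 : 0;
    }
#else
    (void)password;
    (void)style;
    return -1;  /* the framework only exists on OpenBSD */
#endif
}

int main(void)
{
    /* Constructed sample names: a plain user and one trying to pick "radius". */
    const char *samples[] = { "alice", "alice:radius", "" };
    char user[64];
    const char *style = NULL;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> policy %d\n", samples[i],
               bsdauth_check(samples[i], "passwd", user, sizeof user, &style));
    return 0;
}
```

The check runs before any library call, so on OpenBSD a rejected name never reaches `/usr/libexec/auth/login_*` at all; on other platforms the function simply reports that the mechanism is unavailable, which is what the patch's documentation note about OpenBSD-only support implies.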