Re: RADIUS authentication

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: RADIUS authentication
Date: 2010-01-11 03:10:56
Message-ID: 20100111031056.GZ17756@tamriel.snowman.net
Lists: pgsql-hackers

Magnus,

* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> The attached patch implements RADIUS authentication (RFC2865-compatible).

Great! We have a few environments which use RADIUS auth, nice that PG
might be able to use that auth method in the future.

I'm not a fan of having the shared secret stored in a 'regular' config
file. Could you support, or maybe just change it to, breaking that out
into another file? Perhaps something similar to how pam_radius_auth
works, where you can also list multiple servers?

http://freeradius.org/pam_radius_auth/

Would also allow using the same file for multiple RADIUS-based servers.

I know pg_hba.conf can just be set to have minimal permissions (and is
on Debian), but that's the kind of file that tends to end up in things
like subversion repositories or puppet configs where they aren't
treated as carefully since, generally, what's in them doesn't come
across as super-sensitive.

Thanks,

Stephen
