Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tim Watts <tim(dot)j(dot)watts(at)kcl(dot)ac(dot)uk>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?
Date: 2013-03-25 15:17:52
Message-ID: 20130325151751.GN4361@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-admin

Tim,

* Tim Watts (tim(dot)j(dot)watts(at)kcl(dot)ac(dot)uk) wrote:
> I presume the protocol does not allow the server to send a succession of
> "Type: Authentication request" packets with different Authentication
> types until it deems that one is acceptable?

Even if it did, existing clients would very likely be confused by it..

To be honest, I don't have a solution in mind for how to make this
happen, I was really just pointing out that there's a difference between
"we won't do that because we don't trust the sysadmin" and "that's not
an option due to how the system works today". Perhaps one option would
be to look at the Negotiate protocol which mod_auth_kerb and friends use
and perhaps have that as an explicitly new auth mechanism. A server set
up to provide that would, of course, have to consider if its users
supported it or not but that's true already- you can have situation
already though, a given client might not support gssapi, for example.

Thanks,

Stephen

In response to

Browse pgsql-admin by date

  From Date Subject
Next Message Tim Watts 2013-03-25 15:30:05 Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?
Previous Message Tim Watts 2013-03-25 14:56:30 Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?