Re: Using both ident and password in pg_hba.conf

From: John R Pierce <pierce(at)hogranch(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Using both ident and password in pg_hba.conf
Date: 2016-05-09 21:56:14
Message-ID: 24e11d94-ddb9-9606-8fed-229fce163fe4@hogranch.com
Lists: pgsql-general

On 5/9/2016 2:42 PM, D'Arcy J.M. Cain wrote:
> I had an idea that that wouldn't be so easy else we would have had it
> by now. However, I am not sure that that is what is needed. I was
> thinking of something like this:
>
> host all joe@nobody 192.168.151.75/32 password
> host all all 192.168.151.75/32 ident
>
> The "all@nobody" field is meant to specify that the remote user is
> nobody but that they are connecting as user joe. You would be able to
> use "all" as well. You don't even need to do an ident check unless the
> auth method is "trust" which would be silly anyway. In fact "password"
> is the only method that even makes any sense at all.

over a tcp socket, there's no way of knowing *WHAT* the system user is
short of querying the unreliable service 'authd' (113/tcp) and hoping
that it A) exists and B) returns something meaningful. authd/ident
services can return virtually anything they want to.

when pg_hba.conf is searched, all that's known is the socket type (host
or local), the database name, the requested(!) username, and if it's
'host', the source IP address. this is used to select the desired
authentication method for that combination.

--
john r pierce, recycling bits in santa cruz
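
The lookup described in the message above, as an added example that is not part of the original thread and not PostgreSQL's own code: a simplified first-match model of pg_hba.conf selection in which the only inputs are connection type, database, requested user name and source address. The names `Rule`, `parse_hba` and `select_method` are hypothetical, the sample file is constructed, and only literal names and `all` are handled.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    conn_type: str        # "local" or "host"
    database: str
    user: str             # the *requested* database user, not an OS user
    cidr: Optional[str]   # None for "local" records
    method: str

def parse_hba(text):
    """Parse a simplified pg_hba.conf (literal names and 'all' only)."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            rules.append(Rule("local", fields[1], fields[2], None, fields[3]))
        else:
            rules.append(Rule(*fields[:5]))
    return rules

def select_method(rules, conn_type, database, user, source_ip=None):
    """Return the auth method of the first record matching the known inputs.

    Nothing about the client's operating-system user is available here;
    over TCP the server has not been told it at this point.
    """
    for r in rules:
        if r.conn_type != conn_type:
            continue
        if r.database not in ("all", database):
            continue
        if r.user not in ("all", user):
            continue
        if r.cidr is not None and \
           ipaddress.ip_address(source_ip) not in ipaddress.ip_network(r.cidr):
            continue
        return r.method
    return None  # no record matched: the connection is rejected

# Constructed sample using the address quoted in the thread.
SAMPLE = """
host   all  joe  192.168.151.75/32  password
host   all  all  192.168.151.75/32  ident
local  all  all                     peer
"""
RULES = parse_hba(SAMPLE)
```

Because the first matching record wins, the per-user `password` line has to precede the catch-all `ident` line for the same address.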
