Postgresql 8.4 GSSAPI auth with fallback to password prompting?

From: Tim Watts <tim(dot)j(dot)watts(at)kcl(dot)ac(dot)uk>
To: <pgsql-admin(at)postgresql(dot)org>
Subject: Postgresql 8.4 GSSAPI auth with fallback to password prompting?
Date: 2013-03-21 12:22:11
Message-ID: 514AFB73.6050300@kcl.ac.uk
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-admin

Hi,

Pretty sure this has a yes or no answer (and google+postgres docs is
suggesting "no", but I thought it worth asking the experts )...

Is it possible to specify GSSAPI auth (with MIT kerberos as the backend)
but get Postgresql to fallback to prompting for a password if a kerberos
ticket cannot be supplied by the client - eg because the client cannot
do GSSAPI or because the client is not part of the kerberos realm?

A bit like how OpenSSH server can try multiple auth methods
transparantly until one works,

eg GSSAPI->PubKey->Password-interactive->FAIL

Snippet from my pg_hba.conf:

#1# host all +role_users 0/0 gss
#2# host all +role_users 0/0 pam
host all +role_apps 0/0 md5
host all all 0/0 reject

#1# and #2# both work independently when uncommented. "role_users" is
used as a grouping for real user accounts vs application/script accounts
which are in "role_apps" and will always use local Postgresql
authentication.

It would be really nice if the gss method could fallback to asking for a
password or if it were possible to try gss then pam.

Maybe it is but I missed something?

Any answers, even a definitive negative, would be most welcome :)

Cheers!

Tim

--
Tim Watts Tel (VOIP): +44 (0)1580 848360
Systems Manager Digital Humanities, King's College London

Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog: http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage

Responses

Browse pgsql-admin by date

  From Date Subject
Next Message Stephen Frost 2013-03-24 18:47:10 Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?
Previous Message Alvaro Herrera 2013-03-13 21:26:12 Re: tables mysteriously truncated