From: | Tim Watts <tim(dot)j(dot)watts(at)kcl(dot)ac(dot)uk> |
---|---|
To: | <pgsql-admin(at)postgresql(dot)org> |
Subject: | Postgresql 8.4 GSSAPI auth with fallback to password prompting? |
Date: | 2013-03-21 12:22:11 |
Message-ID: | 514AFB73.6050300@kcl.ac.uk |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-admin |
Hi,
Pretty sure this has a yes or no answer (and google+postgres docs is
suggesting "no", but I thought it worth asking the experts )...
Is it possible to specify GSSAPI auth (with MIT kerberos as the backend)
but get Postgresql to fallback to prompting for a password if a kerberos
ticket cannot be supplied by the client - eg because the client cannot
do GSSAPI or because the client is not part of the kerberos realm?
A bit like how OpenSSH server can try multiple auth methods
transparantly until one works,
eg GSSAPI->PubKey->Password-interactive->FAIL
Snippet from my pg_hba.conf:
#1# host all +role_users 0/0 gss
#2# host all +role_users 0/0 pam
host all +role_apps 0/0 md5
host all all 0/0 reject
#1# and #2# both work independently when uncommented. "role_users" is
used as a grouping for real user accounts vs application/script accounts
which are in "role_apps" and will always use local Postgresql
authentication.
It would be really nice if the gss method could fallback to asking for a
password or if it were possible to try gss then pam.
Maybe it is but I missed something?
Any answers, even a definitive negative, would be most welcome :)
Cheers!
Tim
--
Tim Watts Tel (VOIP): +44 (0)1580 848360
Systems Manager Digital Humanities, King's College London
Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog: http://squiddy.blog.dionic.net/
http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2013-03-24 18:47:10 | Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting? |
Previous Message | Alvaro Herrera | 2013-03-13 21:26:12 | Re: tables mysteriously truncated |