From: | Tim Watts <tim(dot)j(dot)watts(at)kcl(dot)ac(dot)uk> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org> |
Subject: | Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting? |
Date: | 2013-03-25 14:56:30 |
Message-ID: | 5150659E.8070401@kcl.ac.uk |
Lists: | pgsql-admin |
On 25/03/13 14:31, Tom Lane wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
>> * Tim Watts (tim(dot)j(dot)watts(at)kcl(dot)ac(dot)uk) wrote:
>>> I would have to respectfully take another point of view: that that
>>> particular judgement is probably better placed with the sysadmin
>>> rather than a blanket decision by the devs.
>
>> It's not a blanket decision by any means- the current situation is that
>> such an option doesn't exist. It's not "it exists, but we disabled it
>> because we felt like it."
>
>> Were someone to write the code to support such an option, it's entirely
>> possible it'd get committed (though likely with strong caveats about its
>> use in the documentation).
>
> I'm not sure it would. Allowing a fallback would amount to a protocol
> change, meaning that old clients might fail in strange ways. You'd
> need a lot stronger case than has been made here to justify dealing
> with that.
>
Just had a look at a non-SSL psql connection with wireshark:
The username is offered. Then the server comes back with:

"Type: Authentication request"
"Authentication type: Plaintext password (3)"

So clearly it's not as simple as the client offering what it feels like.

And whilst I assume it might be possible for the server to have a new code for

"Authentication type: GSSAPI with Password-Interactive-Fallback"

that's not going to be implicitly backwardly compatible.

Tricky I agree...

I presume the protocol does not allow the server to send a succession of
"Type: Authentication request" packets with different Authentication
types until it deems that one is acceptable?

BTW - I am not seriously proposing this - just for a bit of idea banter
and better understanding by me. If you've all got better things to do,
ignore me :-o

Cheers,

Tim
--
Tim Watts Tel (VOIP): +44 (0)1580 848360
Systems Manager Digital Humanities, King's College London
Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog: http://squiddy.blog.dionic.net/
"A fanatic is one who can't change his mind and won't change the subject."
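The authentication request seen in the Wireshark capture above can be decoded from the raw server bytes, which makes it easy to check which method a server actually demands. This is an added example, not part of the original message or of PostgreSQL's own code; the function names and the sample bytes are constructed for illustration, and the code table is a subset of the v3 protocol's authentication request codes.

```python
import struct

# Subset of authentication request codes in the PostgreSQL v3 wire protocol.
AUTH_TYPES = {
    0: "AuthenticationOk",
    2: "AuthenticationKerberosV5",
    3: "AuthenticationCleartextPassword",
    5: "AuthenticationMD5Password",
    7: "AuthenticationGSS",
    8: "AuthenticationGSSContinue",
    9: "AuthenticationSSPI",
}

def parse_backend_messages(buf):
    """Split a server byte stream into (type_byte, payload) tuples."""
    msgs, off = [], 0
    while off < len(buf):
        if len(buf) - off < 5:
            raise ValueError("truncated message header")
        mtype = buf[off:off + 1]
        # The int32 length counts itself but not the leading type byte.
        (length,) = struct.unpack_from("!I", buf, off + 1)
        if length < 4 or off + 1 + length > len(buf):
            raise ValueError("bad or truncated message length")
        msgs.append((mtype, buf[off + 5:off + 1 + length]))
        off += 1 + length
    return msgs

def describe_auth(payload):
    """Decode the body of an 'R' (authentication request) message."""
    if len(payload) < 4:
        raise ValueError("authentication request too short")
    (code,) = struct.unpack_from("!I", payload)
    return {
        "code": code,
        "name": AUTH_TYPES.get(code, "unknown"),
        "extra": payload[4:],  # e.g. the 4-byte salt for MD5 (code 5)
        # Only code 3 makes the client send the password itself on the wire.
        "password_sent_in_clear": code == 3,
    }

def auth_sequence(buf):
    """Names of all authentication requests found in a server stream."""
    return [describe_auth(p)["name"] for t, p in parse_backend_messages(buf) if t == b"R"]

# Constructed sample: request for a cleartext password, later AuthenticationOk.
SAMPLE = b"R" + struct.pack("!II", 8, 3) + b"R" + struct.pack("!II", 8, 0)

if __name__ == "__main__":
    print(auth_sequence(SAMPLE))
```

Each request carries exactly one method code chosen by the server, which is why a combined "GSSAPI with password fallback" method would need a code that existing clients do not know.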