Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?

On 25/03/13 15:17, Stephen Frost wrote:
> Tim,
>
> * Tim Watts (tim(dot)j(dot)watts(at)kcl(dot)ac(dot)uk) wrote:
>> I presume the protocol does not allow the server to send a succession of
>> "Type: Authentication request" packets with different Authentication
>> types until it deems that one is acceptable?
>
> Even if it did, existing clients would very likely be confused by it..
>
> To be honest, I don't have a solution in mind for how to make this
> happen, I was really just pointing out that there's a difference between
> "we won't do that because we don't trust the sysadmin" and "that's not
> an option due to how the system works today".

No no - fully understood :)

I appreciate the candid and reasoned arguments :)

I wish I could help - but I more of a sysamdin and less of a developer.

But it is *very* helpful to know that something *is not possible* and
*is likely to not be possible for a long time, if ever*. That allows me
as a humble user of the software to plan deployment :)

> Perhaps one option would
> be to look at the Negotiate protocol which mod_auth_kerb and friends use
> and perhaps have that as an explicitly new auth mechanism. A server set
> up to provide that would, of course, have to consider if its users
> supported it or not but that's true already- you can have situation
> already though, a given client might not support gssapi, for example.

A "negotiate" option would be very cool. I will expect nothing (on the
basis it's free software, I have no rights ;-> ).

Save to say I think Postgresql is very cool already and has been for the
last 12 years I've been using it...

All the best,

Tim

--
Tim Watts Tel (VOIP): +44 (0)1580 848360
Systems Manager Digital Humanities, King's College London

Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog: http://squiddy.blog.dionic.net/

"She got her looks from her father. He's a plastic surgeon."