Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?

From: Tim Watts <tim(dot)j(dot)watts(at)kcl(dot)ac(dot)uk>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?
Date: 2013-03-25 15:30:05
Message-ID: 51506D7D.5090105@kcl.ac.uk
Lists: pgsql-admin

On 25/03/13 15:17, Stephen Frost wrote:
> Tim,
>
> * Tim Watts (tim(dot)j(dot)watts(at)kcl(dot)ac(dot)uk) wrote:
>> I presume the protocol does not allow the server to send a succession of
>> "Type: Authentication request" packets with different Authentication
>> types until it deems that one is acceptable?
>
> Even if it did, existing clients would very likely be confused by it..
>
> To be honest, I don't have a solution in mind for how to make this
> happen, I was really just pointing out that there's a difference between
> "we won't do that because we don't trust the sysadmin" and "that's not
> an option due to how the system works today".

No no - fully understood :)

I appreciate the candid and reasoned arguments :)

I wish I could help - but I'm more of a sysadmin and less of a developer.

But it is *very* helpful to know that something *is not possible* and
*is likely to not be possible for a long time, if ever*. That allows me
as a humble user of the software to plan deployment :)

> Perhaps one option would
> be to look at the Negotiate protocol which mod_auth_kerb and friends use
> and perhaps have that as an explicitly new auth mechanism. A server set
> up to provide that would, of course, have to consider if its users
> supported it or not but that's true already- you can have situation
> already though, a given client might not support gssapi, for example.

A "negotiate" option would be very cool. I will expect nothing (on the
basis it's free software, I have no rights ;-> ).

Safe to say I think Postgresql is very cool already and has been for the
last 12 years I've been using it...

All the best,

Tim

--
Tim Watts Tel (VOIP): +44 (0)1580 848360
Systems Manager Digital Humanities, King's College London

Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog: http://squiddy.blog.dionic.net/

"She got her looks from her father. He's a plastic surgeon."
