From: | Josh Berkus <josh(at)agliodbs(dot)com> |
---|---|
To: | Craig Ringer <craig(at)2ndquadrant(dot)com>, Andres Freund <andres(at)2ndquadrant(dot)com>, Noah Misch <noah(at)leadboat(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
Subject: | Re: Allow peer/ident to fall back to md5? |
Date: | 2014-10-29 16:23:42 |
Message-ID: | 5451148E.4040502@agliodbs.com |
Lists: | pgsql-hackers

On 10/29/2014 02:52 AM, Craig Ringer wrote:
> On 10/29/2014 05:46 PM, Andres Freund wrote:
>> I like this one. But then I perhaps edited too many pam configuration
>> files.
>
> It seems good to me too. I haven't looked at how viable it is in
> implementation terms.
>
> I think we could only properly support 'continue' on peer/ident in the
> v3 protocol. With other protos we need to negotiate with the client
> before we determine that we can't authenticate them and we send them an
> auth failed message.
>
> I guess we could just send a different auth request to the client
> instead of an auth failed message, but it might confuse clients that
> aren't expecting it, and it'd make it harder to report the original auth
> failure if we carry on to try something else.
>
> The advantage of doing it for peer/ident is that there's no conversation
> with the client required, so the client never needs to know that we
> considered peer/ident before falling back to something else.
I don't see a problem with having a "continue" directive, and
documenting that it only works with peer and ident. Maybe someday
(protocol bump) we can have a way to make other methods continue, and
then nobody will need to change their files to support the new way.
--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com