From: | Tomas Vondra <tomas(dot)vondra(at)2ndquadrant(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: pam auth - add rhost item |
Date: | 2015-12-15 17:53:02 |
Message-ID: | 5670537E.2090308@2ndquadrant.com |
Lists: | pgsql-hackers |

Actually, one more thing - the patch should probably update the docs
too, because client-auth.sgml currently says this in the "auth-pam" section:

    <para>
    ...
    PAM is used only to validate user name/password pairs.
    ...
    </para>

I believe that's no longer true, because the patch adds PAM_RHOST to the
user/password fields.

Regarding the other PAM_* fields, none of them strikes me as very useful
for our use case.

In a broader sense, I think this patch is quite desirable, despite being
rather simple (which is good). I certainly don't agree with suggestions
that we can already do things like this through pg_hba.conf. If we're
providing PAM authentication, let's make it as complete/useful as
possible. In some cases modifying PAM may not be feasible - e.g. some
management systems rely on PAM as much as possible, and doing changes in
other ways is a major hassle.

regards

--
Tomas Vondra http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services