From: | Aidan Van Dyk <aidan(at)highrise(dot)ca> |
---|---|
To: | Josh Berkus <josh(at)agliodbs(dot)com> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Indent authentication overloading |
Date: | 2010-11-18 18:12:43 |
Message-ID: | AANLkTinuTngHmUHjMhhzLqn5DC+Vn23FfK=HbKJ3N2ak@mail.gmail.com |
Lists: | pgsql-hackers |
On Thu, Nov 18, 2010 at 1:01 PM, Josh Berkus <josh(at)agliodbs(dot)com> wrote:
>
>> We use it. Do you have an alternative that doesn't lower security
>> besides Kerberos? Anti-ident arguments are straw man arguments - "If
>> you set up identd badly or don't trust remote root or your network,
>> ident sucks as an authentication mechanism".
>
> Actually, you're trusting that nobody can add their own machine as a node on
> your network. All someone has to do is plug their Linux laptop into a
> network cable in your office and they have free access to the database.

I think you need to give him a little more credit than that... From
the description he gave, I wouldn't be surprised if the networks he's
using ident on, he's got switch ports locked, limited server access,
etc...

His whole point was that in his locked down network, ident is *better*
than giving everybody "yet another password" they have to manage, have
users not mis-manage, and make sure users don't mis-use...

So, yes, ident is only as secure as the *network and machines* it's
used on. Passwords are only as secure as the users managing them, and
the machines/filesystems containing .pgpass ;-)

a.
--
Aidan Van Dyk Create like a god,
aidan(at)highrise(dot)ca command like a king,
http://www.highrise.ca/ work like a slave.