Re: pam auth - add rhost item

On Thu, Oct 15, 2015 at 1:45 AM, Euler Taveira <euler(at)timbira(dot)com(dot)br> wrote:

> On 14-10-2015 17:35, kolo hhmow wrote:
>
>> Yes, but this is very ugly solution, becasue you have to restart
>> postgresql daemon each time you have added a new user.
>>
> >
> Restart != Reload. You can even do it using SQL.
>

Yes, this is was my mistake.

>
> This solution which I propose is give an abbility to dinamicaly manage
>> user accounts without need to restart each time a user account entry has
>> change.
>>
> >
> Why do you want to double restrict the access? We already have HBA. Also,
> you could complicate the management because you need to check two different
> service configurations to figure out why foo user can't log in. I'm not a
> PAM expert but my impression is that rhost is an optional item. Therefore,
> advise PAM users to use HBA is a way to not complicate the actual feature.
>
>
> I have already explained this in my previous post. Did you read this?
So why postgresql give users an abbility to use a pam modules, when in
other side there is advice to not use them?
Anyway.
I do not see any complication with this approach. Just use one
configuration entry in pg_hba.conf, and rest entries in some database
backend of pam module, which is most convenient with lot of entries than
editing pg_hba.conf.
Yes rhost is optional item, which is not actually set to pam information in
ofical source code and this is why I need add this patch.

> --
> Euler Taveira Timbira - http://www.timbira.com.br/
> PostgreSQL: Consultoria, Desenvolvimento, Suporte 24x7 e Treinamento
>