Re: Patch to include PAM support...

From: "Dominic J(dot) Eidson" <sauron(at)the-infinite(dot)org>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, pgsql-patches(at)postgresql(dot)org
Subject: Re: Patch to include PAM support...
Date: 2001-06-12 17:29:04
Message-ID: Pine.LNX.4.21.0106121221010.6822-100000@morannon.the-infinite.org
Lists: pgsql-hackers pgsql-patches

On Tue, 12 Jun 2001, Peter Eisentraut wrote:

> Bruce Momjian writes:
> > OK, care to give a thumbs up on the patch?
> >
> > http://candle.pha.pa.us/cgi-bin/pgpatches
>
> From static inspection I have some doubts about whether this patch would
> operate correctly. The way it is implemented is that if the backend is
> instructed to use PAM authentication it pretends to the frontend that
> password authentication is going on. This would probably work correctly

Correct - this was to save code duplication - since the frontend steps for
password authentication are the same, whether you're authenticating to
global/pg_pwd, or handing off the username/password processing to PAM.

> if your PAM setup is that you require exactly one password from the user.
> But if the PAM setup does not require a password (Kerberos, rhosts
> modules?) it would involve a useless exchange (and possibly prompt) for a

This works fine - if it doesn't require a password, it won't get to the
"password prompt" step inside the conversation function, and ends up just
returning "success".

> password. More importantly, though, if the PAM configuration requires
> more than one password (perhaps the password is due to be changed), this
> implementation will fail (to authenticate).

Typical use of a database is from a non-interactive interface (script,
application, et al), where you aren't given the ability to enter a second
password in the first place. Granted, this could be implemented - but my
goal was to emulate the existing libpq authentication process (which only
allows for the transmission of one password for all (the one?) of the
existing authentication methods that utilize passwords).

In all of the other remote authentication pieces that I have worked
with/used (radius, tacacs, etc) - if your password needs to be changed
and/or has expired - your authentication just fails.

> Dominic, any comments?

--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
