From: | "Samuel D(dot) Leslie" <SDL(at)nexiom(dot)net> |
---|---|
To: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Add radiustimeout parameter for RADIUS HBA |
Date: | 2016-10-24 03:03:08 |
Message-ID: | d59ee258f37a4f90a78c2dbf3b4d28a9@nexiom.net |
Lists: | pgsql-hackers |
Hello everyone,
I’d like to submit the attached patch for feedback from the PostgreSQL community and potential future inclusion in the codebase. The patch adds a new parameter to the RADIUS authentication method named “radiustimeout”, allowing the database administrator to configure the timeout in seconds to wait for responses from a configured RADIUS server. Until now, this has been hardcoded to three seconds by the RADIUS_TIMEOUT define in auth.c. While this is usually sufficient for typical RADIUS server configurations, there are some more unusual configurations where a higher timeout is required. Examples include:
- Authenticating against a RADIUS server over a high latency link
- Authenticating against a RADIUS server that is performing additional out-of-band authentication
The latter case is applicable to a server I admin and spurred the development of this patch. We implemented multi-factor authentication for user access to a sensitive database via a RADIUS server implementation which performs the standard username & password verification, and if it succeeds, subsequently performs a second factor of authentication via a configured mobile app. The RADIUS response confirming successful authentication is only returned after both authentication factors have completed. In our deployment, a timeout of 60 seconds seems to work well, but certainly three seconds is not at all workable.
Thanks in advance for any and all feedback.
Kind regards,
-SDL
Attachment | Content-Type | Size |
---|---|---|
radiustimeout.patch | application/octet-stream | 2.9 KB |
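As an added illustration (not code from the attached patch or from auth.c), here is one way a RADIUS client can honour a configurable reply timeout such as the proposed radiustimeout: a single deadline around select(), so that stray datagrams cannot prolong the wait. The name radius_wait_reply and its parameters are hypothetical, and verification of the Response Authenticator is left out.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdint.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <time.h>

#define RADIUS_HDR_LEN 20   /* code, identifier, length (2), authenticator (16) */
/* Hypothetical helper: wait at most timeout_s seconds for a datagram whose
 * RADIUS identifier (header byte 1) equals want_id. Returns the datagram
 * length, 0 on timeout, -1 on socket error. It does not verify the Response
 * Authenticator, which a real client must do before trusting the reply. */
static long radius_wait_reply(int sock, uint8_t want_id, int timeout_s,
                              uint8_t *buf, size_t buflen)
{
    struct timespec now, end;
    clock_gettime(CLOCK_MONOTONIC, &end);
    end.tv_sec += timeout_s;            /* one deadline for the whole wait */
    for (;;)
    {
        struct timeval tv;
        fd_set rfds;
        int64_t ns;
        ssize_t n;
        int r;
        clock_gettime(CLOCK_MONOTONIC, &now);
        ns = (int64_t) (end.tv_sec - now.tv_sec) * 1000000000
            + (end.tv_nsec - now.tv_nsec);
        if (ns <= 0)
            return 0;                   /* deadline reached */
        tv.tv_sec = ns / 1000000000;
        tv.tv_usec = (ns % 1000000000) / 1000;
        FD_ZERO(&rfds);
        FD_SET(sock, &rfds);
        r = select(sock + 1, &rfds, NULL, NULL, &tv);
        if (r < 0 && errno == EINTR)
            continue;                   /* interrupted: recompute remaining time */
        if (r < 0)
            return -1;
        if (r == 0)
            return 0;                   /* nothing arrived in time */
        n = recv(sock, buf, buflen, 0);
        if (n < 0)
            return -1;
        if (n >= RADIUS_HDR_LEN && buf[1] == want_id)
            return (long) n;            /* reply to our request */
        /* Stray or truncated datagram: drop it; the deadline is not reset. */
    }
}
```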