Re: Patch to include PAM support...

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, "Dominic J(dot) Eidson" <sauron(at)the-infinite(dot)org>, pgsql-patches(at)postgresql(dot)org
Subject: Re: Patch to include PAM support...
Date: 2001-06-12 19:07:34
Message-ID: 13156.992372854@sss.pgh.pa.us
Lists: pgsql-hackers, pgsql-patches

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> ... More importantly, though, if the PAM configuration requires
> more than one password (perhaps the password is due to be changed), this
> implementation will fail (to authenticate).

I *think* that the FE protocol will support more than one round of
password challenge, although given the lack of any way for the PAM
module to direct what prompt is given, that is unlikely to work
pleasantly.

The larger issue is how a PAM auth method of unknown characteristics
is going to fit into our existing FE/BE protocol.  It would seem to me
that a protocol extension will be required.  Lying to the frontend about
what is happening is very unlikely to prove workable in the long run.
What if the selected PAM auth method requires the client side to respond
in some special way?

			regards, tom lane
