Re: "Optional ident" authentication

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: "Jeroen T(dot) Vermeulen" <jtv(at)xs4all(dot)nl>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: "Optional ident" authentication
Date: 2006-11-26 16:51:59
Message-ID: 19122.1164559919@sss.pgh.pa.us
Lists: pgsql-hackers
"Jeroen T. Vermeulen" <jtv(at)xs4all(dot)nl> writes:
> Is there a reason other than existing code why HBA should not allow
> "ident" to be combined with other authentication methods?

How about that it's a bad idea?  A combo method seems ideally suited
to security holes, in the form of letting through unintended logins.

> To scratch that itch I've made a patch that adds a new authentication
> method called optident.  It behaves like ident except that it continues
> walking down the HBA configuration on failure.

... and this particular approach would break more installations'
security than I really want to think about.  It's not really a new ident
method, it's a very fundamental change in the semantics of pg_hba.conf.
As an example of how much it would change things, the "reject" auth
option would become a useless no-op.

			regards, tom lane
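
The semantic change discussed in the message above, as an added example that is not part of the original post or of PostgreSQL's code: a simplified model of pg_hba.conf's first-match rule next to the proposed optident fall-through, run over a constructed two-record configuration. The Rule fields, the authenticate and compare helpers, and the sample records and names are assumptions made for illustration.

```python
from collections import namedtuple

# Simplified record: real pg_hba.conf lines also carry connection type and address.
Rule = namedtuple("Rule", "database user method")

def matches(rule, db, user):
    return rule.database in ("all", db) and rule.user in ("all", user)

def authenticate(rules, db, user, ident_ok=False, password_ok=False):
    """Return (allowed, index of the deciding record) for one connection attempt."""
    for i, rule in enumerate(rules):
        if not matches(rule, db, user):
            continue
        if rule.method == "trust":
            return True, i
        if rule.method == "reject":
            return False, i
        if rule.method == "md5":
            return password_ok, i
        if rule.method == "ident":
            return ident_ok, i          # first matching record decides; failure is final
        if rule.method == "optident":   # proposed method, as described in the thread
            if ident_ok:
                return True, i
            continue                    # on failure, keep walking down the file
        raise ValueError("unknown method: " + rule.method)
    return False, None                  # no record matched: connection refused

# Constructed configuration: the admin relies on the first record to guard
# "payroll", and wrote the broad second record with that guard in mind.
WITH_IDENT = [Rule("payroll", "all", "ident"), Rule("all", "all", "trust")]
WITH_OPTIDENT = [Rule("payroll", "all", "optident"), Rule("all", "all", "trust")]

def compare(db, user, ident_ok):
    """Outcome under today's semantics vs. the fall-through variant."""
    return (authenticate(WITH_IDENT, db, user, ident_ok),
            authenticate(WITH_OPTIDENT, db, user, ident_ok))

if __name__ == "__main__":
    for db, user, ok in [("payroll", "mallory", False),
                         ("payroll", "alice", True),
                         ("sales", "bob", False)]:
        print(db, user, "ident_ok=%s" % ok, compare(db, user, ok))
```

When reviewing a real file, the same walk shows which later records become reachable once an earlier record stops being final.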
