From: | "Oliver Elphick" <olly(at)lfix(dot)co(dot)uk> |
---|---|
To: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, "J(dot)H(dot)M(dot) Dassen (Ray)" <jdassen(at)cistron-office(dot)nl>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Re: Debian's PostgreSQL packages |
Date: | 2001-07-12 02:37:43 |
Message-ID: | 200107120237.f6C2bhcU002713@linda.lfix.co.uk |
Lists: | pgsql-general pgsql-hackers |
Bruce Momjian wrote:
>> > I think our current idea is to have people run local ident servers to
>> > handle this. We don't have any OS-specific stuff in pg_hba.conf and I
>> > am not sure if we want to add that complexity. What do others think?
>>
>> This is not any less "specific" than SSL or Kerberos. Note that opening a
>> TCP/IP socket already opens a theoretical hole to the world. Unix domain
>> is much safer.
>
>You can install SSL/Kerberos on any Unix, and many come pre-installed.
>You can't add unix-domain socket user authentication to any OS.
>
>I assume most OS's have 127.0.0.1 set as loopback so there shouldn't be
>a hole:
>
>127 127.0.0.1 UGRS 4352 lo0
>127.0.0.1 127.0.0.1 UH 4352 lo0
>
>However, the security issue may make it worthwhile. Which OS's support
>user authentication again, and can we test via configure? Maybe we can
>strip out the mention in the pg_hba.conf file if it is not supported on
>that OS.

The security issue is why I developed it. There were complaints from people
who did not want to have identd running at all.

I think the feature is available in Linux, Solaris and some BSD. It can be
tested for by whether SO_PEERCRED is defined in sys/socket.h.

I don't see the need to strip mention from the comments in pg_hba.conf. The
situation is no different from those systems which do not have Kerberos or
SSL available.

--
Oliver Elphick Oliver(dot)Elphick(at)lfix(dot)co(dot)uk
Isle of Wight http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"I waited patiently for the LORD; and he inclined unto
me, and heard my cry. He brought me up also out of an
horrible pit, out of the miry clay, and set my feet
upon a rock, and established my goings. And he hath
put a new song in my mouth, even praise unto our God.
Many shall see it, and fear, and shall trust in the
LORD." Psalms 40:1-3