ident auth vs. encrypting ident daemons

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: pgsql-hackers(at)postgreSQL(dot)org, pgsqlrpms-hackers(at)pgfoundry(dot)org
Subject: ident auth vs. encrypting ident daemons
Date: 2006-06-15 20:29:06
Message-ID: 747.1150403346@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Currently, the Red Hat and (I believe) PGDG RPMs set up ident
authentication as the default, by running initdb with
--auth='ident sameuser'
I think several other binary distros do the same. It was pointed out to
me recently that this does not work real well anymore on Fedora. It's
fine on Unix-socket connections but fails entirely on localhost TCP,
because (1) the TCP ident daemon isn't started by default (even assuming
you installed it), and (2) if it is running, the default arguments for
it include "-E" which causes it to return an encrypted version of the
username. So authentication will always fail.

In the modern net it's kind of hard to tell people to run identd servers
without -E, so I'm thinking that this default is becoming more and more
useless. IMHO there are a couple of things we ought to do about it:

* initdb has to abandon the one-size-fits-all approach to auth methods;
we need to be able to specify different auth methods for unix-socket and
TCP. (Of course, the RPMs could just hack in the right thing with sed,
but then why are we bothering to support an --auth argument at all?)

* I'm inclined to make the Red Hat RPMs default to ident on socket and
md5 on localhost ... any comments about that?

* We ought to think about ways to cope with encrypted ident daemons.
Assuming that a given daemon always reports the same encrypted string
for a given username, ISTM it ought to be possible for a DBA to set up
an ident mapping file that would allow ident-encrypted authentication to
work. You'd likely need a separate mapping file per client host because
the encryption keys would be different, but it'd beat not having ident
support at all. We'd need to add documentation explaining how to do
this, and I think we should also tweak the logging of failed ident-auth
connections. All we have at the moment is

ereport(DEBUG2,
(errmsg("Ident protocol identifies remote user as \"%s\"",
ident_user)));

which is pretty inadequate because it doesn't mention either the PG user
name or the remote machine's address. I'd like to put out a LOG-level
message mentioning all three anytime TCP ident authentication fails,
so that the postmaster log provides the info needed to set up a mapping
file. Can anyone see any reasons not to do that?

regards, tom lane

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Stefan Kaltenbrunner 2006-06-15 20:29:36 Re: Test request for Stats collector performance improvement
Previous Message Stefan Kaltenbrunner 2006-06-15 19:58:27 Re: Test request for Stats collector performance improvement