| From: | Stuart Bishop <stuart(at)stuartbishop(dot)net> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Indent authentication overloading |
| Date: | 2010-11-18 05:49:14 |
| Message-ID: | AANLkTikBxshbURjXKjy1RRUubATaNa-iDvRXF4Bt60pv@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Nov 17, 2010 at 10:35 PM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> Currently, we overload "indent" meaning both "unix socket
> authentication" and "ident over tcp", depending on what type of
> connection it is. This is quite unfortunate - one of them being one of
> the most secure options we have, the other one being one of the most
> *insecure* ones (really? ident over tcp? does *anybody* use that
> intentionally today?)
We use it. Do you have an alternative that doesn't lower security
besides Kerberos? Anti-ident arguments are straw man arguments - "If
you setup identd badly or don't trust remote root or your network,
ident sucks as an authentication mechanism".
Ident is great as you don't have to lower security by dealing with
keys on the client system (more management headaches == lower
security), or worry about those keys being reused by accounts that
shouldn't be reusing them. Please don't deprecate it unless there is
an alternative. And if you are a pg_pool or pgbouncer maintainer,
please consider adding support :)
--
Stuart Bishop <stuart(at)stuartbishop(dot)net>
http://www.stuartbishop.net/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Pavel Stehule | 2010-11-18 06:04:27 | Re: final patch - plpgsql: for-in-array |
| Previous Message | Tom Lane | 2010-11-18 05:47:05 | Re: final patch - plpgsql: for-in-array |