Re: Patch to include PAM support...

From: "Dominic J(dot) Eidson" <sauron(at)the-infinite(dot)org>
To: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-patches(at)postgresql(dot)org
Subject: Re: Patch to include PAM support...
Date: 2001-06-12 17:19:59
Message-ID: Pine.LNX.4.21.0106121211420.6822-100000@morannon.the-infinite.org
Lists: pgsql-hackers, pgsql-patches

On Tue, 12 Jun 2001, Bruce Momjian wrote:

> > Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> writes:
> > > I know there were concerns about blocking but is that problem any more so
> > > than other interfaces we already support?
> > 
> > We don't need to make it worse.  We've already had trouble reports about
> > postmaster hangups with broken IDENT servers; PAM will hugely expand the
> > scope of potential troubles.  Can you say "denial of service"?
> 
> Does it really?  You are saying PAM can make "denial of service" attacks
> even easier than ident?  

If anything, then "possibly as easy as ident" - but that's a worst case
scenario. And the reason for that is because they both potentially use
outside server/services. PAM doesn't _have_ to authenticate into external
devices, the LDAP example is just an example from my/our situation. You
could use PAM to authenticate into the local system password file, and/or
use it to create user limits (Only 3 connections per user, as example..)

> If it is the same risk, I think it is OK, but if it is worse, I see your
> point.  (I don't know much about PAM except it allows authentication.)

My apologies if PAM has somehow been equated to "remote server
authentication piece" - there is a lot more to PAM than the ability to
easily do remote authentication.

http://www.kernel.org/pub/linux/libs/pam/whatispam.html
http://www.kernel.org/pub/linux/libs/pam/FAQ


-- 
Dominic J. Eidson
                                        "Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/              http://www.the-infinite.org/~dominic/

