
Re: Patch to include PAM support...

From: "Dominic J(dot) Eidson" <sauron(at)the-infinite(dot)org>
To: Peter Eisentraut <peter_e(at)gmx(dot)net>
Cc: Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us>, pgsql-patches(at)postgresql(dot)org
Subject: Re: Patch to include PAM support...
Date: 2001-06-12 17:29:04
Message-ID: Pine.LNX.4.21.0106121221010.6822-100000@morannon.the-infinite.org
Lists: pgsql-hackers, pgsql-patches
On Tue, 12 Jun 2001, Peter Eisentraut wrote:

> Bruce Momjian writes:
> > OK, care to give a thumbs up on the patch?
> >
> > 	http://candle.pha.pa.us/cgi-bin/pgpatches
> 
> From static inspection I have some doubts about whether this patch would
> operate correctly.  The way it is implemented is that if the backend is
> instructed to use PAM authentication it pretends to the frontend that
> password authentication is going on.  This would probably work correctly

Correct - this was to save code duplication - since the frontend steps for
password authentication are the same, whether you're authenticating to
global/pg_pwd, or handing off the username/password processing to PAM.

> if your PAM setup is that you require exactly one password from the user.
> But if the PAM setup does not require a password (Kerberos, rhosts
> modules?) it would involve a useless exchange (and possibly prompt) for a

This works fine - if it doesn't require a password, it won't get to the
"password prompt" step inside the conversation function, and ends up just
returning "success".

> password.  More importantly, though, if the PAM configuration requires
> more than one password (perhaps the password is due to be changed), this
> implementation will fail (to authenticate).

Typical use of a database is from a non-interactive interface (script,
application, et al), where you aren't given the ability to enter a second
password in the first place. Granted, this could be implemented - but my
goal was to emulate the existing libpq authentication process (which only
allows for the transmission of one password for all (the one?) of the
existing authentication methods that utilize passwords).

In all of the other remote authentication pieces that I have worked
with/used (radius, tacacs, etc) - if your password needs to be
changed and/or has expired - your authentication just fails.

> Dominic, any comments?

-- 
Dominic J. Eidson
                                        "Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/              http://www.the-infinite.org/~dominic/
