From: | Jon Jensen <jon(at)endpoint(dot)com> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Authentication drop-down? |
Date: | 2004-03-18 22:58:46 |
Message-ID: | Pine.LNX.4.58.0403182253360.3654@louche.swelter.net |
Lists: | pgsql-hackers |

On Thu, 18 Mar 2004, Josh Berkus wrote:
> Jeremy handed me an interesting feature proposal at last night's SFPUG
> meeting.
>
> PG authentication methods ought to have drop-downs to other authentication
> methods, in the same manner as SSH and PAM.
>
> The idea would be this, if you had the following in your pg_hba.conf:
>
> somedb jeremy 23.165.22.198 255.255.255.255 kerberos
> somedb jeremy 23.165.22.198 255.255.255.255 md5
>
> Then, when jeremy tries to connect to somedb from 23.165.22.198, the system
> would first try kerberos authentication, and if that fails offer an md5
> password login. Only when the system ran out of applicable lines in
> pg_hba.conf would the user be rejected.

The case I ran into this morning where such an optional behavior would've
been handy is when I want to allow the "postgres" OS user to connect as Pg
user "postgres" without a password via ident checking, but allow anyone to
connect as Pg user "postgres" with a password, e.g.:

    local all postgres ident sameuser
    local all all md5
    host all all 0.0.0.0 0.0.0.0 md5

What that makes easy is cron-driven vacuumdb or other maintenance calls
(where I can't give a password), or letting the root user su to postgres
and connect without needing to know the password, while still allowing
others to connect with a password.

Is there some other way to do what I'm looking for here without the
authentication method fallthrough Josh proposes?

Jon
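
An added example, not part of the original message or of PostgreSQL's code: a simplified Python model of pg_hba.conf record selection that contrasts PostgreSQL's first-matching-record behaviour with the fall-through proposed in the thread, using the three records from the message. The function names, the database name `template1` and the address `10.0.0.5` are constructed for illustration.

```python
import ipaddress

# The three records from the message (host lines: address, then netmask).
HBA = """\
local all postgres ident sameuser
local all all md5
host all all 0.0.0.0 0.0.0.0 md5
"""

def parse(text):
    """Simplified parser: local/host records only, no quoting or includes."""
    records = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":
            net, method = None, " ".join(f[3:])
        else:
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            method = " ".join(f[5:])
        records.append({"type": f[0], "db": f[1], "user": f[2],
                        "net": net, "method": method})
    return records

def matches(rec, conn_type, db, user, addr=None):
    """True when a record applies to this connection attempt."""
    if rec["type"] != conn_type:
        return False
    if rec["db"] not in ("all", db) or rec["user"] not in ("all", user):
        return False
    return rec["net"] is None or ipaddress.ip_address(addr) in rec["net"]

def first_match(records, *conn):
    """Existing behaviour: the first applicable record alone sets the method."""
    for rec in records:
        if matches(rec, *conn):
            return rec["method"]
    return None  # no applicable record: the connection is rejected

def fallthrough(records, *conn):
    """Proposed behaviour: each applicable record is tried in file order."""
    return [rec["method"] for rec in records if matches(rec, *conn)]

if __name__ == "__main__":
    recs = parse(HBA)
    # Constructed connection attempts: (type, database, user[, address]).
    for conn in [("local", "template1", "postgres"),
                 ("host", "template1", "postgres", "10.0.0.5")]:
        print(conn, first_match(recs, *conn), fallthrough(recs, *conn))
```

With these records, a local connection as `postgres` is offered only `ident sameuser` under first-match, while the fall-through variant would try `ident sameuser` and then `md5`. Under fall-through, the weakest applicable method bounds the strength of the whole set of matching lines.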