| From: | Andreas Karlsson <andreas(at)proxel(dot)se> |
|---|---|
| To: | Thomas Munro <thomas(dot)munro(at)gmail(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: RADIUS tests and improvements |
| Date: | 2023-01-03 21:03:55 |
| Message-ID: | 2a4f355d-92e0-f4b7-e55b-17dc877c3a0d@proxel.se |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 1/3/23 04:11, Thomas Munro wrote:
> Here's a draft patch to tackle a couple of TODOs in the RADIUS code in auth.c.
Nice to see someone working on this! I know of one company which could
have used the configurable timeout for radius because the 3 second
timeout is too short for 2FA. I think they ended up using PAM or some
other solution in the end, but I am not 100% sure.
> [...] While adding
> the GUC I couldn't help wondering why RADIUS even needs a timeout
> separate from authentication_timeout; another way to go here would be
> to remove it completely, but that'd be a policy change (removing the 3
> second timeout we always had). Thoughts?
It was some time since I last looked at the code but my impression was
that the reason for having a separate timeout is that you can try the
next server after the first one timed out (multiple radius servers are
allowed). But I wonder if that really is a useful feature or if someone
just was too clever or it just was an accidental feature.
Andreas
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jacob Champion | 2023-01-03 21:06:16 | Re: [PATCH] Add `verify-system` sslmode to use system CA pool for server cert |
| Previous Message | Melanie Plageman | 2023-01-03 20:39:37 | Re: heapgettup refactoring |