Re: Indent authentication overloading

From: Josh Berkus <josh(at)agliodbs(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Indent authentication overloading
Date: 2010-11-18 18:01:45
Message-ID: 4CE56A09.3080204@agliodbs.com
Lists: pgsql-hackers


> We use it. Do you have an alternative that doesn't lower security
> besides Kerberos? Anti-ident arguments are straw man arguments - "If
> you set up identd badly or don't trust remote root or your network,
> ident sucks as an authentication mechanism".

Actually, you're trusting that nobody can add their own machine as a
node on your network. All someone has to do is plug their Linux laptop
into a network cable in your office and they have free access to the
database.

> Ident is great as you don't have to lower security by dealing with
> keys on the client system (more management headaches == lower
> security), or worry about those keys being reused by accounts that
> shouldn't be reusing them. Please don't deprecate it unless there is
> an alternative. And if you are a pg_pool or pgbouncer maintainer,
> please consider adding support :)

I don't think anyone is talking about eliminating it, just
distinguishing ident-over-TCP from unix-socket-same-user, which are
really two different authentication mechanisms.

HOWEVER, I can't see any way of doing this which wouldn't cause a
significant amount of backwards-compatibility confusion. Given that
users can distinguish between local and TCP ident in pg_hba.conf already
(and the default pg_hba.conf does), is it worth the confusion it will cause?

--
-- Josh Berkus
PostgreSQL Experts Inc.
http://www.pgexperts.com
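The local-versus-TCP ident distinction discussed in this message, as an added audit script that is not part of the thread or of PostgreSQL: it parses pg_hba.conf records and lists the host-type lines that use ident (and therefore trust whatever identd answers at the client address), while skipping local lines, where ident means the unix-socket peer user (spelled "peer" from PostgreSQL 9.1 on). The sample configuration is constructed, and handling only the CIDR address form is an assumption.

```python
"""Audit a pg_hba.conf for ident entries that rely on a remote identd."""
import ipaddress
import shlex

# Constructed sample configuration, not a real site's pg_hba.conf.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       all                       ident
host    all       all       127.0.0.1/32    ident
host    all       all       10.1.0.0/16     ident map=office
hostssl reports   analyst   10.1.0.0/16     md5
"""


def parse_hba(text):
    """Yield (type, database, user, address, method, options) per record.

    Assumes the CIDR address form; the separate "IP netmask" form is not handled.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        conn_type = fields[0]
        if conn_type == "local":
            # "local" records have no ADDRESS column; ident here is the
            # socket peer credential, not an identd lookup.
            database, user, method = fields[1:4]
            address, options = None, fields[4:]
        else:
            database, user, address, method = fields[1:5]
            options = fields[5:]
        yield (conn_type, database, user, address, method, options)


def _is_loopback(address):
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:  # hostname or keywords such as samehost/samenet
        return False


def find_tcp_ident(text, include_loopback=False):
    """Return host-type records using ident, i.e. those trusting a remote identd.

    Loopback entries query the local machine's identd and are skipped by default.
    """
    found = []
    for rec in parse_hba(text):
        conn_type, _, _, address, method, _ = rec
        if not conn_type.startswith("host") or method != "ident":
            continue
        if not include_loopback and _is_loopback(address):
            continue
        found.append(rec)
    return found
```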
