Re: pam auth - add rhost item

From: Grzegorz Sampolski <grzsmp(at)gmail(dot)com>
To: Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>
Cc: David Fetter <david(at)fetter(dot)org>, Grzegorz Sampolski <g(dot)sampolski(at)ogicom(dot)pl>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pam auth - add rhost item
Date: 2016-03-08 11:43:37
Message-ID: 56DEBAE9.9010306@gmail.com
Lists: pgsql-hackers

Hi Hari.
To use pam modules you can use whatever backend authentication method
you want.

This is an example configuration:

Install this library https://github.com/pam-pgsql/pam-pgsql
Create some example database <database>, schema access and two tables:
pam_auth and pam_account with example definition:

pam_account:
db_user character varying(16) NOT NULL,
host character varying(255) NOT NULL

pam_auth:
db_user character varying(16) NOT NULL,
password character varying(512) NOT NULL

Sample /etc/pam_pgsql.conf:
connect = dbname=<database> user=<user> password=<password>
auth_query = SELECT password FROM access.pam_auth WHERE db_user = %u LIMIT 1
acct_query = SELECT '0','0','' FROM access.pam_account WHERE db_user = %u AND (host = %h OR %h LIKE host) ORDER BY host DESC LIMIT 1;
pw_type = crypt

Sample pam config /etc/pam.d/postgres_auth:
auth required pam_pgsql.so
account required pam_pgsql.so

Sample pg_hba.conf:
host samerole all 0.0.0.0/0 pam pamservice=postgres_auth

This will let you define access restrictions from one host, a group of
hosts, etc.

I will try to update the documentation in regard to these changes, but please
take into account that my English isn't very fluent. So if I make
some mistakes please correct me.

Regards.
Grzegorz Sampolski.

On 03/08/2016 05:30 AM, Haribabu Kommi wrote:
> On Tue, Dec 29, 2015 at 10:46 AM, Grzegorz Sampolski <grzsmp(at)gmail(dot)com> wrote:
>> Hi.
>> I thought link on commitfest to github url was sufficient.
>> Sorry. Attached new patch.
>
> I reviewed and tested the patch. The addition of the
> new RHOST member to the items passed in PAM
> authentication doesn't have any impact on existing
> behavior.
>
> As Tomas said in up thread that RHOST is the item
> that I also that can be added to PAM authentication.
>
> I am not able to test PAM authentication using the
> RHOST, can you please let me know the way for
> the same?
>
> And also the patch lacks documentation changes.
> As it adds the new pamusedns option and also
> sends the RHOST, the documentation needs to be
> updated.
>
> Regards,
> Hari Babu
> Fujitsu Australia
>
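
An added example, not part of the original message or of pam-pgsql: it runs the acct_query from the sample /etc/pam_pgsql.conf against constructed pam_account rows to show which RHOST values each stored host pattern accepts. It uses an in-memory SQLite database as a stand-in for PostgreSQL, writes %u and %h as named parameters, and assumes that a query returning no row means the PAM account step fails.

```python
import sqlite3

# The acct_query from the message, with pam-pgsql's %u / %h placeholders
# written as named parameters so sqlite3 can bind them.
ACCT_QUERY = """
SELECT '0','0','' FROM access.pam_account
WHERE db_user = :u AND (host = :h OR :h LIKE host)
ORDER BY host DESC LIMIT 1
"""

# Constructed sample rows (not from the message).
SAMPLE_ROWS = [
    ("alice", "192.168.1.10"),       # exact address
    ("bob",   "10.1.%"),             # pattern ending on an octet boundary
    ("carol", "10.1%"),              # pattern without the dot: too broad
    ("dave",  "%.example.com"),      # hostname suffix
    ("erin",  "app_1.example.com"),  # "_" is a LIKE wildcard, not a literal
]

def make_db():
    """In-memory stand-in for the table described in the message.
    SQLite's LIKE ignores ASCII case and PostgreSQL's does not; the
    sample values are all lower case, so the results agree."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS access")
    conn.execute("CREATE TABLE access.pam_account ("
                 "db_user varchar(16) NOT NULL, host varchar(255) NOT NULL)")
    conn.executemany("INSERT INTO access.pam_account VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def account_allowed(conn, user, rhost):
    """True when acct_query returns a row for this user and RHOST value.
    Assumption: no row means the PAM account step fails."""
    row = conn.execute(ACCT_QUERY, {"u": user, "h": rhost}).fetchone()
    return row is not None

if __name__ == "__main__":
    conn = make_db()
    for user, rhost in [("alice", "192.168.1.10"), ("alice", "192.168.1.11"),
                        ("bob", "10.100.2.3"), ("carol", "10.100.2.3"),
                        ("dave", "db1.example.com"), ("erin", "appx1.example.com")]:
        print(f"{user:6} {rhost:20} {account_allowed(conn, user, rhost)}")
```

Because host is used as a LIKE pattern, both "%" and "_" in stored values act as wildcards, so a subnet pattern should end on an octet boundary ("10.1.%") and hostnames containing "_" match more than the literal name.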
