Skip site navigation (1) Skip section navigation (2)

Re: "Optional ident" authentication

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: "Florian G(dot) Pflug" <fgp(at)phlo(dot)org>, "Jeroen T(dot) Vermeulen" <jtv(at)xs4all(dot)nl>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: "Optional ident" authentication
Date: 2006-11-28 15:56:02
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
Andrew Dunstan <andrew(at)dunslane(dot)net> writes:
> Tom Lane wrote:
>> Then you get into the problem that it has to work for *all* auth
>> methods, which in general it will not, because the client probably isn't
>> prepared for multiple auth challenges.

> Yes, if we did that we'd probably have to fix libpq to allow for it (and 
> any native protocol implementations such as JDBC). Can the wire protocol 
> handle it?

Not really --- the problem is what does a client do if faced with an
unanswerable challenge, eg password requested when it has no password.
libpq currently just disconnects.  You could maybe kluge it to send back
an empty password or some such, but it'd be better if the protocol had
an explicit "fail" response.  In any case, "let's fix all the clients"
isn't very practical --- what of clients running older copies of libpq?

			regards, tom lane

In response to

pgsql-hackers by date

Next:From: Chris BrowneDate: 2006-11-28 15:59:23
Subject: Re: FAQs and Port Status
Previous:From: Peter EisentrautDate: 2006-11-28 15:51:35
Subject: Short writes

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group