Re: pam auth - add rhost item

On Fri, Oct 16, 2015 at 2:47 PM, Euler Taveira <euler(at)timbira(dot)com(dot)br> wrote:

> On 15-10-2015 05:41, kolo hhmow wrote:
>
>> I have already explained this in my previous post. Did you read this?
>>
> >
> Yes, I do.
>
> So why postgresql give users an abbility to use a pam modules, when in
>> other side there is advice to not use them?
>> Anyway.
>>
> >
> Where is such advise? I can't see it in docs [1].
>

Not in docs. You gave such advice:
"Therefore, advise PAM users to use HBA is a way to not complicate the
actual feature".

>
> I do not see any complication with this approach. Just use one
>> configuration entry in pg_hba.conf, and rest entries in some database
>> backend of pam module, which is most convenient with lot of entries than
>> editing pg_hba.conf.
>>
>> Why don't you use a group role? I need just one entry in pg_hba.conf.
>
>
> [1]
> http://www.postgresql.org/docs/current/static/auth-methods.html#AUTH-PAM
> [2] http://www.postgresql.org/docs/current/static/role-membership.html
>
>
> Because cannot restrict from what ip address client can connet in such way.
You can restrict only whole group, not just individual member of such
group, or I misunderstand something.

>
>

> --
> Euler Taveira Timbira - http://www.timbira.com.br/
> PostgreSQL: Consultoria, Desenvolvimento, Suporte 24x7 e Treinamento
>