Skip site navigation (1) Skip section navigation (2)

Doing authentication in backend

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: PostgreSQL Development <pgsql-hackers(at)postgresql(dot)org>
Subject: Doing authentication in backend
Date: 2001-06-14 16:31:54
Message-ID: Pine.LNX.4.30.0106141817590.2008-100000@peter.localdomain (view raw, whole thread or download thread mbox)
Thread:
Lists: pgsql-hackers
If we did this the straightforward way (exchange authentication packets
after fork()) then rogue clients could connect, start a backend, twiddle
thumbs, never finish the authentication exchange, meanwhile having filled
up the limit on the number of connections.  Somehow the backends would
have to report back to the postmaster that the authentication passed.
But then an attacker could easily fill up the system's process table with
this approach.  If you in turn put a cap on that to save your system at
large, you're back to having DoS'ed your database server.

Then you would have to put a timeout on the completion of the
authentication sequence.  This would be a fairly tricky thing to configure
given the various choices of ways to authenticate, including interactive
ones.

ISTM that there is some merit in having authentication happen *before*
doing much else, especially allocating per-connection resources.

Comments?

-- 
Peter Eisentraut   peter_e(at)gmx(dot)net   http://funkturm.homeip.net/~peter


Responses

pgsql-hackers by date

Next:From: Bruce MomjianDate: 2001-06-14 16:36:48
Subject: Re: Removal of temp tables
Previous:From: Tom LaneDate: 2001-06-14 15:23:29
Subject: Re: [PATCHES] Removal of temp tables

Privacy Policy | About PostgreSQL
Copyright © 1996-2018 The PostgreSQL Global Development Group