| From: | Richard Troy <rtroy(at)ScienceTools(dot)com> |
|---|---|
| To: | Magnus Hagander <mha(at)sollentuna(dot)net> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Martijn van Oosterhout <kleptog(at)svana(dot)org>, "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov>, <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Design Considerations for New Authentication Methods |
| Date: | 2006-11-02 20:26:58 |
| Message-ID: | Pine.LNX.4.33.0611021214170.1126-100000@denzel.in |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, 2 Nov 2006, Magnus Hagander wrote:
> >
> > I expect we'll need a mapping of some sort, or perhaps a
> > sasl_regexp or similar to what is done in OpenLDAP. I don't
> > recall PG supporting using the DN from a client cert in an
> > SSL connection as a PG username but perhaps I missed it somewhere...
>
> You can't today.
> If we want to add username mapping in SASL or whatever, it might be a
> good idea to look at generalizing the authuser-to-dbuser mapping stuff
> (like we have for identmap now) into something that can be used for all
> external auth methods. Instead of inventing one for every method.
>
> //Magnus
Well, there's simply no need. While I can agree that more could be done,
I'm not convinced there's a need because what we have now works fine. Let
me support my view by stating first that I perceive that combining the
conception of encrypting a communications channel with user authentication
to be a very poor choice. I gather from the paragraph above that this is a
forgone conclusion. Appologies if I'm mistaken.
Just so my point - that another strategy is not needed - is understood,
let's agree that SSL is just preventing sniffers from capturing whatever
else goes on in "our conversation." Great. What's inside that
communication? Why, there's a perfectly workable username/password
authentication that happens! Sure, someone could steal that data somehow
and break in, but that requires one of the two systems to be breached, and
that's a security problem that's out of scope for Postgres.
Would signed certificates be preferred? Well, sure, they're nice. I don't
object, and in fact welcome some improvements here. For example, I'd love
the choice of taking an individual user's certificate and authenticating
completely based upon that. However, while this _seems_ to simplify
things, it really just trades off with the added cost of managing those
certs - username/password is slam-dunk simple and has the advantage that
users can share one authentication.
Unless I've really overlooked something basic, there's nothing lacking in
the existing scheme...
Richard
--
Richard Troy, Chief Scientist
Science Tools Corporation
510-924-1363 or 202-747-1263
rtroy(at)ScienceTools(dot)com, http://ScienceTools.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Nolan Cafferky | 2006-11-02 20:37:33 | Re: Coding style question |
| Previous Message | Stephen Frost | 2006-11-02 20:25:00 | Re: Design Considerations for New Authentication Methods |