Re: Patch to include PAM support...

Peter Eisentraut <peter_e@gmx.net> writes:
> ... More importantly, though, if the PAM configuration requires
> more than one password (perhaps the password is due to be changed), this
> implementation will fail (to authenticate).

I *think* that the FE protocol will support more than one round of
password challenge, although given the lack of any way for the PAM
module to direct what prompt is given, that is unlikely to work
pleasantly.

The larger issue is how a PAM auth method of unknown characteristics
is going to fit into our existing FE/BE protocol.  It would seem to me
that a protocol extension will be required.  Lying to the frontend about
what is happening is very unlikely to prove workable in the long run.
What if the selected PAM auth method requires the client side to respond
in some special way?

            regards, tom lane