Re: Proposal: BSD Authentication support
| From | Marisa Emerson |
|---|---|
| Subject | Re: Proposal: BSD Authentication support |
| Date | |
| Msg-id | 15384df31d8.e1eb1f4a78511.6788448249244038941@insec.sh |
| In reply to | Re: Proposal: BSD Authentication support (Thomas Munro <thomas.munro@enterprisedb.com>) |
| Responses | Re: Proposal: BSD Authentication support |
| List | pgsql-hackers |
> Our usual wording is "the PostgreSQL user account". Perhaps we should
> be more explicit about the fact that membership of this Unix group is
> needed on *OpenBSD*, since other current or future BSD forks could
> vary. I see that the specific reason this is needed on this OpenBSD
> 5.8 box is so that it can fork/exec the setuid login_XXX binaries that
> live under /usr/libexec/auth.

The BSD Authentication framework currently only exists on OpenBSD. I've added some explicit documentation that this mechanism is currently only supported on OpenBSD, and I've tried to be a bit more explicit about the auth group as suggested by Peter.

> auth_userokay is called with a type of "pg-auth". I noticed from
> looking at the man page and source of some other applications that the
> convention is usually a hardcoded string like "auth-myserver",
> "auth-sockd", "auth-ssh", "auth-doas", "auth-popa3d" etc. So perhaps
> we should have "auth-postgresql" (or "auth-postgres" or "auth-pgsql")
> here? And as Peter E already said, that string should probably be
> documented: it looks a bit like it is useful for allowing the
> available authentication styles to be restricted or defaulted
> specifically for PostgreSQL in login.conf based on that string.
> (Though when I tried to set that up, it seemed to ignore my
> possibly-incorrectly-specified rule asking it to use "reject", so I may
> have misunderstood.)

This is correct, although so far I've only tested using the default login class. The attached patch includes some more explicit documentation about this string.

> The style argument is hard coded as NULL, as I see is the case in some
> other applications. From the man page: "If style is not NULL, it
> specifies the desired style of authentication to be used. If it is
> NULL then the default style for the user is used. In this case, name
> may include the desired style by appending it to the user's name with
> a single colon (':') as a separator." I wonder if such
> user-controllable styles are OK (though I guess it would require username
> mapping to strip them off if we do want that as a feature). I wonder
> if it should be possible to provide the style argument that we pass to
> auth_userokay explicitly in pg_hba.conf, so that the DBA could
> explicitly say BSD auth with style=radius.

I've so far only tested passwd authentication. I'd be interested to test some of the other authentication styles; I think this would be a useful feature.
Attachments
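An added illustration of the "user:style" behaviour discussed in the quoted text above. This is example code written for this page, not code from the proposed patch or from PostgreSQL. It shows how auth_userokay(3) interprets a name such as "alice:radius" when its style argument is NULL (the suffix selects the style), and the check a server would apply if it instead wants the DBA, not the client, to choose the style. The function names, the buffer sizes and the type string "auth-postgresql" (the convention suggested in the thread; the patch itself uses "pg-auth") are this example's own assumptions; the real auth_userokay() call is compiled only on OpenBSD, where the calling process must also be a member of the auth group as noted in the thread.

```c
/*
 * Added example, not code from the proposed patch or from PostgreSQL.
 * Demonstrates the ':style' suffix that OpenBSD's auth_userokay(3) honours
 * when its style argument is NULL, and a policy check that refuses to let a
 * client-supplied user name pick the authentication style.
 */
#include <stdio.h>
#include <string.h>

#ifdef __OpenBSD__
#include <login_cap.h>
#include <bsd_auth.h>
#endif

#define PG_BSD_AUTH_TYPE "auth-postgresql"   /* assumed type string (thread suggestion) */
#define PG_AUTH_NAME_MAX 128                 /* assumed buffer size for this example */

/*
 * Split a name the way auth_userokay() does when style == NULL: everything
 * after the first ':' is the requested style.  Returns 0 and fills user and
 * *style on success, -1 if the user part is empty or does not fit.  *style
 * is NULL when the name carries no ':' (the login class default applies).
 */
int pg_bsd_auth_split(const char *name, char *user, size_t userlen,
                      const char **style)
{
    const char *colon = strchr(name, ':');
    size_t ulen = colon ? (size_t)(colon - name) : strlen(name);

    if (ulen == 0 || ulen >= userlen)
        return -1;
    memcpy(user, name, ulen);
    user[ulen] = '\0';
    *style = colon ? colon + 1 : NULL;   /* may be "" for a trailing ':' */
    return 0;
}

/*
 * Policy: the client may not choose the style.  Accept only names that are
 * non-empty, fit the buffer and contain no ':' at all.  Returns 1 or 0.
 */
int pg_bsd_auth_name_ok(const char *name)
{
    size_t len = strlen(name);
    return len > 0 && len < PG_AUTH_NAME_MAX && strchr(name, ':') == NULL;
}

/*
 * Authenticate with an explicit, server-chosen style (NULL keeps the login
 * class default, as the patch does).  Returns 1 on success, 0 on failure,
 * -1 where BSD Authentication is unavailable (any non-OpenBSD build).
 */
int pg_bsd_auth_check(const char *name, const char *style,
                      const char *password)
{
    if (!pg_bsd_auth_name_ok(name))
        return 0;                     /* never forward "user:style" names */
#ifdef __OpenBSD__
    /* auth_userokay() takes writable char *; copy the inputs first. */
    char n[PG_AUTH_NAME_MAX], s[64], p[256];
    strlcpy(n, name, sizeof n);
    if (style)
        strlcpy(s, style, sizeof s);
    strlcpy(p, password, sizeof p);
    return auth_userokay(n, style ? s : NULL, PG_BSD_AUTH_TYPE, p) ? 1 : 0;
#else
    (void)style;
    (void)password;
    return -1;
#endif
}

int main(void)
{
    /* Constructed sample names, as a client could send them. */
    const char *names[] = { "alice", "alice:radius", "alice:", ":passwd" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char user[PG_AUTH_NAME_MAX];
        const char *style = NULL;
        int rc = pg_bsd_auth_split(names[i], user, sizeof user, &style);
        printf("%-14s split=%d user=%s style=%s policy_ok=%d\n", names[i], rc,
               rc == 0 ? user : "-", style ? style : "(default)",
               pg_bsd_auth_name_ok(names[i]));
    }
    return 0;
}
```

With style passed as NULL, as in the patch, a name like "alice:radius" reaches libc intact and the suffix chooses the style among those the login class permits for the type string; if the style is to be fixed per pg_hba.conf instead, the server has to either reject such names, as pg_bsd_auth_name_ok() does, or strip the suffix itself before the call.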