Re: How to deny user changing his own password?
From | Bruno Wolff III |
---|---|
Subject | Re: How to deny user changing his own password? |
Date | |
Msg-id | 20030530001729.GA4261@wolff.to |
In response to | Re: How to deny user changing his own password? (nolan@celery.tssi.com) |
List | pgsql-general |
On Thu, May 29, 2003 at 17:09:18 -0500, nolan@celery.tssi.com wrote:
>
> I'm not sure 'ident' solves the problem any better than an embedded password
> does, and the documentation on ident raises this red flag:

If you want to run applications that connect to your DB from untrusted hosts there probably isn't any good solution. If you are connecting from untrusted networks, then you may want to set up an authenticated tunnel which you can then use for connecting to the DB.

However, neither of these is the normal case. Ident authentication is better than password authentication because it is bound to the machine. Someone can't change it out from under or take it with them to use from another machine.

>
> This authentication method is therefore only appropriate for
> closed networks where each client machine is under tight control
> and where the database and system administrators operate in close
> contact. In other words, you must trust the machine running the
> ident server. Heed the warning:
>
> The Identification Protocol is not intended as an authorization
> or access control protocol.
> --RFC 1413

Note that for applications running on the DB server you don't have to use an RFC 1413 server. On several common operating systems you can find out the user id of the process connecting to you via domain sockets. This is as good as whatever the user used to authenticate to the OS.