Postgresql 8.4 GSSAPI auth with fallback to password prompting?

Hi,

Pretty sure this has a yes or no answer (and google+postgres docs is
suggesting "no", but I thought it worth asking the experts )...



Is it possible to specify GSSAPI auth (with MIT kerberos as the backend)
but get Postgresql to fallback to prompting for a password if a kerberos
ticket cannot be supplied by the client - eg because the client cannot
do GSSAPI or because the client is not part of the kerberos realm?

A bit like how OpenSSH server can try multiple auth methods
transparantly until one works,

eg GSSAPI->PubKey->Password-interactive->FAIL



Snippet from my pg_hba.conf:

#1# host    all         +role_users     0/0                     gss
#2# host    all         +role_users     0/0                     pam
     host    all         +role_apps      0/0                     md5
     host    all         all             0/0                     reject

#1# and #2# both work independently when uncommented. "role_users" is
used as a grouping for real user accounts vs application/script accounts
which are in "role_apps" and will always use local Postgresql
authentication.

It would be really nice if the gss method could fallback to asking for a
password or if it were possible to try gss then pam.

Maybe it is but I missed something?


Any answers, even a definitive negative, would be most welcome :)

Cheers!

Tim

--
Tim Watts                               Tel (VOIP): +44 (0)1580 848360
Systems Manager              Digital Humanities, King's College London

Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog:                         http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage