Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?
From: Tim Watts
Subject: Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?
Date:
Msg-id: 5150610E.3090706@kcl.ac.uk
In reply to: Postgresql 8.4 GSSAPI auth with fallback to password prompting? (Tim Watts <tim.j.watts@kcl.ac.uk>)
List: pgsql-admin
On 25/03/13 13:25, Stephen Frost wrote:
> Tim,
>
> * Tim Watts (tim.j.watts@kcl.ac.uk) wrote:
>> I would have to respectfully take another point of view: that that
>> particular judgement is probably better placed with the sysadmin
>> rather than a blanket decision by the devs.
>
> It's not a blanket decision by any means- the current situation is that
> such an option doesn't exist. It's not "it exists, but we disabled it
> because we felt like it."
>
> Were someone to write the code to support such an option, it's entirely
> possible it'd get committed (though likely with strong caveats about its
> use in the documentation).

That's totally fair... Not sure if I could. I hacked an option into Samba
from a cold start once. On an equal footing, OpenLDAP's source code totally
defeated me ;->

I might have a look to see if it looks "trivial" or "hard".

>> Reason: Whilst the argument is solid in an ideal world (all clients
>> are part of the kerberos realm), in reality it means that I cannot
>> gain partial security improvements and I have to leave it running
>> with PAM auth which ensures that passwords are chucked around 100%
>> of the time.
>
> The pg_hba.conf allows you to migrate users or sets of users at a time.
> Having a fall-back mechanism if Kerberos doesn't work is a different
> thing. My experience has been that all clients (or at least, all in a
> given IP range or for a set of users) *are* part of the Kerberos realm
> because they're coming from Active Directory or another entrenched
> Kerberos installation. That's specifically because that's how
> Kerberos is intended to work and how it provides a strong
> authentication mechanism.

I think that laptops[1] and "BYOD" (Bring your own device, e.g. *pads) are
going to make that scenario less common.

[1] OK - it is perfectly possible to have a managed laptop. But it's harder
than a managed desktop, so I've not seen it outside of very large
corporations with draconian policies on using their and only their devices.

>> But it would be nice to be able to use kerberos tickets *where
>> available* and fall back to password-interactive login where not.
>
> And I continue to contend that this is a very bad idea.

But less bad than not using kerberos for anything...

Cheers

Tim

-- 
Tim Watts
Tel (VOIP): +44 (0)1580 848360
Systems Manager
Digital Humanities, King's College London
Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog: http://squiddy.blog.dionic.net/

"She got her looks from her father. He's a plastic surgeon."
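The per-user and per-address migration that Stephen Frost describes above can be expressed directly in pg_hba.conf. The file below is an added illustration, not configuration from this thread or from the PostgreSQL project; the address ranges, the Kerberos realm EXAMPORG.AC.UK and the role group kerberos_users are made-up assumptions. The security-relevant point it shows is that pg_hba.conf is evaluated top-down and the METHOD of the first line whose TYPE, DATABASE, USER and CIDR-ADDRESS all match is the only one attempted; a failed GSSAPI handshake does not fall through to a later md5 line. The "fallback" is therefore chosen by who and from where, never by whether the client happens to hold a ticket, which is exactly why the mixed mode Tim asks for is not something a single line can express.

```conf
# pg_hba.conf, PostgreSQL 8.4 syntax (added example, not from the thread).
# First matching line wins; its METHOD is the only one tried for that
# connection.  Realm, role group and address ranges are illustrative
# assumptions.
#
# TYPE   DATABASE  USER              CIDR-ADDRESS     METHOD  [OPTIONS]

# Local superuser maintenance over the Unix socket, OS identity only.
local    all       postgres                           ident

# Managed desktops already joined to the realm: Kerberos tickets only,
# no password is ever accepted from this range.  include_realm=0 maps
# principal alice@EXAMPORG.AC.UK to role alice; krb_realm rejects
# principals from any other realm.
hostssl  all       all               10.20.0.0/16     gss     include_realm=0 krb_realm=EXAMPORG.AC.UK

# Roles already migrated (members of role kerberos_users) are held to
# GSSAPI wherever they connect from, so their passwords can be removed.
hostssl  all       +kerberos_users   0.0.0.0/0        gss     include_realm=0 krb_realm=EXAMPORG.AC.UK

# Everyone not yet migrated (laptops, BYOD): password auth, but only
# inside TLS so the md5 exchange is not exposed on the wire.
hostssl  all       all               0.0.0.0/0        md5

# Anything that is not TLS is refused outright rather than silently
# falling back to a cleartext-capable method.
host     all       all               0.0.0.0/0        reject
```

Two caveats when using this layout. The address-based partition assumes unmanaged devices land on a different range than the managed desktops (for example a separate wireless VLAN); a BYOD laptop that obtains an address in 10.20.0.0/16 will hit the gss line and simply fail, with no password prompt. And because users are moved by adding them to kerberos_users rather than by editing the md5 line, migration can be done one role at a time and checked in the server log, where the rejected connection names the pg_hba.conf line that matched.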