Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?
From | Tim Watts |
---|---|
Subject | Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting? |
Date | |
Msg-id | 5150659E.8070401@kcl.ac.uk |
In reply to | Postgresql 8.4 GSSAPI auth with fallback to password prompting? (Tim Watts <tim.j.watts@kcl.ac.uk>) |
Responses | Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting? |
List | pgsql-admin |

On 25/03/13 14:31, Tom Lane wrote:
> Stephen Frost <sfrost@snowman.net> writes:
>> * Tim Watts (tim.j.watts@kcl.ac.uk) wrote:
>>> I would have to respectfully take another point of view: that that
>>> particular judgement is probably better placed with the sysadmin
>>> rather than a blanket decision by the devs.
>
>> It's not a blanket decision by any means- the current situation is that
>> such an option doesn't exist. It's not "it exists, but we disabled it
>> because we felt like it."
>
>> Were someone to write the code to support such an option, it's entirely
>> possible it'd get committed (though likely with strong caveats about its
>> use in the documentation).
>
> I'm not sure it would. Allowing a fallback would amount to a protocol
> change, meaning that old clients might fail in strange ways. You'd
> need a lot stronger case than has been made here to justify dealing
> with that.
>

Just had a look at a non SSL psql connection with wireshark:

The username is offered. Then the server comes back with:

"Type: Authentication request"
"Authentication type: Plaintext password (3)"

So clearly it's not as simple as the client offering what it feels like.

And whilst I assume it might be possible for the server to have a new code for "Authentication type: GSSAPI with Password-Interactive-Fallback" that's not going to be implicitly backwardly compatible.

Tricky I agree...

I presume the protocol does not allow the server to send a succession of "Type: Authentication request" packets with different Authentication types until it deems that one is acceptable?

BTW - I am not seriously proposing this - just for a bit of idea banter and better understanding by me.

If you've all got better things to do, ignore me :-o

Cheers,

Tim

--
Tim Watts Tel (VOIP): +44 (0)1580 848360
Systems Manager
Digital Humanities, King's College London
Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog: http://squiddy.blog.dionic.net/

"A fanatic is one who can't change his mind and won't change the subject."
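
The authentication request seen in the capture above, decoded as an added example (not part of the original message and not PostgreSQL's own code): it parses the server's 'R' messages, each of which carries a single authentication type code, and flags a plaintext password request on a connection without TLS. The function names and sample bytes are constructed for illustration; the type table is a subset of the protocol's codes.

```python
import struct

# Subset of the authentication type codes carried in an 'R' message (protocol v3).
AUTH_TYPES = {
    0: "Ok", 2: "KerberosV5",
    3: "CleartextPassword", 5: "MD5Password",
    7: "GSS", 8: "GSSContinue",
    9: "SSPI", 10: "SASL",
    11: "SASLContinue", 12: "SASLFinal",
}


def parse_auth_requests(stream: bytes):
    """Return (auth_code, name, extra_bytes) for each 'R' message in a server byte stream."""
    out, pos = [], 0
    while pos + 5 <= len(stream):
        tag = stream[pos:pos + 1]
        (length,) = struct.unpack_from("!I", stream, pos + 1)  # counts itself, not the tag byte
        end = pos + 1 + length
        if length < 4 or end > len(stream):
            raise ValueError("truncated or malformed message at offset %d" % pos)
        if tag == b"R":
            if length < 8:
                raise ValueError("authentication request too short")
            (code,) = struct.unpack_from("!I", stream, pos + 5)
            out.append((code, AUTH_TYPES.get(code, "Unknown"), stream[pos + 9:end]))
        pos = end
    return out


def cleartext_exposed(stream: bytes, tls: bool) -> bool:
    """True when the server asks for a plaintext password on a connection without TLS."""
    return not tls and any(code == 3 for code, _, _ in parse_auth_requests(stream))


# Constructed sample: the server's reply described above (tag 'R', length 8, type 3).
SAMPLE_PLAINTEXT = b"R" + struct.pack("!II", 8, 3)
# Constructed sample: an MD5 request with its 4-byte salt, then AuthenticationOk.
SAMPLE_MD5_THEN_OK = (b"R" + struct.pack("!II", 12, 5) + b"\x01\x02\x03\x04"
                      + b"R" + struct.pack("!II", 8, 0))

if __name__ == "__main__":
    print(parse_auth_requests(SAMPLE_PLAINTEXT))
    print(cleartext_exposed(SAMPLE_PLAINTEXT, tls=False))
```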