Re: Allow peer/ident to fall back to md5?
From | Josh Berkus |
---|---|
Subject | Re: Allow peer/ident to fall back to md5? |
Date | |
Msg-id | 5451148E.4040502@agliodbs.com |
In response to | Allow peer/ident to fall back to md5? (Craig Ringer <craig@2ndquadrant.com>) |
Responses | Re: Allow peer/ident to fall back to md5? |
List | pgsql-hackers |

On 10/29/2014 02:52 AM, Craig Ringer wrote:
> On 10/29/2014 05:46 PM, Andres Freund wrote:
>> I like this one. But then I perhaps edited too many pam configuration
>> files.
>
> It seems good to me too. I haven't looked at how viable it is in
> implementation terms.
>
> I think we could only properly support 'continue' on peer/ident in the
> v3 protocol. With other protos we need to negotiate with the client
> before we determine that we can't authenticate them and we send them an
> auth failed message.
>
> I guess we could just send a different auth request to the client
> instead of an auth failed message, but it might confuse clients that
> aren't expecting it, and it'd make it harder to report the original auth
> failure if we carry on to try something else.
>
> The advantage of doing it for peer/ident is that there's no conversation
> with the client required, so the client never needs to know that we
> considered peer/ident before falling back to something else.

I don't see a problem with having a "continue" directive, and documenting that it only works with peer and ident. Maybe someday (protocol bump) we can have a way to make other methods continue, and then nobody will need to change their files to support the new way.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com