Re: [HACKERS] Solution to the pg_user passwd problem !?? (c)

Goran Thyni <goran@bildbasen.se> writes:

> IMHO, even Kerberous should be removed.

No, it should be fixed, not removed.  I would very much like to use krb5
authentication.

My main problem with the whole authentication system is that there can only
be one global method.  That is, everything is password based, on one
password per user.

I would think a good method would have the (username, auth-data) stored
together, but you could have multiple (username, auth-data) tuples.  For
instance, I might have a Kerberos5 authentication:

    usename        authtype    authdata
    ---------------    ---------------    ------------------------------
    explorer    krb5        explorer@FLAME.ORG
    explorer    md5        4f1929cbca91deadbeef0123...
    explorer    cryptpw        UNIX-standard crypted string
    explorer    plainpw        password

Then I can control how someone connects down to a method.  I could
allow different methods for different trust levels.  I might trust my
local, server machine with just a password, but deny access to the rest
of the net unless they use Kerberos5.

--Michael