Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?

On 25/03/13 13:25, Stephen Frost wrote:
> Tim,
>
> * Tim Watts (tim.j.watts@xxxxxxxxx) wrote:
>> I would have to respectfully take another point of view: that that
>> particular judgement is probably better placed with the sysadmin
>> rather than a blanket decision by the devs.
>
> It's not a blanket decision by any means- the current situation is that
> such an option doesn't exist.  It's not "it exists, but we disabled it
> because we felt like it."
>
> Were someone to write the code to support such an option, it's entirely
> possible it'd get committed (though likely with strong caveats about its
> use in the documentation).

That's totally fair... Not sure if I could. I hacked an option into Samba from a cold start once. On an equal footing, OpenLDAP's source code totally defeated me ;-> I might have a look to see if it looks "trivial" or "hard".

>> Reason: Whilst the argument is solid in an ideal world (all clients
>> are part of the kerberos realm), in reality it means that I cannot
>> gain partial security improvements and I have to leave it running
>> with PAM auth which ensures that passwords are chucked around 100%
>> of the time.
>
> The pg_hba.conf allows you to migrate users or sets of users at a time.
> Having a fall-back mechanism if Kerberos doesn't work is a different
> thing.  My experience has been that all clients (or at least, all in a
> given IP range or for a set of users) *are* part of the Kerberos realm
> because they're coming from Active Directory or another entrenched
> Kerberos installation.  That's specifically because that's how
> Kerberos is intended to work and how it provides a strong
> authentication mechanism.

I think that laptops[1] and "BYOD" (Bring your own device, eg *pads) are going to make that scenario less common.

[1] OK - it is perfectly possible to have a managed laptop. But it's harder than a managed desktop so I've not seen it outside of very large corporations with draconian policies on using their and only their devices.

>> But it would be nice to be able to use kerberos tickets *where
>> available* and fallback to password-interactive login where not.
>
> And I continue to contend that this is a very bad idea.

But less bad than not using kerberos for anything...

Cheers

Tim
--
Tim Watts                               Tel (VOIP): +44 (0)1580 848360
Systems Manager              Digital Humanities, King's College London

Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog:                         http://squiddy.blog.dionic.net/

"She got her looks from her father. He's a plastic surgeon."
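As an added illustration of the per-user and per-address migration that pg_hba.conf does allow (this fragment is constructed for this archive page; it is not a configuration from either poster), the following moves one subnet and one role group onto GSSAPI while everyone else keeps password authentication. The subnet, role name, realm and the choice of md5 for the password path are assumptions; md5 is used because it was the strongest password method available in 8.4. PostgreSQL reads pg_hba.conf top to bottom and uses the first line whose type, database, user and address match; if authentication against that line fails, the connection is rejected rather than retried against later lines, which is exactly why there is no per-connection fallback from gss to a password.

```text
# pg_hba.conf -- constructed example, not taken from the thread.
# Lines are matched top to bottom; the first matching line decides the
# method, and a failed authentication is NOT retried against later lines.
#
# TYPE  DATABASE   USER         ADDRESS          METHOD  [OPTIONS]

# Local maintenance over the Unix socket, unchanged by the migration.
# (8.4 uses "ident" for this; 9.1 and later call it "peer".)
local   all        postgres                      ident

# Step 1: a pilot subnet of domain-joined workstations (assumed range).
# Every client here holds a ticket, so GSSAPI only, no password path.
# krb_realm pins the accepted realm (assumed name).
host    all        all          10.20.0.0/16     gss     include_realm=0 krb_realm=EXAMPLE.ORG

# Step 2: a role group whose members have all been moved to Kerberos,
# wherever they connect from.  "+analysts" means "members of role analysts".
host    all        +analysts    0.0.0.0/0        gss     include_realm=0 krb_realm=EXAMPLE.ORG

# Everyone else (BYOD laptops, hosts not yet in the realm) still
# authenticates with a password.  md5 is challenge-response, so the
# password itself does not cross the wire; use scram-sha-256 on
# releases that have it.
host    all        all          0.0.0.0/0        md5
```

The trade-off the thread is arguing about shows up in the second step: a member of `analysts` connecting from a laptop without a ticket is simply rejected, because the `gss` line matched first and nothing falls through to the `md5` line. Migration therefore proceeds by moving whole address ranges or whole role groups between lines, not by letting an individual connection try both. If a password path has to stay on `pam` rather than `md5`, note that `pam` needs the cleartext password sent to the server, so that line is better written as `hostssl` than `host`.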



--
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin



