Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?

Tim,

* Tim Watts (tim.j.watts@xxxxxxxxx) wrote:
> I would have to respectfully take another point of view: that that
> particular judgement is probably better placed with the sysadmin
> rather than a blanket decision by the devs.

It's not a blanket decision by any means- the current situation is that
such an option doesn't exist.  It's not "it exists, but we disabled it
because we felt like it."

Were someone to write the code to support such an option, it's entirely
possible it'd get committed (though likely with strong caveats about its
use in the documentation).

> Reason: Whilst the argument is solid in an ideal world (all clients
> are part of the kerberos realm), in reality it means that I cannot
> gain partial security improvements and I have to leave it running
> with PAM auth which ensures that passwords are chucked around 100%
> of the time.

The pg_hba.conf allows you to migrate users or sets of users at a time.
Having a fall-back mechanism if Kerberos doesn't work is a different
thing.  My experience has been that all clients (or at least, all in a
given IP range or for a set of users) *are* part of the Kerberos realm
because they're coming from Active Directory or another entrenched
Kerberos installation.  That's specifically because that's how
Kerberos is intended to work and how it provides a strong
authentication mechanism.

> But it would be nice to be able to use kerberos tickets *where
> available* and fallback to password-interactive login where not. 

And I continue to contend that this is a very bad idea.

	Thanks,

		Stephen

Attachment: signature.asc
Description: Digital signature
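
Added example (not part of the message above): a simplified first-match evaluator for pg_hba.conf, showing how a set of users can be moved to gss while the rest stay on pam, and that a later record is never used as a fallback for an earlier one. The sample file, user names and networks are constructed; only `host` records, `all`, comma-separated names and CIDR addresses are handled.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the thread); users and networks are hypothetical.
SAMPLE_HBA = """
# TYPE  DATABASE  USER          ADDRESS          METHOD
host    all       alice,bob     10.1.0.0/16      gss
host    all       all           10.1.0.0/16      pam
host    all       all           0.0.0.0/0        reject
"""

def parse_hba(text):
    """Return (databases, users, network, method) tuples for 'host' records, in file order."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blank lines
        if len(fields) < 5 or fields[0] != "host":
            continue
        _, db, user, addr, method = fields[:5]
        records.append((db.split(","), user.split(","), ipaddress.ip_network(addr), method))
    return records

def _matches(names, value):
    return "all" in names or value in names

def auth_method(records, database, user, client_ip):
    """First matching record wins; later records are never tried if it fails."""
    ip = ipaddress.ip_address(client_ip)
    for dbs, users, net, method in records:
        if _matches(dbs, database) and _matches(users, user) and ip in net:
            return method
    return "reject"  # no matching record: the connection is refused

def users_still_on_pam(records, database, users, client_ip):
    """Users from the list who have not yet been migrated off password (pam) auth."""
    return [u for u in users if auth_method(records, database, u, client_ip) == "pam"]

if __name__ == "__main__":
    recs = parse_hba(SAMPLE_HBA)
    for who in ("alice", "carol"):
        print(who, auth_method(recs, "appdb", who, "10.1.4.7"))
```

Here alice and bob are bound to gss; if their Kerberos authentication fails, the pam record below is not consulted, which is the behaviour the thread is discussing.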

