Peter Eisentraut <peter_e@gmx.net> writes:
> The interaction that a PAM stack can initiate is limited to prompting for
> one or more values and getting strings as an answer.
We could do that full-up, if only the FE/BE protocol included a prompt
string in the outgoing password request. However, given the difficulty
of reprogramming clients to cope with multiple password challenges,
you're probably right that handling the single-password case without
any protocol or client API change is the wiser course.
However, I'm still quite concerned about letting the postmaster ignore
its other clients while it's executing a PAM auth cycle that will
invoke who-knows-what processing. What's your take on that point?
regards, tom lane