Re: Re: Debian's PostgreSQL packages - Mailing list pgsql-general

From Bruce Momjian
Subject Re: Re: Debian's PostgreSQL packages
Date
Msg-id 200107112352.f6BNqbc06810@candle.pha.pa.us
In response to Re: Re: Debian's PostgreSQL packages  (Peter Eisentraut <peter_e@gmx.net>)
Responses Re: Re: Debian's PostgreSQL packages  ("Oliver Elphick" <olly@lfix.co.uk>)
List pgsql-general
> Bruce Momjian writes:
>
> > > "J.H.M. Dassen (Ray)" wrote:
> > >   >> and it was never submitted to us as a patch.
> > >   >
> > >   >According to the README it was. Oliver, could you comment on this please?
> > >
> > > It was, a couple of months back.  Peter made some criticism of its use of
> > > autoconf, which I have changed.  I have not resubmitted the patch because
> > > the core team seemed to think it was not sufficiently portable.  If people
> > > want to include it in the main release, I will resubmit a revised patch.
> >
> > I think our current idea is to have people run local ident servers to
> > handle this.  We don't have any OS-specific stuff in pg_hba.conf and I
> > am not sure if we want to add that complexity.  What do others think?
>
> This is not any less "specific" than SSL or Kerberos.  Note that opening a
> TCP/IP socket already opens a theoretical hole to the world.  Unix domain
> is much safer.

You can install SSL/Kerberos on any Unix, and many come pre-installed.
You can't add unix-domain socket user authentication to any OS.

I assume most OS's have 127.0.0.1 set as loopback so there shouldn't be
a hole:

127                       127.0.0.1                UGRS    4352 lo0
127.0.0.1                 127.0.0.1                UH      4352 lo0

However, the security issue may make it worthwhile.  Which OS's support
user authentication again, and can we test via configure?  Maybe we can
strip out the mention in the pg_hba.conf file if it is not supported on
that OS.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
