Re: Kerberos as source of user name? (Re: [BUGS] segfault in psql on x86_64) - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Kerberos as source of user name? (Re: [BUGS] segfault in psql on x86_64)
Msg-id 4237.1076266466@sss.pgh.pa.us
In response to Re: Kerberos as source of user name? (Re: [BUGS] segfault in psql on x86_64)  (Greg Stark <gsstark@mit.edu>)
List pgsql-hackers
Greg Stark <gsstark@mit.edu> writes:
> In fact I think there's something a little backwards about deciding on a
> default username in advance and then trying various authentication methods.

Perhaps, but we're stuck with that without a massive (and non backwards
compatible) redesign of the connection protocol.  libpq has to send a
connection-request packet that includes the username before it knows
which auth method will be selected.  There are people around here who
consider it a feature that pg_hba.conf can base the decision which auth
method to use on the supplied username...

> In my case I have a kerberos principal gsstark@ATHENA.MIT.EDU and a local
> username of "stark".

AFAICS libpq doesn't have any very principled way to choose which of
those to use as default username.  But I'd prefer to see it make the
same choice whether it's compiled with kerberos support or not.  The
present behavior doesn't seem to me to satisfy the principle of least
astonishment.

In your situation, if you wanted to log in using kerberos authentication
then you'd probably end up setting PGUSER=gsstark to get the right thing
to happen.
        regards, tom lane
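
The ordering described in the message above, as an added example that is not part of the original post and not PostgreSQL code: the client puts the user name into the protocol 3.0 startup packet, and only then can the server pick an auth method from it. The rule list is constructed, the matching is simplified to the database and user columns of pg_hba.conf, the default-user logic is a simplified model of libpq, and all function names are hypothetical.

```python
import struct

PROTOCOL_V3 = 3 << 16  # protocol 3.0 version word in the startup packet

def default_user(environ, os_login):
    """Simplified model: PGUSER wins if set, else the OS login name."""
    return environ.get("PGUSER") or os_login

def build_startup_packet(user, database):
    """Client side: the user name is serialized before any auth exchange."""
    body = struct.pack("!I", PROTOCOL_V3)
    for key, value in (("user", user), ("database", database)):
        body += key.encode() + b"\0" + value.encode() + b"\0"
    body += b"\0"  # terminator after the last key/value pair
    return struct.pack("!I", len(body) + 4) + body  # length counts itself

def parse_startup_packet(packet):
    """Server side: recover the parameters the client committed to."""
    if len(packet) < 9:
        raise ValueError("truncated startup packet")
    length, version = struct.unpack("!II", packet[:8])
    if length != len(packet) or version != PROTOCOL_V3 or packet[-1:] != b"\0":
        raise ValueError("malformed startup packet")
    fields = packet[8:-1].split(b"\0")[:-1]
    if len(fields) % 2:
        raise ValueError("unpaired parameter")
    return {k.decode(): v.decode() for k, v in zip(fields[::2], fields[1::2])}

# Constructed rules in pg_hba.conf order (database, user, method); first match wins.
HBA_RULES = [("all", "gsstark", "gss"), ("all", "all", "md5")]

def select_auth_method(params, rules=HBA_RULES):
    """Pick the method from what the packet claims, before any credential is seen."""
    for database, user, method in rules:
        if database in ("all", params["database"]) and user in ("all", params["user"]):
            return method
    return "reject"  # no matching rule: connection refused

def method_for(environ, os_login, database="postgres"):
    """End to end: default user -> startup packet -> server-side method choice."""
    packet = build_startup_packet(default_user(environ, os_login), database)
    return select_auth_method(parse_startup_packet(packet))
```

With the local login "stark" and no PGUSER, the constructed rules select md5; with PGUSER=gsstark the same client is offered gss.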

