Re: Indent authentication overloading - Mailing list pgsql-hackers

From: Josh Berkus
Subject: Re: Indent authentication overloading
Msg-id: 4CE56A09.3080204@agliodbs.com
In response to: Re: Indent authentication overloading (Stuart Bishop <stuart@stuartbishop.net>)
Responses: Re: Indent authentication overloading; Re: Indent authentication overloading
List: pgsql-hackers

> We use it. Do you have an alternative that doesn't lower security
> besides Kerberos? Anti-ident arguments are straw man arguments - "If
> you setup identd badly or don't trust remote root or your network,
> ident sucks as an authentication mechanism".

Actually, you're trusting that nobody can add their own machine as a 
node on your network.  All someone has to do is plug their linux laptop 
into a network cable in your office and they have free access to the 
database.

> Ident is great as you don't have to lower security by dealing with
> keys on the client system (more management headaches == lower
> security), or worry about those keys being reused by accounts that
> shouldn't be reusing them. Please don't deprecate it unless there is
> an alternative. And if you are a pg_pool or pgbouncer maintainer,
> please consider adding support :)

I don't think anyone is talking about eliminating it, just 
distinguishing ident-over-TCP from unix-socket-same-user, which are 
really two different authentication mechanisms.

HOWEVER, I can't see any way of doing this which wouldn't cause a 
significant amount of backwards-compatibility confusion.  Given that 
users can distinguish between local and TCP ident in pg_hba.conf already 
(and the default pg_hba.conf does), is it worth the confusion it will cause?


-- 
Josh Berkus
PostgreSQL Experts Inc.
http://www.pgexperts.com
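The distinction Josh is drawing is easy to audit mechanically. The following is an added example, not code from the thread or from the PostgreSQL project: a small parser for pg_hba.conf that flags every entry where the `ident` method is used on a `host`, `hostssl` or `hostnossl` line (ident over TCP, which trusts an identd daemon on whatever machine is connecting) while leaving `local` lines alone (ident over a unix socket, which checks the connecting process's own credentials). The sample pg_hba.conf contents below are constructed for the example; the field layout follows the documented pg_hba.conf format, and the `map=` style trailing options are simply carried through as extra fields.

```python
"""Flag ident-over-TCP entries in a pg_hba.conf.

Added example for the discussion above; not part of PostgreSQL.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample pg_hba.conf (not taken from the thread). Line numbers
# below refer to this string, first line being line 1.
SAMPLE_HBA = """\
# TYPE    DATABASE  USER  ADDRESS                     METHOD
local     all       all                               ident
host      all       all   127.0.0.1/32                ident
host      all       all   10.0.0.0/8                  ident
hostssl   all       all   10.0.0.0/8                  md5
host      all       all   ::1/128                     ident map=omicron
host      all       all   192.168.1.0  255.255.255.0  ident
"""

TCP_TYPES = ("host", "hostssl", "hostnossl")


@dataclass
class HbaEntry:
    conn_type: str
    database: str
    user: str
    address: Optional[str]   # None for local (unix socket) entries
    method: str
    options: List[str]
    lineno: int


def parse_hba(text: str) -> List[HbaEntry]:
    """Parse pg_hba.conf text into entries, skipping comments and blanks."""
    entries: List[HbaEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        kind = fields[0]
        if kind == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: malformed local entry")
            entries.append(HbaEntry(kind, fields[1], fields[2], None,
                                    fields[3], fields[4:], lineno))
        elif kind in TCP_TYPES:
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: malformed host entry")
            # ADDRESS is either one CIDR field or an IP followed by a netmask;
            # a netmask contains '.' or ':', a method name never does.
            if "/" not in fields[3] and ("." in fields[4] or ":" in fields[4]):
                if len(fields) < 6:
                    raise ValueError(f"line {lineno}: missing method")
                address, method, opts = f"{fields[3]} {fields[4]}", fields[5], fields[6:]
            else:
                address, method, opts = fields[3], fields[4], fields[5:]
            entries.append(HbaEntry(kind, fields[1], fields[2], address,
                                    method, opts, lineno))
        else:
            raise ValueError(f"line {lineno}: unknown connection type {kind!r}")
    return entries


def find_tcp_ident(entries: List[HbaEntry]) -> List[HbaEntry]:
    """Entries that authenticate with ident over a TCP connection.

    For these the server asks an identd on the client host who owns the
    connecting port; anyone who controls a host that matches ADDRESS can run
    their own identd and answer with any user name. Unix-socket ('local')
    ident entries are not returned: there the kernel reports the peer's uid.
    """
    return [e for e in entries if e.conn_type in TCP_TYPES and e.method == "ident"]


def report(text: str) -> List[str]:
    """Human-readable findings, one per flagged entry."""
    return [
        f"line {e.lineno}: {e.conn_type} {e.database} {e.user} {e.address} "
        f"uses ident over TCP; trusts identd on every host in {e.address}"
        for e in find_tcp_ident(parse_hba(text))
    ]


if __name__ == "__main__":
    for finding in report(SAMPLE_HBA):
        print(finding)
```

Run it against a real pg_hba.conf by passing the file contents to `report()`; the loopback entries are flagged too, since whether a local identd is trustworthy is a separate judgement the auditor has to make.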

