Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting? - Mailing list pgsql-admin

From Tim Watts
Subject Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?
Date
Msg-id 5150659E.8070401@kcl.ac.uk
In response to Postgresql 8.4 GSSAPI auth with fallback to password prompting?  (Tim Watts <tim.j.watts@kcl.ac.uk>)
Responses Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?
List pgsql-admin
On 25/03/13 14:31, Tom Lane wrote:
> Stephen Frost <sfrost@snowman.net> writes:
>> * Tim Watts (tim.j.watts@kcl.ac.uk) wrote:
>>> I would have to respectfully take another point of view: that that
>>> particular judgement is probably better placed with the sysadmin
>>> rather than a blanket decision by the devs.
>
>> It's not a blanket decision by any means- the current situation is that
>> such an option doesn't exist.  It's not "it exists, but we disabled it
>> because we felt like it."
>
>> Were someone to write the code to support such an option, it's entirely
>> possible it'd get committed (though likely with strong caveats about its
>> use in the documentation).
>
> I'm not sure it would.  Allowing a fallback would amount to a protocol
> change, meaning that old clients might fail in strange ways.  You'd
> need a lot stronger case than has been made here to justify dealing
> with that.
>

Just had a look at a non-SSL psql connection with Wireshark:

The username is offered. Then the server comes back with:

"Type: Authentication request"
"Authentication type: Plaintext password (3)"

So clearly it's not as simple as the client offering what it feels like.
And whilst I assume it might be possible for the server to have a new
code for

"Authentication type: GSSAPI with Password-Interactive-Fallback"

that's not going to be implicitly backwardly compatible.

Tricky I agree...

I presume the protocol does not allow the server to send a succession of
"Type: Authentication request" packets with different Authentication
types until it deems that one is acceptable?

BTW - I am not seriously proposing this - just for a bit of idea banter
and better understanding by me. If you've all got better things to do,
ignore me :-o

Cheers,

Tim



--
Tim Watts                               Tel (VOIP): +44 (0)1580 848360
Systems Manager              Digital Humanities, King's College London

Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog:                         http://squiddy.blog.dionic.net/

"A fanatic is one who can't change his mind and won't change the subject."

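Added example, not part of the original message or of the PostgreSQL source: a small Python parser for the server's Authentication request messages seen in the capture described above, which flags a plaintext-password request on a non-TLS connection. The function names and sample byte strings are constructed for illustration; the message layout and type codes are those of the PostgreSQL v3 frontend/backend protocol.

```python
import struct

# Authentication request codes in the PostgreSQL v3 frontend/backend protocol.
AUTH_TYPES = {
    0: "Ok", 2: "Kerberos V5", 3: "Plaintext password", 5: "MD5 password",
    7: "GSSAPI", 8: "GSSAPI continue", 9: "SSPI",
    10: "SASL", 11: "SASL continue", 12: "SASL final",
}

# Constructed sample server-to-client byte strings (not taken from a real capture).
SAMPLE_CLEARTEXT = b"R" + struct.pack("!II", 8, 3)
SAMPLE_MD5 = b"R" + struct.pack("!II", 12, 5) + b"\x01\x02\x03\x04"  # 4-byte salt
SAMPLE_GSS_THEN_OK = b"R" + struct.pack("!II", 8, 7) + b"R" + struct.pack("!II", 8, 0)


def parse_auth_requests(stream: bytes):
    """Return (code, name, extra_bytes) for each 'R' message, in wire order.

    Every message is one type byte followed by a big-endian int32 length that
    counts itself but not the type byte. Parsing stops at a truncated or
    malformed message instead of reading past the buffer.
    """
    found, pos = [], 0
    while pos + 5 <= len(stream):
        msg_type = stream[pos:pos + 1]
        (length,) = struct.unpack("!I", stream[pos + 1:pos + 5])
        end = pos + 1 + length
        if length < 4 or end > len(stream):
            break
        if msg_type == b"R" and length >= 8:
            (code,) = struct.unpack("!I", stream[pos + 5:pos + 9])
            found.append((code, AUTH_TYPES.get(code, "unknown"), stream[pos + 9:end]))
        pos = end
    return found


def cleartext_exposed(stream: bytes, tls: bool) -> bool:
    """True if the server requested a plaintext password and the link is not TLS."""
    return not tls and any(code == 3 for code, _, _ in parse_auth_requests(stream))


if __name__ == "__main__":
    for sample in (SAMPLE_CLEARTEXT, SAMPLE_MD5, SAMPLE_GSS_THEN_OK):
        print(parse_auth_requests(sample), cleartext_exposed(sample, tls=False))
```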

