Re: pam auth - add rhost item - Mailing list pgsql-hackers

From Grzegorz Sampolski
Subject Re: pam auth - add rhost item
Date
Msg-id 56DEBAE9.9010306@gmail.com
In response to Re: pam auth - add rhost item  (Haribabu Kommi <kommi.haribabu@gmail.com>)
Responses Re: pam auth - add rhost item  (Haribabu Kommi <kommi.haribabu@gmail.com>)
List pgsql-hackers
Hi Hari.
To use pam modules you can use whatever backend authentication method
you want.

This is an example configuration:

Install this library https://github.com/pam-pgsql/pam-pgsql
Create some example database <database>, schema access and two tables:
pam_auth and pam_account with example definition:

pam_account:
db_user character varying(16) NOT NULL,
host character varying(255) NOT NULL

pam_auth:
db_user character varying(16) NOT NULL,
password character varying(512) NOT NULL

Sample /etc/pam_pgsql.conf:
connect = dbname=<database> user=<user> password=<password>
auth_query = SELECT password FROM access.pam_auth WHERE db_user = %u LIMIT 1
acct_query = SELECT '0','0','' FROM access.pam_account WHERE db_user = %u AND (host = %h OR %h LIKE host) ORDER BY host DESC LIMIT 1;
pw_type = crypt

Sample pam config /etc/pam.d/postgres_auth:
auth    required        pam_pgsql.so
account required        pam_pgsql.so

Sample pg_hba.conf:
host samerole all 0.0.0.0/0 pam pamservice=postgres_auth

This will let you define access restrictions from one host, a group of
hosts, etc.


I will try to update the documentation in regard to these changes, but please
take into account that my English isn't very fluent. So if I make
some mistakes, please correct me.

Regards.
Grzegorz Sampolski.

On 03/08/2016 05:30 AM, Haribabu Kommi wrote:
> On Tue, Dec 29, 2015 at 10:46 AM, Grzegorz Sampolski <grzsmp@gmail.com> wrote:
>> Hi.
>> I thought link on commitfest to github url was sufficient.
>> Sorry. Attached new patch.
> 
> I reviewed and tested the patch. The addition of the
> new RHOST member to the items passed in PAM
> authentication doesn't have any impact on existing
> behavior.
> 
> As Tomas said in up thread that RHOST is the item
> that I also that can be added to PAM authentication.
> 
> I am not able to test PAM authentication using the
> RHOST, can you please let me know the way for
> the same?
> 
> Also, the patch lacks documentation changes.
> As it adds the new pamusedns option and also
> sends the RHOST, the documentation needs to be
> updated.
> 
> Regards,
> Hari Babu
> Fujitsu Australia
> 
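
How the acct_query in the message above decides which remote hosts an account is accepted from, emulated with Python's sqlite3 as an added example (not part of the original message and not pam-pgsql code). Bound parameters stand in for pam_pgsql's %u/%h substitution, the sample rows are constructed, and it assumes that a query returning no row makes the account step fail.

```python
import sqlite3

# acct_query from the message; :u and :h stand in for pam_pgsql's %u and %h.
ACCT_QUERY = (
    "SELECT '0','0','' FROM access.pam_account WHERE db_user = :u "
    "AND (host = :h OR :h LIKE host) ORDER BY host DESC LIMIT 1"
)

# Constructed sample rows (db_user, host), not taken from the thread.
SAMPLE_ROWS = [
    ("alice", "10.0.0.5"),           # one exact address
    ("bob", "192.168.1.%"),          # LIKE pattern for 192.168.1.x
    ("carol", "192.168.1%"),         # dot forgotten: wider than intended
    ("dave", "app_1.example.com"),   # '_' is a LIKE one-character wildcard
]


def make_db(rows=SAMPLE_ROWS):
    """In-memory SQLite stand-in for the access.pam_account table."""
    db = sqlite3.connect(":memory:")
    db.execute("ATTACH DATABASE ':memory:' AS access")
    db.execute(
        "CREATE TABLE access.pam_account ("
        "db_user varchar(16) NOT NULL, host varchar(255) NOT NULL)"
    )
    db.executemany("INSERT INTO access.pam_account VALUES (?, ?)", rows)
    return db


def account_allowed(db, user, rhost):
    """True when acct_query returns a row for this user and remote host."""
    # SQLite LIKE ignores ASCII case, PostgreSQL LIKE does not; the sample
    # values are all lower case, so the results here are the same.
    return db.execute(ACCT_QUERY, {"u": user, "h": rhost}).fetchone() is not None


def accepted_hosts(db, user, probes):
    """Subset of probe hosts the user's stored host entries accept."""
    return [h for h in probes if account_allowed(db, user, h)]


if __name__ == "__main__":
    db = make_db()
    probes = ["10.0.0.5", "192.168.1.7", "192.168.100.7", "appx1.example.com"]
    for user, _ in SAMPLE_ROWS:
        print(user, accepted_hosts(db, user, probes))
```

Entries like carol's and dave's are the ones to review in pam_account: LIKE compares strings, not networks, so a missing dot or a literal underscore widens what the row accepts.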


