Re: Indent authentication overloading - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: Indent authentication overloading
Msg-id AANLkTimnoQaKhnU3pTEUqt5RRS7zgjwE+nqHW4fnEZWo@mail.gmail.com
In response to Re: Indent authentication overloading  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
On Thu, Nov 18, 2010 at 19:21, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Josh Berkus <josh@agliodbs.com> writes:
>>> We use it. Do you have an alternative that doesn't lower security
>>> besides Kerberos? Anti-ident arguments are straw man arguments - "If
>>> you set up identd badly or don't trust remote root or your network,
>>> ident sucks as an authentication mechanism".
>
>> Actually, you're trusting that nobody can add their own machine as a
>> node on your network.  All someone has to do is plug their linux laptop
>> into a network cable in your office and they have free access to the
>> database.
>
> You're assuming the OP is using ident for wild-card IP ranges rather
> than specific IP addresses.  I agree that ident is *hard* to set up
> securely, but that doesn't mean it's entirely insecure.

If you can get on the network, you can take out that single IP as
well, in most networks. (Yes, you can protect against that, but it's
not the default by any means). It takes a little bit more work, but
it's really not that hard.

OTOH, if you can get on the network in *that* way, you should be using
SSL or ipsec.

But I definitely agree that it can be used in secure ways, depending
on the circumstances. If it wasn't clear, my "suggestion" to remove it
completely really wasn't serious.


>> I don't think anyone is talking about eliminating it, just
>> distinguishing ident-over-TCP from unix-socket-same-user, which are
>> really two different authentication mechanisms.
>
>> HOWEVER, I can't see any way of doing this which wouldn't cause a
>> significant amount of backwards-compatibility confusion.
>
> I thought the proposal on the table was to add "peer" (or some other
> name) to refer to the unix-socket auth method, and use that term
> preferentially in the docs, while continuing to accept "ident" as an
> old name for it.  Is that really too confusing?

Yes, that's the current proposal - and also have the system log that
"ident is deprecated, use peer" when it's found in the files.


--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
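The two concerns raised in this thread (ident on a unix-socket line, which the proposal would report as "ident is deprecated, use peer", and ident over TCP for a wild-card IP range rather than a specific address) can be checked mechanically. The following lint over pg_hba.conf lines is an added example, not PostgreSQL code; the sample configuration it reads is constructed, and hostnames or samehost/samenet addresses are simply skipped.

```python
import ipaddress

TCP_TYPES = {"host", "hostssl", "hostnossl"}

def lint_pg_hba(text):
    """Return a list of (line_no, message) warnings for pg_hba.conf text."""
    warnings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank or comment-only line
        fields = line.split()
        if fields[0] == "local":
            # local DATABASE USER METHOD [OPTIONS]: unix-socket connection,
            # so "ident" here really means the same-user socket check
            if len(fields) >= 4 and fields[3] == "ident":
                warnings.append((line_no, "ident is deprecated, use peer"))
        elif fields[0] in TCP_TYPES and len(fields) >= 5:
            # host DATABASE USER ADDRESS METHOD, where ADDRESS is either
            # CIDR (a.b.c.d/n) or a separate IP and NETMASK pair
            if "/" in fields[3]:
                addr, method = fields[3], fields[4]
            elif len(fields) >= 6:
                addr, method = f"{fields[3]}/{fields[4]}", fields[5]
            else:
                continue
            try:
                network = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                continue  # hostname, samehost/samenet, etc.: not checked here
            if method == "ident" and network.num_addresses > 1:
                warnings.append((line_no,
                    f"ident over TCP for wild-card range {network}; "
                    "limit it to a single host (or use SSL/ipsec)"))
    return warnings

# Constructed sample, not a real configuration.
SAMPLE_PG_HBA = """\
# constructed sample pg_hba.conf
local   all   all                       ident
host    all   all   192.168.1.5/32      ident
host    all   all   192.168.1.0/24      ident
host    all   all   10.0.0.0  255.0.0.0 ident
hostssl all   all   0.0.0.0/0           md5
"""

if __name__ == "__main__":
    for n, msg in lint_pg_hba(SAMPLE_PG_HBA):
        print(f"line {n}: {msg}")
```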

