Home > mailing lists

Re: pam auth - add rhost item - Mailing list pgsql-hackers

From	kolo hhmow
Subject	Re: pam auth - add rhost item
Date	October 16, 2015 16:11:52
Msg-id	CAN4hRaYH8VNW7137ApGj=MTeMAp3X8O4bKrSKW-gph7-4VidQQ@mail.gmail.com Whole thread Raw
In response to	Re: pam auth - add rhost item (Euler Taveira <euler@timbira.com.br>)
List	pgsql-hackers

Tree view

On Fri, Oct 16, 2015 at 2:47 PM, Euler Taveira <euler@timbira.com.br> wrote:

On 15-10-2015 05:41, kolo hhmow wrote:
I have already explained this in my previous post. Did you read this?
>
Yes, I do.

So why postgresql give users an abbility to use a pam modules, when in
other side there is advice to not use them?
Anyway.
>
Where is such advise? I can't see it in docs [1].

Not in docs. You gave such advice:
"Therefore, advise PAM users to use HBA is a way to not complicate the actual feature".

I do not see any complication with this approach. Just use one
configuration entry in pg_hba.conf, and rest entries in some database
backend of pam module, which is most convenient with lot of entries than
editing pg_hba.conf.

Why don't you use a group role? I need just one entry in pg_hba.conf.

[1] http://www.postgresql.org/docs/current/static/auth-methods.html#AUTH-PAM
[2] http://www.postgresql.org/docs/current/static/role-membership.html

Because cannot restrict from what ip address client can connet in such way.

You can restrict only whole group, not just individual member of such group, or I misunderstand something.

--
Euler Taveira Timbira - http://www.timbira.com.br/
PostgreSQL: Consultoria, Desenvolvimento, Suporte 24x7 e Treinamento

pgsql-hackers by date:

From: Bruce Momjian
Date: 16 October 2015, 16:04:10
Subject: Re: TODO list updates

From: Tom Lane
Date: 16 October 2015, 16:28:35
Subject: Re: Error creating gin index on jsonb columns

Re: pam auth - add rhost item - Mailing list pgsql-hackers

Previous

Next