Tom Lane writes:
> The larger issue is how a PAM auth method of unknown characteristics
> is going to fit into our existing FE/BE protocol. It would seem to me
> that a protocol extension will be required. Lying to the frontend about
> what is happening is very unlikely to prove workable in the long run.
> What if the selected PAM auth method requires the client side to respond
> in some special way?

The interaction that a PAM stack can initiate is limited to prompting for
one or more values and getting strings as an answer. The PAM-using
application registers a "conversation function" callback, which is
responsible for issuing the prompt and getting at the data in an
application-specific manner. Ideally, the libpq protocol and API would be
extended to support this generality, but based on Dominic's comments the
password exchange would work to support the useful subset of this
functionality without any protocol or API changes.

Most of the time, PAM is used as a wrapper around some password database
like NIS or LDAP (or maybe even PostgreSQL).
--
Peter Eisentraut peter_e@gmx.net http://funkturm.homeip.net/~peter
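
The conversation-function mechanism described in the message above, as an added example that is not part of the original post or of PostgreSQL's code: a callback that serves only the password subset, answering hidden-input prompts with a password assumed to have arrived through the existing password exchange and refusing any other prompt. The name `password_only_conv`, the sample values and the fallback definitions (used only when the PAM headers are not installed) are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__has_include) && __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else   /* stand-ins using Linux-PAM's values, so this builds without PAM headers */
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
#endif

/* Assumption: appdata_ptr holds the password the backend already obtained
 * from the client through the existing password exchange. */
int password_only_conv(int num_msg, const struct pam_message **msg,
                       struct pam_response **resp, void *appdata_ptr)
{
    const char *password = appdata_ptr;
    struct pam_response *replies;

    if (num_msg <= 0 || msg == NULL || resp == NULL || password == NULL)
        return PAM_CONV_ERR;
    if ((replies = calloc((size_t)num_msg, sizeof(*replies))) == NULL)
        return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {      /* Linux-PAM message layout */
        int style = msg[i]->msg_style;
        if (style == PAM_ERROR_MSG || style == PAM_TEXT_INFO)
            continue;                        /* informational: no answer expected */
        if (style == PAM_PROMPT_ECHO_OFF &&
            (replies[i].resp = malloc(strlen(password) + 1)) != NULL)
            strcpy(replies[i].resp, password);
        if (replies[i].resp == NULL) {       /* unsupported prompt or out of memory */
            while (i-- > 0)
                free(replies[i].resp);
            free(replies);
            return PAM_CONV_ERR;
        }
    }
    *resp = replies;                         /* the caller (PAM) frees the replies */
    return PAM_SUCCESS;
}

int main(void)
{
    struct pam_message prompt = { PAM_PROMPT_ECHO_OFF, "Password: " };  /* constructed */
    const struct pam_message *msgs[] = { &prompt };
    struct pam_response *r = NULL;
    int rc = password_only_conv(1, msgs, &r, "constructed-password");
    printf("rc=%d answer=%s\n", rc, rc == PAM_SUCCESS ? r[0].resp : "(none)");
    return rc == PAM_SUCCESS ? 0 : 1;
}
```

In a real service the callback and the password pointer would be handed to `pam_start()` in a `struct pam_conv`.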