Re: Patch to include PAM support... - Mailing list pgsql-patches

From Peter Eisentraut
Subject Re: Patch to include PAM support...
Date
Msg-id Pine.LNX.4.30.0106122149350.756-100000@peter.localdomain
In response to Re: Patch to include PAM support...  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Patch to include PAM support...
List pgsql-patches
Tom Lane writes:

> The larger issue is how a PAM auth method of unknown characteristics
> is going to fit into our existing FE/BE protocol.  It would seem to me
> that a protocol extension will be required.  Lying to the frontend about
> what is happening is very unlikely to prove workable in the long run.
> What if the selected PAM auth method requires the client side to respond
> in some special way?

The interaction that a PAM stack can initiate is limited to prompting for
one or more values and getting strings as an answer.  The PAM-using
application registers a "conversation function" callback, which is
responsible for issuing the prompt and getting at the data in an
application-specific manner.  Ideally, the libpq protocol and API would be
extended to support this generality, but based on Dominic's comments the
password exchange would work to support the useful subset of this
functionality without any protocol or API changes.

Most of the time, PAM is used as a wrapper around some password database
like NIS or LDAP (or maybe even PostgreSQL).

--
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter

