If we did this the straightforward way (exchange authentication packets
after fork()) then rogue clients could connect, start a backend, twiddle
thumbs, never finish the authentication exchange, meanwhile having filled
up the limit on the number of connections. Somehow the backends would
have to report back to the postmaster that the authentication passed.
But then an attacker could easily fill up the system's process table with
this approach. If you in turn put a cap on that to save your system at
large, you're back to having DoS'ed your database server.
Then you would have to put a timeout on the completion of the
authentication sequence. This would be a fairly tricky thing to configure
given the various choices of ways to authenticate, including interactive
ones.
ISTM that there is some merit in having authentication happen *before*
doing much else, especially allocating per-connection resources.
Comments?
--
Peter Eisentraut peter_e@gmx.net http://funkturm.homeip.net/~peter
