Hello everyone,
I’d like to submit the attached patch for feedback from the PostgreSQL community and potential future inclusion in the
codebase.The patch adds a new parameter to the RADIUS authentication method named “radiustimeout”, allowing the
databaseadministrator to configure the timeout in seconds to wait for responses from a configured RADIUS server. Until
now,this has been hardcoded to three seconds by the RADIUS_TIMEOUT define in auth.c. While this is usually sufficient
fortypical RADIUS server configurations, there are some more unusual configurations where a higher timeout is required.
Examplesinclude:
- Authenticating against a RADIUS server over a high latency link
- Authenticating against a RADIUS server that is performing additional out-of-band authentication
The latter case is applicable to a server I admin and spurred the development of this patch. We implemented
multi-factorauthentication for user access to a sensitive database via a RADIUS server implementation which performs
thestandard username & password verification, and if it succeeds, subsequently performs a second factor of
authenticationvia a configured mobile app. The RADIUS response confirming successful authentication is only returned
afterboth authentication factors have completed. In our deployment, a timeout of 60 seconds seems to work well, but
certainlythree seconds is not at all workable.
Thanks in advance for any and all feedback.
Kind regards,
-SDL