Thread: Multiple auth types for a connection

Multiple auth types for a connection

From
Rob Cherry
Date:
Hi,

I am operating in an environment where we have regular users who will
authenticate via PAM and software users for automated processes that
would be more appropriate to authenticate via a password (encrypted or
not - irrelevant to this question).  I have taken a look through the
documentation and Google and done some trial and error, but I don't seem
to be able to get this working for a single client to be able to use
either method.

My 2 guesses involved changing the $PGDATA/pg_hba.conf to try these
options:

1:
host    all         all         0.0.0.0/0             pam,password

(also tried space separated as well as comma separated)

2:
host    all         all         0.0.0.0/0             pam
host    all         all         0.0.0.0/0             password

In both cases (neither caused an error) the first type wins and the
other gives access denied.

Does anyone know if it is possible to overload auth types like this such
that if pam fails password would be tried?

Many thanks in advance,

Rob Cherry

Re: Multiple auth types for a connection

From
Tom Lane
Date:
Rob Cherry <postgresadmin@lxrb.com> writes:
> Does anyone know if it is possible to overload auth types like this such
> that if pam fails password would be tried?

No, it's not, as per the Fine Manual:

: The first record with a matching connection type, client address,
: requested database, and user name is used to perform
: authentication. There is no "fall-through" or "backup": if one record is
: chosen and the authentication fails, subsequent records are not
: considered.  If no record matches, access is denied.

Your best bet is probably to list the automated users specifically in
a record that specifies password, and then put another record that
selects pam for everyone else.

            regards, tom lane

Re: Multiple auth types for a connection

From
Geoff Tolley
Date:
Tom Lane wrote:
> Rob Cherry <postgresadmin@lxrb.com> writes:
>> Does anyone know if it is possible to overload auth types like this such
>> that if pam fails password would be tried?
>
> No, it's not, as per the Fine Manual:

Provided that you don't care about the security and performance
implications of SSL vs non-SSL connectivity, wouldn't it be possible to
have something like:

hostnossl    all         all         0.0.0.0/0             krb5
hostssl      all         all         0.0.0.0/0             md5

... and then have sslmode set to prefer or allow on the client side?

Cheers,
Geoff
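The two answers above both rest on the same rule from the manual: pg_hba.conf is evaluated top to bottom and the first record whose connection type, address, database and user match decides the auth method, with no fall-through on failure. The following added example (not part of this thread and not PostgreSQL's own code) is a small simulator of that first-match rule. It models only `host`, `hostssl` and `hostnossl` records with plain user/database names and CIDR addresses; `local` records, `+group`, `@file` includes and per-method options are deliberately not modelled. The three configurations embedded in it are constructed: Rob's second attempt, Tom's suggestion of listing the automated users (the names `batch_loader`, `report_bot` and `alice` are invented) before a catch-all `pam` record, and Geoff's SSL/non-SSL split.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Record:
    """One simplified pg_hba.conf record (host-type lines only)."""
    conn_type: str       # host, hostssl or hostnossl
    databases: set       # {'all'} or a set of database names
    users: set           # {'all'} or a set of role names
    network: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    method: str          # pam, password, md5, krb5, ...


def parse_pg_hba(text: str) -> list:
    """Parse host-type records; comments and blank lines are skipped.

    Assumption: every record has exactly the five fields
    TYPE DATABASE USER ADDRESS METHOD, possibly followed by options
    that are ignored here.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            raise ValueError(f"unsupported or malformed record: {raw!r}")
        conn_type, dbs, users, addr, method = fields[:5]
        records.append(Record(
            conn_type,
            set(dbs.split(",")),
            set(users.split(",")),
            ipaddress.ip_network(addr, strict=False),
            method,
        ))
    return records


def _name_matches(field: set, value: str) -> bool:
    # 'all' in the database or user column matches any name.
    return "all" in field or value in field


def first_matching_method(records: list, database: str, user: str,
                          client_ip: str, ssl: bool):
    """Return the auth method of the first matching record, or None.

    None corresponds to "no record matches: access is denied". Once a
    record is chosen, later records are never consulted, which is why
    a second record for the same users cannot act as a backup method.
    """
    ip = ipaddress.ip_address(client_ip)
    for r in records:
        if r.conn_type == "hostssl" and not ssl:
            continue
        if r.conn_type == "hostnossl" and ssl:
            continue
        if not _name_matches(r.databases, database):
            continue
        if not _name_matches(r.users, user):
            continue
        if ip not in r.network:   # version mismatch simply fails to match
            continue
        return r.method
    return None


# Constructed configurations mirroring the thread.
ROB_ATTEMPT = """
host    all    all    0.0.0.0/0    pam
host    all    all    0.0.0.0/0    password
"""

TOM_SUGGESTION = """
host    all    batch_loader,report_bot    0.0.0.0/0    password
host    all    all                        0.0.0.0/0    pam
"""

GEOFF_SUGGESTION = """
hostnossl    all    all    0.0.0.0/0    krb5
hostssl      all    all    0.0.0.0/0    md5
"""


if __name__ == "__main__":
    rob = parse_pg_hba(ROB_ATTEMPT)
    tom = parse_pg_hba(TOM_SUGGESTION)
    geoff = parse_pg_hba(GEOFF_SUGGESTION)
    # Rob's layout: every user gets pam; the password record is dead.
    print(first_matching_method(rob, "appdb", "batch_loader", "10.0.0.5", False))
    # Tom's layout: automated users get password, everyone else pam.
    print(first_matching_method(tom, "appdb", "batch_loader", "10.0.0.5", False))
    print(first_matching_method(tom, "appdb", "alice", "10.0.0.5", False))
    # Geoff's layout: the client's sslmode decides which record applies.
    print(first_matching_method(geoff, "appdb", "alice", "10.0.0.5", True))
    print(first_matching_method(geoff, "appdb", "alice", "10.0.0.5", False))
```

Running the simulator on Tom's layout shows why it works: the record order, not the auth outcome, picks the method, so the specific user list has to come before the catch-all. The same ordering rule is also what makes Geoff's split behave differently depending on whether the client negotiates SSL.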