Thread: Re: Debian's PostgreSQL packages
"J.H.M. Dassen (Ray)" wrote:
>> and it was never submitted to us as a patch.
>
>According to the README it was. Oliver, could you comment on this please?

It was, a couple of months back. Peter made some criticism of its use of
autoconf, which I have changed. I have not resubmitted the patch because
the core team seemed to think it was not sufficiently portable. If people
want to include it in the main release, I will resubmit a revised patch.

-- 
Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
 ========================================
     "The Spirit of the Lord is upon me, because he hath anointed me to
      preach the gospel to the poor; he hath sent me to heal the
      brokenhearted, to preach deliverance to the captives, and
      recovering of sight to the blind, to set at liberty them that
      are bruised..."                                     Luke 4:18

Oliver Elphick writes:

> "J.H.M. Dassen (Ray)" wrote:
> >> and it was never submitted to us as a patch.
> >
> >According to the README it was. Oliver, could you comment on this please?
>
> It was, a couple of months back. Peter made some criticism of its use of
> autoconf, which I have changed. I have not resubmitted the patch because
> the core team seemed to think it was not sufficiently portable. If people
> want to include it in the main release, I will resubmit a revised patch.

The whole authentication process has been rewritten in the meantime, so you
might have some work to do.

I think the patch was okay in principle. It's not any less "portable" than
ident when you don't have an ident server running.

-- 
Peter Eisentraut      peter_e@gmx.net       http://funkturm.homeip.net/~peter

Oliver Elphick writes:
>> It was, a couple of months back. Peter made some criticism of its use of
>> autoconf, which I have changed. I have not resubmitted the patch because
>> the core team seemed to think it was not sufficiently portable.

I think there was some questioning of whether the code could run on enough
platforms to make it worth carrying in the main sources. Could someone
refresh my memory on which platforms can support this method?

As long as it's useful on some reasonable subset of platforms, and can be
autoconf'ed out on the rest, I don't have an objection to adding it.

			regards, tom lane

> "J.H.M. Dassen (Ray)" wrote:
> >> and it was never submitted to us as a patch.
> >
> >According to the README it was. Oliver, could you comment on this please?
>
> It was, a couple of months back. Peter made some criticism of its use of
> autoconf, which I have changed. I have not resubmitted the patch because
> the core team seemed to think it was not sufficiently portable. If people
> want to include it in the main release, I will resubmit a revised patch.

I think our current idea is to have people run local ident servers to
handle this. We don't have any OS-specific stuff in pg_hba.conf and I
am not sure if we want to add that complexity. What do others think?

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

Bruce Momjian writes:

> > "J.H.M. Dassen (Ray)" wrote:
> > >> and it was never submitted to us as a patch.
> > >
> > >According to the README it was. Oliver, could you comment on this please?
> >
> > It was, a couple of months back. Peter made some criticism of its use of
> > autoconf, which I have changed. I have not resubmitted the patch because
> > the core team seemed to think it was not sufficiently portable. If people
> > want to include it in the main release, I will resubmit a revised patch.
>
> I think our current idea is to have people run local ident servers to
> handle this. We don't have any OS-specific stuff in pg_hba.conf and I
> am not sure if we want to add that complexity. What do others think?

This is not any less "specific" than SSL or Kerberos. Note that opening a
TCP/IP socket already opens a theoretical hole to the world. Unix domain
is much safer.

-- 
Peter Eisentraut      peter_e@gmx.net       http://funkturm.homeip.net/~peter

> Bruce Momjian writes:
>
> > > "J.H.M. Dassen (Ray)" wrote:
> > > >> and it was never submitted to us as a patch.
> > > >
> > > >According to the README it was. Oliver, could you comment on this please?
> > >
> > > It was, a couple of months back. Peter made some criticism of its use of
> > > autoconf, which I have changed. I have not resubmitted the patch because
> > > the core team seemed to think it was not sufficiently portable. If people
> > > want to include it in the main release, I will resubmit a revised patch.
> >
> > I think our current idea is to have people run local ident servers to
> > handle this. We don't have any OS-specific stuff in pg_hba.conf and I
> > am not sure if we want to add that complexity. What do others think?
>
> This is not any less "specific" than SSL or Kerberos. Note that opening a
> TCP/IP socket already opens a theoretical hole to the world. Unix domain
> is much safer.

You can install SSL/Kerberos on any Unix, and many come pre-installed.
You can't add unix-domain socket user authentication to any OS.

I assume most OS's have 127.0.0.1 set as loopback so there shouldn't be
a hole:

127                127.0.0.1          UGRS        4352      lo0
127.0.0.1          127.0.0.1          UH          4352      lo0

However, the security issue may make it worthwhile. Which OS's support
user authentication again, and can we test via configure? Maybe we can
strip out the mention in the pg_hba.conf file if it is not supported on
that OS.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

Bruce Momjian wrote:
>> > I think our current idea is to have people run local ident servers to
>> > handle this. We don't have any OS-specific stuff in pg_hba.conf and I
>> > am not sure if we want to add that complexity. What do others think?
>>
>> This is not any less "specific" than SSL or Kerberos. Note that opening a
>> TCP/IP socket already opens a theoretical hole to the world. Unix domain
>> is much safer.
>
>You can install SSL/Kerberos on any Unix, and many come pre-installed.
>You can't add unix-domain socket user authentication to any OS.
>
>I assume most OS's have 127.0.0.1 set as loopback so there shouldn't be
>a hole:
>
>127                127.0.0.1          UGRS        4352      lo0
>127.0.0.1          127.0.0.1          UH          4352      lo0
>
>However, the security issue may make it worthwhile. Which OS's support
>user authentication again, and can we test via configure? Maybe we can
>strip out the mention in the pg_hba.conf file if it is not supported on
>that OS.

The security issue is why I developed it. There were complaints from people
who did not want to have identd running at all.

I think the feature is available in Linux, Solaris and some BSD. It can be
tested for by whether SO_PEERCRED is defined in sys/socket.h.

I don't see the need to strip mention from the comments in pg_hba.conf. The
situation is no different from those systems which do not have Kerberos or
SSL available.

-- 
Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
 ========================================
     "I waited patiently for the LORD; and he inclined unto me, and heard
      my cry. He brought me up also out of an horrible pit, out of the
      miry clay, and set my feet upon a rock, and established my goings.
      And he hath put a new song in my mouth, even praise unto our God.
      Many shall see it, and fear, and shall trust in the LORD."
                                                        Psalms 40:1-3

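The mechanism the thread is arguing about, as an added example (this is not code from the thread, from Oliver's patch or from PostgreSQL): on a Unix-domain socket the server asks the kernel for the uid of the process on the other end, rather than trusting an identd answer over a TCP connection that anything reaching the port could fake. The call is SO_PEERCRED on Linux, as Oliver says, and getpeereid() on the BSDs and macOS; the helper names, the socketpair() self-check and the user name "no_such_user_7f3a" are my own constructions, and the platform list in the #if is an assumption about where each call exists.

```c
/* peer_auth_demo.c
 * Added example; not code from this thread or from PostgreSQL.
 * Shows the check a peer-credential auth method relies on: on a Unix-domain
 * socket the server asks the kernel who the client is (SO_PEERCRED on Linux,
 * getpeereid() on the BSDs and macOS) instead of trusting an ident daemon.
 * Build: cc -Wall -o peer_auth_demo peer_auth_demo.c
 */
#define _GNU_SOURCE          /* struct ucred in <sys/socket.h> on glibc */
#include <sys/types.h>
#include <sys/socket.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Ask the kernel for the uid/gid of the process at the other end of fd.
 * Returns 1 on success, 0 if this platform offers no such call (the case a
 * configure test for SO_PEERCRED would compile out), -1 on error.
 * Platform list is an assumption; adjust for your build. */
static int get_peer_uid(int fd, uid_t *uid, gid_t *gid)
{
#if defined(__linux__) && defined(SO_PEERCRED)
    struct ucred cr;
    socklen_t len = sizeof cr;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cr, &len) != 0)
        return -1;
    *uid = cr.uid;
    *gid = cr.gid;
    return 1;
#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || \
      defined(__DragonFly__) || defined(__APPLE__)
    return getpeereid(fd, uid, gid) == 0 ? 1 : -1;
#else
    (void)fd; (void)uid; (void)gid;
    return 0;
#endif
}

/* The pg_hba-style decision: does the OS account on the other end of fd match
 * the database user the client asked for?  1 match, 0 mismatch, -1 error,
 * -2 credentials not available on this platform. */
int peer_matches_user(int fd, const char *requested_user)
{
    uid_t uid;
    gid_t gid;
    int rc = get_peer_uid(fd, &uid, &gid);
    if (rc == 0)
        return -2;
    if (rc < 0)
        return -1;
    struct passwd *pw = getpwuid(uid);   /* map the kernel's uid to a name */
    if (pw == NULL)
        return -1;
    return strcmp(pw->pw_name, requested_user) == 0 ? 1 : 0;
}

/* Self-check: socketpair() puts both ends in this process, so the "client"
 * is ourselves and the kernel must report our own uid.  Returns 1 if the
 * mechanism works and agreed with getuid(), 0 if unsupported here, -1 on
 * failure.  The client never sends its uid, so there is nothing to spoof. */
int peercred_self_check(void)
{
    int sv[2];
    uid_t uid;
    gid_t gid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int rc = get_peer_uid(sv[0], &uid, &gid);
    close(sv[0]);
    close(sv[1]);
    if (rc == 0)
        return 0;
    if (rc < 0)
        return -1;
    return uid == getuid() ? 1 : -1;
}

/* Same socketpair trick, running the full name comparison against a
 * requested database user (a constructed request, not a real client). */
int peer_matches_self_check(const char *requested_user)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int rc = peer_matches_user(sv[0], requested_user);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    int rc = peercred_self_check();
    if (rc == 0)
        puts("no peer-credential call on this platform; configure would disable the method");
    else
        printf("peer credential check: %s\n",
               rc == 1 ? "kernel-reported uid matches getuid()" : "FAILED");
    struct passwd *pw = getpwuid(getuid());
    if (pw != NULL)
        printf("request as \"%s\": %d (1 = allowed)\n", pw->pw_name,
               peer_matches_self_check(pw->pw_name));
    printf("request as \"no_such_user_7f3a\": %d (0 = refused)\n",
           peer_matches_self_check("no_such_user_7f3a"));
    return rc < 0;
}
```

The get_peer_uid() return value of 0 is the build-time question Tom and Bruce raise: the same presence test Oliver names (is SO_PEERCRED defined in sys/socket.h) can be expressed in configure with AC_CHECK_DECLS([SO_PEERCRED], [], [], [[#include <sys/socket.h>]]), and the method compiled out where it fails, without having to remove its mention from pg_hba.conf. Note that this only works on AF_UNIX sockets; for a client on 127.0.0.1 the kernel has no caller identity to hand over, which is why ident remains the only option there.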