Thread: Re: [PATCHES] Allow IDENT authentication on local connections (Linux only)

[ redirected to pgsql-hackers for comment ]

Helge Bahmann <bahmann@math.tu-freiberg.de> writes:
> On Tue, 31 Jul 2001, Tom Lane wrote:
>> There is a more complete version of this capability in the Debian patch
>> set.  I think we've been waiting for Oliver to pull it out and submit it
>> as a patch...

> Ok found it; uses "peer" as a keyword instead of "ident" but basically
> does the same thing. I think you can discard my patch then.

Well, we need to talk about that.  I like your idea of making ident auth
"just work" on local connections better than Oliver's approach of
inventing a separate auth-type keyword.  So some kind of merger of the
two patches seems attractive to me.  But Oliver may feel that he has to
continue to support the "peer" keyword on Debian anyway, for backwards
compatibility.  If so, do we want different ways of doing the same thing
on different distros, or should we just follow the Debian precedent to
keep things ugly-but-consistent?
        regards, tom lane


Re: [PATCHES] Allow IDENT authentication on local connections (Linux only)

From
Bruce Momjian
Date:
> [ redirected to pgsql-hackers for comment ]
> 
> Helge Bahmann <bahmann@math.tu-freiberg.de> writes:
> > On Tue, 31 Jul 2001, Tom Lane wrote:
> >> There is a more complete version of this capability in the Debian patch
> >> set.  I think we've been waiting for Oliver to pull it out and submit it
> >> as a patch...
> 
> > Ok found it; uses "peer" as a keyword instead of "ident" but basically
> > does the same thing. I think you can discard my patch then.
> 
> Well, we need to talk about that.  I like your idea of making ident auth
> "just work" on local connections better than Oliver's approach of
> inventing a separate auth-type keyword.  So some kind of merger of the
> two patches seems attractive to me.  But Oliver may feel that he has to
> continue to support the "peer" keyword on Debian anyway, for backwards
> compatibility.  If so, do we want different ways of doing the same thing
> on different distros, or should we just follow the Debian precedent to
> keep things ugly-but-consistent?

We could easily just accept peer as a synonym for ident for a few
releases, because in fact our ident will become something that is used
beyond the identd server.

--  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026


Bruce Momjian <pgman@candle.pha.pa.us> writes:
>> ... But Oliver may feel that he has to
>> continue to support the "peer" keyword on Debian anyway, for backwards
>> compatibility.  If so, do we want different ways of doing the same thing
>> on different distros, or should we just follow the Debian precedent to
>> keep things ugly-but-consistent?

> We could easily just accept peer as a synonym for ident for a few
> releases,

Or let Oliver patch the Debian package to accept peer as a synonym for
ident.  I don't see any real need to encourage the use of that keyword
by non-Debianers...
        regards, tom lane


Re: [PATCHES] Allow IDENT authentication on local connections (Linux only)

From
"Oliver Elphick"
Date:
Tom Lane wrote:
  >[ redirected to pgsql-hackers for comment ]
  >
  >Helge Bahmann <bahmann@math.tu-freiberg.de> writes:
  >> On Tue, 31 Jul 2001, Tom Lane wrote:
  >>> There is a more complete version of this capability in the Debian patch
  >>> set.  I think we've been waiting for Oliver to pull it out and submit it
  >>> as a patch...
  >
  >> Ok found it; uses "peer" as a keyword instead of "ident" but basically
  >> does the same thing. I think you can discard my patch then.
  >
  >Well, we need to talk about that.  I like your idea of making ident auth
  >"just work" on local connections better than Oliver's approach of
  >inventing a separate auth-type keyword.  So some kind of merger of the
  >two patches seems attractive to me.  But Oliver may feel that he has to
  >continue to support the "peer" keyword on Debian anyway, for backwards
  >compatibility.  If so, do we want different ways of doing the same thing
  >on different distros, or should we just follow the Debian precedent to
  >keep things ugly-but-consistent?

This change has only been made in the unstable release; so I don't mind
if peer and ident are folded together.  Anyone running unstable knows
the world may turn upside down beneath him!

So if you have a patch to do that, go ahead.

-- 
Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight                              http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47  6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                 ========================================
     "Have not I commanded thee? Be strong and of a good
      courage; be not afraid, neither be thou dismayed; for
      the LORD thy God is with thee whithersoever thou
      goest."                        Joshua 1:9




Can you send over your version for review.  We can edit the 'peer' part.


> Tom Lane wrote:
>   >[ redirected to pgsql-hackers for comment ]
>   >
>   >Helge Bahmann <bahmann@math.tu-freiberg.de> writes:
>   >> On Tue, 31 Jul 2001, Tom Lane wrote:
>   >>> There is a more complete version of this capability in the Debian patch
>   >>> set.  I think we've been waiting for Oliver to pull it out and submit it
>   >>> as a patch...
>   >
>   >> Ok found it; uses "peer" as a keyword instead of "ident" but basically
>   >> does the same thing. I think you can discard my patch then.
>   >
>   >Well, we need to talk about that.  I like your idea of making ident auth
>   >"just work" on local connections better than Oliver's approach of
>   >inventing a separate auth-type keyword.  So some kind of merger of the
>   >two patches seems attractive to me.  But Oliver may feel that he has to
>   >continue to support the "peer" keyword on Debian anyway, for backwards
>   >compatibility.  If so, do we want different ways of doing the same thing
>   >on different distros, or should we just follow the Debian precedent to
>   >keep things ugly-but-consistent?
> 
> This change has only been made in the unstable release; so I don't mind
> if peer and ident are folded together.  Anyone running unstable knows
> the world may turn upside down beneath him!
> 
> So if you have a patch to do that, go ahead.
> 



BTW, while digging through my mail archives I discovered that Oliver
*did* already extract his "peer" auth patch and submit it as a proposed
patch --- see the pghackers archives for 3-May-2001.  At the time I
think we were concerned about portability issues, but as long as it's
appropriately autoconf'd and documented, I see no real objection to
supporting SO_PEERCRED authentication.

I do still like Helge's API (use "ident") better than adding another
auth keyword, though.
        regards, tom lane


Re: [PATCHES] Allow IDENT authentication on local connections (Linux only)

From
Bruce Momjian
Date:
> BTW, while digging through my mail archives I discovered that Oliver
> *did* already extract his "peer" auth patch and submit it as a proposed
> patch --- see the pghackers archives for 3-May-2001.  At the time I
> think we were concerned about portability issues, but as long as it's
> appropriately autoconf'd and documented, I see no real objection to
> supporting SO_PEERCRED authentication.
> 
> I do still like Helge's API (use "ident") better than adding another
> auth keyword, though.

There is a Solaris API someone submitted a month ago that was sort of
rejected too.  I will have to dig that one up.



Re: [PATCHES] Allow IDENT authentication on local connections (Linux only)

From
Bruce Momjian
Date:
> BTW, while digging through my mail archives I discovered that Oliver
> *did* already extract his "peer" auth patch and submit it as a proposed
> patch --- see the pghackers archives for 3-May-2001.  At the time I
> think we were concerned about portability issues, but as long as it's
> appropriately autoconf'd and documented, I see no real objection to
> supporting SO_PEERCRED authentication.
> 
> I do still like Helge's API (use "ident") better than adding another
> auth keyword, though.

Can someone find the Solaris patch submitted a few months ago that did a
similar thing?  I can't seem to find it.



Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Can someone find the Solaris patch submitted a few months ago that did a
> similar thing?  I can't seem to find it.

I couldn't find one either.  I found a couple of unsupported assertions
that Solaris and *BSD had SO_PEERCRED, so the Linux patch might work
for them.  We'll find out soon enough, I suppose.
        regards, tom lane


Re: Re: [PATCHES] Allow IDENT authentication on local connections (Linux only)

From
Bruce Momjian
Date:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Can someone find the Solaris patch submitted a few months ago that did a
> > similar thing?  I can't seem to find it.
> 
> I couldn't find one either.  I found a couple of unsupported assertions
> that Solaris and *BSD had SO_PEERCRED, so the Linux patch might work
> for them.  We'll find out soon enough, I suppose.

Not here on BSD/OS.  I know I saw a Solaris patch that did exactly this
and I questioned it because it was only for Solaris.  Now that I
research and I see different OS's doing this different ways, and I have
mucked up hba.c already, it seemed like a good patch.



Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Not here on BSD/OS.  I know I saw a Solaris patch that did exactly this
> and I questioned it because it was only for Solaris.  Now that I
> research and I see different OS's doing this different ways, and I have
> mucked up hba.c already, it seemed like a good patch.

Well, if someone can come up with a way to do the same thing on other
platforms, we can easily fold it in.

Now that I think about it, it's silly to #ifdef SO_PEERCRED in three
places.  We can reduce that to one place: make ident_unix always exist,
and have it do the test for supported-or-not:
#ifdef SO_PEERCRED
    do it the Linux way
#else
    report error "IDENT not supported on local connections"
#endif

Then adding variants for other platforms is just a matter of more ifdefs
in the one place.  I'll take care of doing this in a little bit...

BTW, a question for Linuxers: Oliver's older patch did
setsockopt(SO_PASSCRED) before getsockopt(SO_PEERCRED), whereas Helge's
version did not.  I included the PASSCRED step in what I committed,
because the Linux docs I had at hand implied it was needed.  But
evidently it worked without it for Helge.  Is there some variation among
Linux versions as to whether PASSCRED is enabled by default?
        regards, tom lane
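As an added example, not the patch that was committed nor Helge's or Oliver's code, here is the single-entry-point shape Tom describes above: one check that always exists, with the platform test in one place, and the SO_PASSCRED step kept with its role noted. The socketpair() self-tests are an assumption added so it runs stand-alone.

```c
#define _GNU_SOURCE           /* struct ucred needs this on glibc */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

/* One ident_unix-style entry point that always exists; the platform test
 * lives here and nowhere else.  Returns 1 if the peer's kernel-reported uid
 * equals expected_uid, 0 on mismatch, -1 if unsupported or the query failed. */
int peer_uid_check(int sock, uid_t expected_uid)
{
#ifdef SO_PEERCRED
    struct ucred peer;
    socklen_t len = sizeof(peer);
    int on = 1;

    /* SO_PASSCRED enables SCM_CREDENTIALS ancillary data; on Linux
     * SO_PEERCRED does not depend on it, it is set here only to mirror the
     * PASSCRED-then-PEERCRED order of the committed patch. */
    if (setsockopt(sock, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0)
        return -1;
    /* The kernel fills in pid/uid/gid of the process at the other end;
     * nothing is asked of a user-space identd, so there is no reply to forge. */
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &peer, &len) < 0)
        return -1;
    return peer.uid == expected_uid ? 1 : 0;
#else
    (void) sock; (void) expected_uid;
    fprintf(stderr, "IDENT not supported on local connections\n");
    return -1;
#endif
}

/* Helper (assumed for the self-test): build a local connection to ourselves
 * with socketpair() and run the check against the given uid. */
static int check_self_with(uid_t claimed)
{
    int fds[2], r;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) < 0)
        return -1;
    r = peer_uid_check(fds[0], claimed);
    close(fds[0]);
    close(fds[1]);
    return r;
}
/* Our own uid must be accepted ... */
int selftest_match(void)    { return check_self_with(getuid()); }
/* ... and a different uid must be rejected, not silently passed. */
int selftest_mismatch(void) { return check_self_with(getuid() + 1); }
```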


Re: [PATCHES] Allow IDENT authentication on local connections (Linux only)

From
Peter Eisentraut
Date:
Tom Lane writes:

> Well, we need to talk about that.  I like your idea of making ident auth
> "just work" on local connections better than Oliver's approach of
> inventing a separate auth-type keyword.

This is exactly what I would not like to see.  "ident" defines a specific
protocol, with an ident server.  ident over something not TCP/IP doesn't
make sense, it could confuse admins.  Just because it works similar
doesn't mean it is the same.  In particular, the security issues are
completely different.

-- 
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter



Peter Eisentraut <peter_e@gmx.net> writes:
>> Well, we need to talk about that.  I like your idea of making ident auth
>> "just work" on local connections better than Oliver's approach of
>> inventing a separate auth-type keyword.

> This is exactly what I would not like to see.  "ident" defines a specific
> protocol, with an ident server.  ident over something not TCP/IP doesn't
> make sense, it could confuse admins.  Just because it works similar
> doesn't mean it is the same.  In particular, the security issues are
> completely different.

Well, ISTM this is a documentation issue.  We've already committed the
patch using "ident" as the keyword, so I'd prefer to leave it that way
and improve the docs as necessary.
        regards, tom lane

PS: welcome back!  Hope you had a pleasant vacation.


Re: Re: [PATCHES] Allow IDENT authentication on local connections (Linux only)

From
Bruce Momjian
Date:
> Tom Lane writes:
> 
> > Well, we need to talk about that.  I like your idea of making ident auth
> > "just work" on local connections better than Oliver's approach of
> > inventing a separate auth-type keyword.
> 
> This is exactly what I would not like to see.  "ident" defines a specific
> protocol, with an ident server.  ident over something not TCP/IP doesn't
> make sense, it could confuse admins.  Just because it works similar
> doesn't mean it is the same.  In particular, the security issues are
> completely different.

Peter has a point here.  The only way to save the 'ident' keyword is to
make it mean 'auto-identify' rather than identd.



"Oliver Elphick" <olly@lfix.co.uk> writes:
> This change has only been made in the unstable release; so I don't mind
> if peer and ident are folded together.  Anyone running unstable knows
> the world may turn upside down beneath him!

> So if you have a patch to do that, go ahead.

Sounds great.  Helge, the main things your patch was missing were
autoconf support and documentation fixes.  Do you want to add those
(possibly stealing liberally from the Debian patches) and resubmit?

BTW, Bruce has recently committed some wholesale changes in hba.c, so a
patch against 7.1.2 likely won't apply cleanly.  If you could do your
patch as a diff against CVS tip, it'd ease applying it.
        regards, tom lane