Thread: Re: [PATCHES] Patch to include PAM support...

Re: [PATCHES] Patch to include PAM support...

From
"Dominic J. Eidson"
Date:
On Wed, 13 Jun 2001, Tom Lane wrote:

> Peter Eisentraut <peter_e@gmx.net> writes:
> >> Basically, we have some people who want it.  Now we need to hear from
> >> people who don't want it.   I have a "no" from Tom and a "yes" from
> >> "Peter E" (and the author).
>
> > Not in the current form.
>
> I think Peter's main objection was that it'd always prompt for a
> password whether needed or not.

Okay, after many months of lurking, I've finally set aside some time this
last week to actually finish up the code. (It's been mostly merged/working
since about a week after Tom sent the mail I'm replying to, but then my
employer decided it would be good for us (read: me) to finish working on a
project which has consumed 99% of any programming motivation I could
muster.)

> Could we change the PAM code so that it tries to run the PAM auth cycle
> immediately on receipt of a connection request?  If it gets a callback
> for a password, it abandons the PAM conversation, sends off a password
> request packet, and then tries again when the password comes back.

I am attempting to do this in a way that's relatively elegant, and the
code should get sent to -patches tomorrow sometime, after I've had time
to do some testing.


--
Dominic J. Eidson
                                        "Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/              http://www.the-infinite.org/~dominic/
Re: Re: [PATCHES] Patch to include PAM support...

From
Tom Lane
Date:
"Dominic J. Eidson" <sauron@the-infinite.org> writes:
>> Could we change the PAM code so that it tries to run the PAM auth cycle
>> immediately on receipt of a connection request?  If it gets a callback
>> for a password, it abandons the PAM conversation, sends off a password
>> request packet, and then tries again when the password comes back.

> I am attempting to do this in a way that's relatively elegant, and the
> code should get sent to -patches tomorrow sometime, after I've had time
> to do some testing.

I think that the main objection to the original form of the PAM patch
was that it would lock up the postmaster until the client responded.
However, that is *not* a concern any longer, since the current code
forks first and authenticates after.  Accordingly, you shouldn't be
complexifying the PAM code to avoid waits.

            regards, tom lane

Re: Re: [PATCHES] Patch to include PAM support...

From
"Dominic J. Eidson"
Date:
On Sat, 25 Aug 2001, Tom Lane wrote:

> "Dominic J. Eidson" <sauron@the-infinite.org> writes:
> >> Could we change the PAM code so that it tries to run the PAM auth cycle
> >> immediately on receipt of a connection request?  If it gets a callback
> >> for a password, it abandons the PAM conversation, sends off a password
> >> request packet, and then tries again when the password comes back.
>
> > I am attempting to do this in a way that's relatively elegant, and the
> > code should get sent to -patches tomorrow sometime, after I've had time
> > to do some testing.
>
> I think that the main objection to the original form of the PAM patch
> was that it would lock up the postmaster until the client responded.
> However, that is *not* a concern any longer, since the current code
> forks first and authenticates after.  Accordingly, you shouldn't be
> complexifying the PAM code to avoid waits.

The complexity comes from getting PAM to only send a password request to
the frontend if the PAM authentication needs a password, and not
otherwise. As I'd mentioned to Bruce before, I think PAM authentication
should be treated like password authentication - if there's a potential
that a password might be required, request a password, whether it's needed
or not. But PeterE asked that it only request a password if a password is
needed, so I'm fighting to get it to do exactly that.

(I already knew auth is done in the backend, and therefore can be blocking :)


--
Dominic J. Eidson
                                        "Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/              http://www.the-infinite.org/~dominic/
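The two-pass scheme discussed in this thread (Tom's suggestion to run the PAM cycle immediately and abandon it if a password callback arrives, and Dominic's goal of only sending a password request when the PAM stack actually asks for one) hinges on what the application's PAM conversation function does when it is asked for a password it does not have. The following is an added example written for this page; it is not code from the thread, from Dominic's patch, or from PostgreSQL. It does not link libpam: the struct shapes and constants are hand-copied from the public <security/pam_appl.h> ABI (an assumption about the target libpam), and fake_pam_authenticate() is a constructed stand-in for a PAM stack that either authenticates silently or prompts for a password with a hard-coded expected value. The names pg_pam_conv, pg_pam_auth_step and conv_state are hypothetical.

```c
/* Added example: a PAM conversation function that lets the first
 * pam_authenticate() pass run without a password, records that a
 * password prompt was hit, and aborts the conversation so the caller
 * can send the client a password request and retry.
 * libpam is NOT linked; the types/constants below are hand-copied from
 * <security/pam_appl.h> (assumption) and the "stack" is a constructed
 * stand-in for a real PAM module chain. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR         19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};

/* Per-connection state handed to the conversation via appdata_ptr. */
typedef struct {
    const char *password;      /* NULL on the first, password-less pass */
    int         need_password; /* set when a prompt was hit without one */
} conv_state;

static char *dupstr(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Conversation: answer echo-off prompts from st->password if we have
 * one; otherwise flag need_password and abandon with PAM_CONV_ERR. */
static int pg_pam_conv(int num_msg, const struct pam_message **msg,
                       struct pam_response **resp, void *appdata_ptr)
{
    conv_state *st = appdata_ptr;
    struct pam_response *r;
    int i;

    *resp = NULL;
    if (num_msg <= 0) return PAM_CONV_ERR;
    r = calloc((size_t) num_msg, sizeof *r);
    if (r == NULL) return PAM_CONV_ERR;

    for (i = 0; i < num_msg; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_PROMPT_ECHO_OFF) {
            if (st->password == NULL) {
                st->need_password = 1;   /* tell the caller to go ask */
                goto abandon;
            }
            r[i].resp = dupstr(st->password);
            if (r[i].resp == NULL) goto abandon;
        } else if (style != PAM_TEXT_INFO && style != PAM_ERROR_MSG) {
            goto abandon;                /* echo-on prompts etc.: unsupported */
        }
    }
    *resp = r;
    return PAM_SUCCESS;

abandon:
    for (i = 0; i < num_msg; i++) free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}

/* Constructed stand-in for a PAM stack (not libpam). */
typedef struct { int prompts_for_password; const char *expected; } fake_stack;

static int fake_pam_authenticate(const fake_stack *s, const struct pam_conv *c)
{
    struct pam_message m = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    int rc;

    if (!s->prompts_for_password) return PAM_SUCCESS;   /* e.g. host-based auth */
    rc = c->conv(1, &mp, &r, c->appdata_ptr);
    if (rc != PAM_SUCCESS) return rc;                    /* conversation abandoned */
    rc = (r && r[0].resp && strcmp(r[0].resp, s->expected) == 0)
         ? PAM_SUCCESS : PAM_AUTH_ERR;
    if (r) { free(r[0].resp); free(r); }                 /* module frees responses */
    return rc;
}

enum { PG_AUTH_OK, PG_AUTH_SEND_PASSWORD_REQUEST, PG_AUTH_FAILED };

/* Backend-side driver: call once with client_password == NULL; if it
 * returns PG_AUTH_SEND_PASSWORD_REQUEST, send the password packet and
 * call again with the client's reply. */
int pg_pam_auth_step(const fake_stack *stack, const char *client_password)
{
    conv_state st = { client_password, 0 };
    struct pam_conv conv = { pg_pam_conv, &st };
    int rc = fake_pam_authenticate(stack, &conv);

    if (rc == PAM_SUCCESS) return PG_AUTH_OK;
    if (rc == PAM_CONV_ERR && st.need_password && client_password == NULL)
        return PG_AUTH_SEND_PASSWORD_REQUEST;
    return PG_AUTH_FAILED;
}

int main(void)
{
    fake_stack silent = { 0, NULL }, asks = { 1, "hunter2" };
    printf("silent stack, no password: %d\n", pg_pam_auth_step(&silent, NULL));
    printf("prompting stack, no password: %d\n", pg_pam_auth_step(&asks, NULL));
    printf("prompting stack, right password: %d\n", pg_pam_auth_step(&asks, "hunter2"));
    printf("prompting stack, wrong password: %d\n", pg_pam_auth_step(&asks, "wrong"));
    return 0;
}
```

The practitioner's caveat: a real module may treat an abandoned conversation as an authentication failure rather than a neutral event, so before adopting the two-pass scheme against an actual stack, check the module's logs and any failure counters or delays after the first, password-less pass, and make sure an aborted first pass cannot be counted against the account.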