Thread: Kerberos and fe-auth...

I don't think it's any surprise that I'm hot on kerberos (updated docs
will come, one thing at a time), however I'm really really really
supper annoyed with the fact that I can't specify a way for a host to
optionally use krb5 or optionally use password authentication.  If
you've got kerberos compiled in, you're stuck using kerberos.  Anyone
have any suggetions or preferred ways of handling libpq so that the
fe-auth can fail back to password if krb5 fail?  Thanks.  -sc

-- 
Sean Chittenden

Sean Chittenden writes:

> I don't think it's any surprise that I'm hot on kerberos (updated docs
> will come, one thing at a time), however I'm really really really
> supper annoyed with the fact that I can't specify a way for a host to
> optionally use krb5 or optionally use password authentication.

What???  Have you looked at pg_hba.conf recently?

-- 
Peter Eisentraut   peter_e@gmx.net

> > I don't think it's any surprise that I'm hot on kerberos (updated docs
> > will come, one thing at a time), however I'm really really really
> > supper annoyed with the fact that I can't specify a way for a host to
> > optionally use krb5 or optionally use password authentication.
> 
> What???  Have you looked at pg_hba.conf recently?

In pg_hba.conf:

host         all         0.0.0.0       0.0.0.0             krb5
host         all         0.0.0.0       0.0.0.0             password


And from the CLI:

> klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_80.1)
> psql -h db1 dbname user
psql: fe_sendauth: krb5 authentication failed

The only way I can do something about that is to reverse the order of
the above entries in hba.conf, however, if I do that, then I can't use
krb5.  One or the other, not both, and that's my problem...  thoughts?
-sc

-- 
Sean Chittenden