Re: Logging of PAM Authentication Failure
From | David Fetter |
---|---|
Subject | Re: Logging of PAM Authentication Failure |
Date | |
Msg-id | 20130528071702.GE12725@fetter.org |
In response to | Re: Logging of PAM Authentication Failure (Craig Ringer <craig@2ndquadrant.com>) |
List | pgsql-hackers |
On Tue, May 28, 2013 at 01:32:53PM +0800, Craig Ringer wrote:
> On 05/11/2013 03:25 AM, Robert Haas wrote:
> > Not really. We could potentially fix it by extending the wire
> > protocol to allow the server to respond to the client's startup packet
> > with a further challenge, and extend libpq to report that challenge
> > back to the user and allow sending a response. But that would break
> > on-the-wire compatibility, which we haven't done in a good 10 years,
> > and certainly wouldn't be worthwhile just for this.
> We were just talking about "things we'd like to do in wire protocol 4".
>
> Allowing multi-stage authentication has come up repeatedly and should
> perhaps go on that list. The most obvious case being "ident auth failed,
> demand md5".

+1

The configuration would need to be thought through, as no fixed ordering
could cover all cases. Maybe lines like

    local all postgres peer,md5

in pg_hba.conf would be the way to do this, where the list gets
evaluated in the order it's read.

Cheers,
David.
--
David Fetter <david@fetter.org> http://fetter.org/
Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter
Skype: davidfetter XMPP: david.fetter@gmail.com
iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
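
The ordered method list suggested in the message above, as an added sketch that is not part of the original message and not PostgreSQL code. The comma-separated METHOD field is the message's proposal; the function names, the fall-through rule (a failed method hands over to the next one, and the connection is rejected once the list is exhausted) and the sample password and salt are assumptions made here.

```python
import hashlib
import hmac

def parse_hba_line(line):
    """Split a pg_hba.conf 'local' rule; METHOD may be a comma list (proposed syntax)."""
    conn_type, database, user, method_field = line.split(None, 3)
    methods = [m.strip() for m in method_field.split(",") if m.strip()]
    if not methods:
        raise ValueError("rule has no authentication method")
    return {"type": conn_type, "database": database, "user": user, "methods": methods}

def pg_md5_shadow(password, user):
    """Stored verifier for md5 auth: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()

def pg_md5_response(shadow, salt):
    """What a client sends for md5 auth: 'md5' + md5(stored hex || 4-byte salt)."""
    return "md5" + hashlib.md5(shadow[3:].encode() + salt).hexdigest()

def authenticate(rule, db_user, os_user, shadow, salt, md5_response=None):
    """Try each method in the order read; return the one that succeeded, else None."""
    if rule["user"] not in ("all", db_user):
        return None  # rule does not apply to this role
    for method in rule["methods"]:
        if method == "peer":
            # peer: the OS account on the local socket must match the role name
            if os_user == db_user:
                return "peer"
        elif method == "md5":
            expected = pg_md5_response(shadow, salt)
            if md5_response is not None and hmac.compare_digest(md5_response, expected):
                return "md5"
        else:
            raise ValueError("method not covered by this sketch: " + method)
    return None  # every listed method failed: reject, never fall open

if __name__ == "__main__":
    rule = parse_hba_line("local all postgres peer,md5")  # line from the message
    shadow = pg_md5_shadow("s3cret", "postgres")          # constructed sample password
    salt = b"\x01\x02\x03\x04"                            # constructed sample salt
    print(authenticate(rule, "postgres", "postgres", shadow, salt))
    print(authenticate(rule, "postgres", "alice", shadow, salt,
                       pg_md5_response(shadow, salt)))
```

Returning the method that succeeded lets the server log which stage of the list admitted the connection.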