Re: Allow peer/ident to fall back to md5?
| От | Tom Lane |
|---|---|
| Тема | Re: Allow peer/ident to fall back to md5? |
| Дата | |
| Msg-id | 26114.1414550715@sss.pgh.pa.us обсуждение |
| Ответ на | Allow peer/ident to fall back to md5? (Craig Ringer <craig@2ndquadrant.com>) |
| Ответы |
Re: Allow peer/ident to fall back to md5?
|
| Список | pgsql-hackers |
Craig Ringer <craig@2ndquadrant.com> writes:
> At pgconf-eu �lvaro and I were discussing the idea of allowing 'peer'
> and 'ident' authentication to fall back to md5 if the peer/ident check
> failed.
I think it would be acceptable to define *new* auth modes that work
that way. I'm violently against redefining the meaning of existing
pg_hba.conf entries like this: it's not terribly hard to imagine
cases where it'd be a security problem, and even if you claim it isn't,
people will get bent out of shape if they think you're poking holes
in their oh-so-carefully-chosen authentication arrangements.
> If anyone's concerned about that I think it'd be reasonable to
> add an option in pg_hba.conf to allow 'ident' and 'peer' to be qualified
> with a no_md5_fallback mode.
You've got that exactly backwards.
regards, tom lane
В списке pgsql-hackers по дате отправления: