Re: Patch to include PAM support...
От | Peter Eisentraut |
---|---|
Тема | Re: Patch to include PAM support... |
Дата | |
Msg-id | Pine.LNX.4.30.0106122000440.756-100000@peter.localdomain обсуждение исходный текст |
Ответ на | Re: Patch to include PAM support... ("Dominic J. Eidson" <sauron@the-infinite.org>) |
Список | pgsql-patches |
Dominic J. Eidson writes: > > if your PAM setup is that you require exactly one password from the user. > > But if the PAM setup does not require a password (Kerberos, rhosts > > modules?) it would involve a useless exchange (and possibly prompt) for a > > This works fine - if it doesn't require a password, it won't get to the > "password prompt" step inside the conversation function, and ends up just > returning "success". In the patch I'm looking at, the conversation function doesn't do any actual "prompting", it looks at the password that has previously been obtained by way of the password packet exchange. If no password is required, the password is never looked at, but still obtained. That by itself causes psql to print a password prompt. Perhaps this could work: In the switch in be_recvauth(), you call the pam_authenticate() and friends and if the sequence passes you report back "OK". In the conversation function -- if it gets called -- send a password packet and store the answer packet. You might have to play some tricks here to obtain the answer packet, though. > In all of the other remote authentication pieces that I have worked > with/used (radius, tacacs, etc) - if your password is in need to be > changed and/or expired - your authentication just fails. Alright. -- Peter Eisentraut peter_e@gmx.net http://funkturm.homeip.net/~peter
В списке pgsql-patches по дате отправления: