On Thu, 18 Mar 2004, Josh Berkus wrote:
> Jeremy handed me an interesting feature proposal at last night's SFPUG
> meeting.
>
> PG authentication methods ought to have drop-downs to other authentication
> methods, in the same manner as SSH and PAM.
>
> The idea would be this, if you had the following in your pg_hba.conf:
>
> somedb jeremy 23.165.22.198 255.255.255.255 kerberos
> somedb jeremy 23.165.22.198 255.255.255.255 md5
>
> Then, when jeremy tries to connect to somedb from 23.165.22.198, the system
> would first try kerberos authentication, and if that fails offer an md5
> password login. Only when the system ran out of applicable lines in
> pg_hba.conf would the user be rejected.
The case I ran into this morning where such an optional behavior would've
been handy is when I want to allow the "postgres" OS user to connect as Pg
user "postgres" without a password via ident checking, but allow anyone to
connect as Pg user "postgres" with a password, e.g.:
local all postgres ident sameuser
local all all md5
host all all 0.0.0.0 0.0.0.0 md5
What that makes easy is cron-driven vacuumdb or other maintenance calls
(where I can't give a password), or letting the root user su to postgres
and connect without needing to know the password, while still allowing
others to connect with a password.
Is there some other way to do what I'm looking for here without the
authentication method fallthrough Josh proposes?
Jon