Bruce Momjian wrote:
>> > I think our current idea is to have people run local ident servers to
>> > handle this. We don't have any OS-specific stuff in pg_hba.conf and I
>> > am not sure if we want to add that complexity. What do others think?
>>
>> This is not any less "specific" than SSL or Kerberos. Note that opening a
>> TCP/IP socket already opens a theoretical hole to the world. Unix domain
>> is much safer.
>
> You can install SSL/Kerberos on any Unix, and many come pre-installed.
> You can't add unix-domain socket user authentication to any OS.
>
> I assume most OS's have 127.0.0.1 set as loopback so there shouldn't be
> a hole:
>
> 127 127.0.0.1 UGRS 4352 lo0
> 127.0.0.1 127.0.0.1 UH 4352 lo0
>
> However, the security issue may make it worthwhile. Which OS's support
> user authentication again, and can we test via configure? Maybe we can
> strip out the mention in the pg_hba.conf file if it is not supported on
> that OS.
The security issue is why I developed it. There were complaints from people
who did not want to have identd running at all.
I think the feature is available in Linux, Solaris and some BSD. It can be
tested for by whether SO_PEERCRED is defined in sys/socket.h.
I don't see the need to strip mention from the comments in pg_hba.conf. The
situation is no different from those systems which do not have Kerberos or
SSL available.
--
Oliver Elphick Oliver.Elphick@lfix.co.uk
Isle of Wight http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"I waited patiently for the LORD; and he inclined unto
me, and heard my cry. He brought me up also out of an
horrible pit, out of the miry clay, and set my feet
upon a rock, and established my goings. And he hath
put a new song in my mouth, even praise unto our God.
Many shall see it, and fear, and shall trust in the
LORD." Psalms 40:1-3
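An added example, not part of the thread and not PostgreSQL's own code, of the identd-free check Oliver describes: the build tests whether SO_PEERCRED is defined, and at run time getsockopt() on a Unix-domain socket returns the kernel-reported uid of the peer, whose login name is then compared with the one the client claims. The function names, the local struct mirroring Linux's struct ucred, and the socketpair() self-check are my own constructions.

```c
#include <sys/socket.h>
#include <unistd.h>
#include <pwd.h>
#include <string.h>

/* Same layout as the Linux struct ucred that SO_PEERCRED fills in; declared
 * locally so the example builds without feature-test macros. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Ask the kernel for the uid on the other end of a Unix-domain socket.
 * Returns 0 and sets *uid, or -1 if SO_PEERCRED is unavailable or fails. */
int peer_uid(int fd, uid_t *uid) {
#ifdef SO_PEERCRED
    struct peer_cred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) < 0) return -1;
    *uid = cred.uid;
    return 0;
#else
    (void)fd; (void)uid;
    return -1;   /* this platform offers no kernel-supplied peer credentials */
#endif
}

/* The identd-free check: map the kernel-reported uid to a login name and
 * compare it with the name the client claims. 1 match, 0 mismatch, -1 error. */
int peer_user_matches(int fd, const char *claimed_user) {
    uid_t uid;
    if (peer_uid(fd, &uid) < 0) return -1;
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL) return -1;   /* uid without a passwd entry: refuse, never guess */
    return strcmp(pw->pw_name, claimed_user) == 0;
}

/* Self-check on a constructed socketpair(): both ends are this process, so the
 * kernel must report our own uid. 1 all checks agree, 0 contradiction, -1 unsupported. */
int self_check(void) {
    int sv[2];
    uid_t uid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int rc = peer_uid(sv[0], &uid);
    if (rc == 0) rc = (uid == getuid()) ? 1 : 0;
    struct passwd *me = getpwuid(getuid());
    if (rc == 1 && me && peer_user_matches(sv[1], me->pw_name) != 1) rc = 0;
    if (rc == 1 && peer_user_matches(sv[1], "no-such-user-zz") == 1) rc = 0; /* constructed name */
    close(sv[0]);
    close(sv[1]);
    return rc;
}
```

Because the credentials come from the kernel at connect time, a client cannot claim another account the way it could against a forged identd reply; a uid with no passwd entry is refused rather than mapped.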