Обсуждение: Add radiustimeout parameter for RADIUS HBA
Hello everyone, I’d like to submit the attached patch for feedback from the PostgreSQL community and potential future inclusion in the codebase.The patch adds a new parameter to the RADIUS authentication method named “radiustimeout”, allowing the databaseadministrator to configure the timeout in seconds to wait for responses from a configured RADIUS server. Until now,this has been hardcoded to three seconds by the RADIUS_TIMEOUT define in auth.c. While this is usually sufficient fortypical RADIUS server configurations, there are some more unusual configurations where a higher timeout is required. Examplesinclude: - Authenticating against a RADIUS server over a high latency link - Authenticating against a RADIUS server that is performing additional out-of-band authentication The latter case is applicable to a server I admin and spurred the development of this patch. We implemented multi-factorauthentication for user access to a sensitive database via a RADIUS server implementation which performs thestandard username & password verification, and if it succeeds, subsequently performs a second factor of authenticationvia a configured mobile app. The RADIUS response confirming successful authentication is only returned afterboth authentication factors have completed. In our deployment, a timeout of 60 seconds seems to work well, but certainlythree seconds is not at all workable. Thanks in advance for any and all feedback. Kind regards, -SDL
Вложения
On Mon, Oct 24, 2016 at 2:03 PM, Samuel D. Leslie <SDL@nexiom.net> wrote:
Hello everyone,
I’d like to submit the attached patch for feedback from the PostgreSQL community and potential future inclusion in the codebase. The patch adds a new parameter to the RADIUS authentication method named “radiustimeout”, allowing the database administrator to configure the timeout in seconds to wait for responses from a configured RADIUS server. Until now, this has been hardcoded to three seconds by the RADIUS_TIMEOUT define in auth.c. While this is usually sufficient for typical RADIUS server configurations, there are some more unusual configurations where a higher timeout is required. Examples include:
- Authenticating against a RADIUS server over a high latency link
- Authenticating against a RADIUS server that is performing additional out-of-band authentication
The latter case is applicable to a server I admin and spurred the development of this patch. We implemented multi-factor authentication for user access to a sensitive database via a RADIUS server implementation which performs the standard username & password verification, and if it succeeds, subsequently performs a second factor of authentication via a configured mobile app. The RADIUS response confirming successful authentication is only returned after both authentication factors have completed. In our deployment, a timeout of 60 seconds seems to work well, but certainly three seconds is not at all workable.
Thanks in advance for any and all feedback.
I reviewed and tested the patch. It works as expected.
Following are my observations during the test.
1. In case if the radiustimeout is more than authentication_timeout the
client connection is stopped only when the radiustimeout is occurred.
Do we need add the CHECK_FOR_INTERRUPTS() call or add this
behavior information in the docs?
2. When the Postgresql Backend is waiting for a response from
Radius server, in case if the client disconnects, still backend waits
for the response from RADIUS server and then it closes.
I feel the second case is rare, may not be a problem.
Regards,
Hari Babu
Fujitsu Australia