On Fri, Oct 21, 2011 at 3:04 PM, Olaf van der Spek <[email protected]> wrote:
>> proprietary auth for windows does it too. I'd never heard a similar
>> mechanism exist on unix/linux.
>
> http://kb.askmonty.org/en/socket_peercred-authentication-plugin

MariaDB 5.2.0? I was involved in that. Maybe I should go to serg's auth
plugin talks one day...

>> Inside the secure channel, you can still use whatever authentication
>> method you prefer.
>
> My point is that even when the channel is encrypted, you should not
> send plaintext passwords.

I agree. But the custom of sending plaintext passwords originates in
unix/PAM so I wasn't feeling guilty of that. Allowing them to be
eavesdropped (no SSL) however is going too far.

>> It seems with peercred you'd have:
>> - no password needed at all when connecting from localhost
>> - reuses your system username?
>
> Yes
>
>> drawbacks:
>> - need non-standard extra parameters to drizzle client? (I assume you
>> need some plugin, or could this be made to work by default?)
>
> Nope, no client-side support necessary.

Why? Are you assuming here that one connects via unix socket and not
-h127.0.0.1?

> Something is still missing. The authentication question appears to be
> answered. What about the authorization question?

That is a different question :-) As it is now, once you are logged in,
anyone is essentially root.

Having played with this a while, it seems authorization in Drizzle must
be completely separate from authentication. Any authorization plugin
should only care about my username, and then give or refuse access based
on that. Beyond that, I can see us creating a plugin that looks like
what MySQL does, and then some more that I can't even think of. The
regex authorization plugin is a pretty clever idea already.

henrik

--
[email protected]
+358-40-8211286
skype: henrik.ingo
irc: hingo
www.openlife.cc

My LinkedIn profile: http://www.linkedin.com/profile/view?id=9522559

_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp

