On Thu, Nov 18, 2010 at 1:01 PM, Josh Berkus <[email protected]> wrote: > >> We use it. Do you have an alternative that doesn't lower security >> besides Kerberos? Anti-ident arguments are straw man arguments - "If >> you setup identd badly or don't trust remote root or your network, >> ident sucks as an authentication mechanism". > > Actually, you're trusting that nobody can add their own machine as a node on > your network. All someone has to do is plug their linux laptop into a > network cable in your office and they have free access to the database.
I think you need to give him a little more credit than that... From the description he gave, I wouldn't be surprised if the networks he's using ident on, he's got switch ports locked, limited server access, etc... His whole point was that in his locked down network, ident is *better* that giving everybody "yet another password" they have to manage, have users not mis-manage, and make sure users don't mis-use... So, yes, ident is only as secure as the *network and machines* it's used on. Passwords are only as secure as the users managing them, and the machines/filesystems containing .pgpass ;-) a. -- Aidan Van Dyk Create like a god, [email protected] command like a king, http://www.highrise.ca/ work like a slave. -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
