Actually, one more thing - the patch should probably update the docs too, because client-auth.sgml currently says this in the "auth-pam" section:

    PAM is used only to validate user name/password pairs.

I believe that's no longer true, because the patch adds PAM_RHOST to the user/password fields.

Regarding the other PAM_* fields, none of them strikes me as very useful for our use case.

In a broader sense, I think this patch is quite desirable, despite being rather simple (which is good). I certainly don't agree with suggestions that we can already do things like this through pg_hba.conf. If we're providing PAM authentication, let's make it as complete/useful as possible. In some cases modifying PAM may not be feasible - e.g. some management systems rely on PAM as much as possible, and doing changes in other ways is a major hassle.


Tomas Vondra        
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Sent via pgsql-hackers mailing list (
To make changes to your subscription:

Reply via email to