>Our usual wording is "the PostgreSQL user account". Perhaps we should 
>be more explicit about the fact that membership of this Unix group is 
>needed on *OpenBSD*, since other current or future BSD forks could 
>vary. I see that the specific reason this is needed on this OpenBSD 
>5.8 box is so that it can fork/exec the setuid login_XXX binaries that 
>live under /usr/libexec/auth. 

The BSD Authentication framework currently only exists on OpenBSD. I've added 
some explicit documentation that this mechanism is currently only supported on 
OpenBSD and I've tried to be a bit more explicit about the auth group as 
suggested by Peter.

>auth_userokay is called with a type of "pg-auth". I noticed from 
>looking at man page and source of some other applications that the 
>convention is usually a hardcoded string like "auth-myserver", 
>"auth-sockd", "auth-ssh", "auth-doas", "auth-popa3d" etc. So perhaps 
>we should have "auth-postgresql" (or "auth-postgres" or "auth-pgsql") 
>here? And as Peter E already said, that string should probably be 
>documented: it looks a bit like it is useful for allowing the 
>available authentication styles to be restricted or defaulted 
>specifically for PostgreSQL in login.conf based on that string. 
>(Though when I tried to set that up, it seemed to ignore my 
>possibly-incorrectly-specified rule asking it to use "reject" so I may 
>have misunderstood.) 

This is correct, although so far I've only tested using the default login 
class. The attached patch includes some more explicit documentation about this 
string. 

>The style argument is hard coded as NULL, as I see is the case in some 
>other applications. From the man page: "If style is not NULL, it 
>specifies the desired style of authentication to be used. If it is 
>NULL then the default style for the user is used. In this case, name 
>may include the desired style by appending it to the user's name with 
>a single colon (‘:’) as a separator." I wonder if such 
>user-controllable styles are OK (though I guess would require username 
>mapping to strip them off if we do want that as a feature). I wonder 
>if it should be possible to provide the style argument that we pass to 
>auth_userokay explicitly in pg_hba.conf, so that the DBA could 
>explicitly say BSD auth with style=radius. 

I've so far only tested passwd authentication. I'd be interested to test some 
of the other authentication styles, I think this would be a useful feature.

Attachment: bsd_auth.patch

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
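The style question raised in the message above (auth_userokay called with style NULL, which lets the client append ":style" to the user name) can be illustrated with a small server-side check. The following is an added example, not code from bsd_auth.patch or from PostgreSQL: the style is taken from configuration (a plain parameter here stands in for a hypothetical pg_hba.conf option), a client-supplied "user:style" name is refused rather than passed through, and the real auth_userokay(3) call is only compiled on OpenBSD, where BSD Authentication exists. The type string "auth-postgresql" is the one suggested in the thread and is an assumption of the example, as are the name and style length limits.

```c
/*
 * Added example, not part of bsd_auth.patch or PostgreSQL. Keeps the BSD
 * auth style under the administrator's control when calling auth_userokay(3).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __OpenBSD__
#include <bsd_auth.h>   /* auth_userokay(3): BSD Authentication is OpenBSD-only */
#endif

#define BSD_AUTH_TYPE "auth-postgresql"   /* assumed type string, as suggested in the thread */
#define NAME_MAX_LEN  63                  /* assumed limits for this example */
#define STYLE_MAX_LEN 31

struct bsd_auth_args {
    char name[NAME_MAX_LEN + 1];
    char style[STYLE_MAX_LEN + 1];        /* empty string means "pass NULL" */
};

/*
 * Validate the client-supplied user name and the configured style, and fill
 * in the arguments that will be handed to auth_userokay().
 * Returns 0 if the request is acceptable, -1 otherwise.
 */
int prepare_bsd_auth(const char *client_name, const char *config_style,
                     struct bsd_auth_args *out)
{
    size_t n;

    if (client_name == NULL || out == NULL)
        return -1;
    n = strlen(client_name);
    if (n == 0 || n > NAME_MAX_LEN)
        return -1;

    /*
     * With style == NULL, BSD auth reads "name:style" as a request for that
     * style. Refuse such names so a client cannot send "alice:radius" and
     * choose the mechanism itself; only the configured style is used.
     */
    if (strchr(client_name, ':') != NULL)
        return -1;
    memcpy(out->name, client_name, n + 1);

    if (config_style == NULL || config_style[0] == '\0') {
        out->style[0] = '\0';             /* user's default style from login.conf */
    } else {
        if (strlen(config_style) > STYLE_MAX_LEN || strchr(config_style, ':') != NULL)
            return -1;
        strcpy(out->style, config_style);
    }
    return 0;
}

/* The style argument auth_userokay() expects: NULL selects the user's default. */
const char *bsd_auth_style_arg(const struct bsd_auth_args *a)
{
    return a->style[0] == '\0' ? NULL : a->style;
}

/*
 * Run the check. Returns 1 if authenticated, 0 if rejected, and -1 where
 * BSD Authentication is unavailable (any non-OpenBSD build of this example).
 */
int bsd_auth_check(const struct bsd_auth_args *a, const char *password)
{
#ifdef __OpenBSD__
    /* auth_userokay() takes non-const strings and clears the password copy. */
    char type[] = BSD_AUTH_TYPE;
    char *name = strdup(a->name);
    char *style = bsd_auth_style_arg(a) ? strdup(a->style) : NULL;
    char *pw = strdup(password);
    int ok = (name && pw) ? (auth_userokay(name, style, type, pw) != 0) : 0;
    free(name); free(style); free(pw);
    return ok;
#else
    (void)a; (void)password;
    return -1;
#endif
}

int main(void)
{
    struct bsd_auth_args a;
    const char *names[] = { "alice", "alice:radius" };   /* constructed sample input */
    for (int i = 0; i < 2; i++) {
        int rc = prepare_bsd_auth(names[i], NULL, &a);
        printf("%-13s -> %s\n", names[i], rc == 0 ? "accepted, default style" : "rejected");
    }
    if (prepare_bsd_auth("alice", "radius", &a) == 0)
        printf("configured style: %s, auth result: %d\n",
               bsd_auth_style_arg(&a), bsd_auth_check(&a, "secret"));
    return 0;
}
```

On OpenBSD the process still has to be able to run the setuid login scripts under /usr/libexec/auth, which is why the server account's membership in the auth group discussed above matters; on any other system bsd_auth_check() reports -1 and only the name/style policy runs.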
