On Fri, Mar 18, 2016 at 2:58 AM, Marisa Emerson <m...@insec.sh> wrote:
>>Our usual wording is "the PostgreSQL user account". Perhaps we should
>>be more explicit about the fact that membership of this Unix group is
>>needed on *OpenBSD*, since other current or future BSD forks could
>>vary. I see that the specific reason this is needed on this OpenBSD
>>5.8 box is so that it can fork/exec the setuid login_XXX binaries that
>>live under /usr/libexec/auth.
> The BSD Authentication framework currently only exists on OpenBSD. I've added 
> some explicit documentation that this mechanism is currently only supported 
> on OpenBSD and I've tried to be a bit more explicit about the auth group as 
> suggested by Peter.
>>auth_userokay is called with a type of "pg-auth". I noticed from
>>looking at man page and source of some other applications that the
>>convention is usually a hardcoded string like "auth-myserver",
>>"auth-sockd", "auth-ssh", "auth-doas", "auth-popa3d" etc. So perhaps
>>we should have "auth-postgresql" (or "auth-postgres" or "auth-pgsql")
>>here? And as Peter E already said, that string should probably be
>>documented: it looks a bit like it is useful for allowing the
>>available authentication styles to be restricted or defaulted
>>specifically for PostgreSQL in login.conf based on that string.
>>(Though when I tried to set that up, it seemed to ignore my
>>possibly-incorrectly-specified rule asking it to use "reject" so I may
>>have misunderstood.)
> This is correct, although so far I've only tested using the default login 
> class. The attached patch includes some more explicit documentation about 
> this string.

You used one name in the docs and another in the code:

+    BSD Authentication on PostgreSQL uses the <literal>auth-postgres</literal>
+    login type and authenticates with the <literal>postgres</literal> login

+ retval = auth_userokay(user, NULL, "auth-postgresql", passwd);

>>The style argument is hard coded as NULL, as I see is the case in some
>>other applications. From the man page: "If style is not NULL, it
>>specifies the desired style of authentication to be used. If it is
>>NULL then the default style for the user is used. In this case, name
>>may include the desired style by appending it to the user's name with
>>a single colon (‘:’) as a separator." I wonder if such
>>user-controllable styles are OK (though I guess would require username
>>mapping to strip them off if we do want that as a feature). I wonder
>>if it should be possible to provide the style argument that we pass to
>>auth_userokay explicitly in pg_hba.conf, so that the DBA could
>>explicitly say BSD auth with style=radius.
> I've so far only tested passwd authentication. I'd be interested to test some 
> of the other authentication styles, I think this would be a useful feature.


It looks like this is still very useful with the default, and maybe
adding support for specifying the auth style in pg_hba.conf could be a
follow-up patch if anyone is interested in writing that.

Except for the string mismatch above I would personally say this is
ready for a committer to look at.  Since Stas Kelvich also signed up
as a reviewer I'll give it a few days to see if he has feedback before
updating the commitfest status.

Thomas Munro

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to