Hello everyone,

I’d like to submit the attached patch for feedback from the PostgreSQL 
community and potential future inclusion in the codebase. The patch adds a new 
parameter to the RADIUS authentication method named “radiustimeout”, allowing 
the database administrator to configure the timeout in seconds to wait for 
responses from a configured RADIUS server. Until now, this has been hardcoded 
to three seconds by the RADIUS_TIMEOUT define in auth.c. While this is usually 
sufficient for typical RADIUS server configurations, there are some more 
unusual configurations where a higher timeout is required. Examples include:
 - Authenticating against a RADIUS server over a high latency link
 - Authenticating against a RADIUS server that is performing additional 
out-of-band authentication

The latter case is applicable to a server I admin and spurred the development 
of this patch. We implemented multi-factor authentication for user access to a 
sensitive database via a RADIUS server implementation which performs the 
standard username & password verification, and if it succeeds, subsequently 
performs a second factor of authentication via a configured mobile app. The 
RADIUS response confirming successful authentication is only returned after 
both authentication factors have completed. In our deployment, a timeout of 60 
seconds seems to work well, but certainly three seconds is not at all workable.

Thanks in advance for any and all feedback.

Kind regards,

Attachment: radiustimeout.patch
Description: radiustimeout.patch

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to