Re: Allow peer/ident to fall back to md5?

From: Josh Berkus <josh(at)agliodbs(dot)com>
To: Craig Ringer <craig(at)2ndquadrant(dot)com>, Andres Freund <andres(at)2ndquadrant(dot)com>, Noah Misch <noah(at)leadboat(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Subject: Re: Allow peer/ident to fall back to md5?
Date: 2014-10-29 16:23:42
Message-ID: 5451148E.4040502@agliodbs.com
Lists: pgsql-hackers

On 10/29/2014 02:52 AM, Craig Ringer wrote:
> On 10/29/2014 05:46 PM, Andres Freund wrote:
>> I like this one. But then I perhaps edited too many pam configuration
>> files.
>
> It seems good to me too. I haven't looked at how viable it is in
> implementation terms.
>
> I think we could only properly support 'continue' on peer/ident in the
> v3 protocol. With other protos we need to negotiate with the client
> before we determine that we can't authenticate them and we send them an
> auth failed message.
>
> I guess we could just send a different auth request to the client
> instead of an auth failed message, but it might confuse clients that
> aren't expecting it, and it'd make it harder to report the original auth
> failure if we carry on to try something else.
>
> The advantage of doing it for peer/ident is that there's no conversation
> with the client required, so the client never needs to know that we
> considered peer/ident before falling back to something else.

I don't see a problem with having a "continue" directive, and
documenting that it only works with peer and ident. Maybe someday
(protocol bump) we can have a way to make other methods continue, and
then nobody will need to change their files to support the new way.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com
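
The fallback discussed in this message, modelled as an added example (not part of the original email and not PostgreSQL code). The `Rule` class, its `cont` flag and `select_method` are hypothetical names, and peer/ident is simplified to a comparison of the OS user with the requested role.

```python
from dataclasses import dataclass

# Methods the server can decide without a message exchange with the client.
NO_CONVERSATION = {"peer", "ident"}

@dataclass
class Rule:
    database: str
    user: str
    method: str
    cont: bool = False  # hypothetical "continue" option from the proposal

def validate(rules):
    """Reject 'continue' on any method that needs a client conversation."""
    for r in rules:
        if r.cont and r.method not in NO_CONVERSATION:
            raise ValueError(f"'continue' only works with peer/ident, not {r.method}")

def select_method(rules, database, role, os_user):
    """Return (decision, trail): 'ok', 'reject', or the method to request
    from the client; trail keeps earlier failures for the server log."""
    validate(rules)
    trail = []
    for r in rules:
        if r.database not in ("all", database) or r.user not in ("all", role):
            continue  # rule does not match this connection
        if r.method not in NO_CONVERSATION:
            return r.method, trail  # first client-visible auth request
        if os_user == role:
            return "ok", trail
        trail.append(f"{r.method}: OS user {os_user!r} is not role {role!r}")
        if not r.cont:
            return "reject", trail  # current first-match behaviour
    return "reject", trail  # no rule left

# Constructed sample rule set: peer first, falling back to md5.
SAMPLE = [Rule("all", "all", "peer", cont=True), Rule("all", "all", "md5")]

if __name__ == "__main__":
    print(select_method(SAMPLE, "app", "alice", "alice"))
    print(select_method(SAMPLE, "app", "alice", "www-data"))
```

The trail is what lets the server still log the original peer failure after it has moved on to the password request.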
