On Sat, 25 Aug 2001, Tom Lane wrote:
> "Dominic J. Eidson" <[EMAIL PROTECTED]> writes:
> >> Could we change the PAM code so that it tries to run the PAM auth cycle
> >> immediately on receipt of a connection request? If it gets a callback
> >> for a password, it abandons the PAM conversation, sends off a password
> >> request packet, and then tries again when the password comes back.
>
> > I am attempting to do this in a way that's relatively elegant, and the
> > code should get sent to -patches tomorrow sometime , after I've had time
> > to do some testing.
>
> I think that the main objection to the original form of the PAM patch
> was that it would lock up the postmaster until the client responded.
> However, that is *not* a concern any longer, since the current code
> forks first and authenticates after. Accordingly, you shouldn't be
> complexifying the PAM code to avoid waits.
The complexity comes from getting PAM to only send a password request to
the frontend if the PAM authentication needs a password, and not
otherwise. As I'd mentioned to Bruce before, I think PAM authentication
should be treated like password authentication - if there's a potential
that a password might be required, request a password, whether it's needed
or not. But PeterE asked that it only request a password if a password is
needed, so I'm fighting to get it to do exactly that.
(I already knew auth is done in the backend, and therefor can be blocking :)
--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]
