, Aidan Cully <aidan@kublai.com>
From: Henry B. Hotz <hotz@jpl.nasa.gov>
List: netbsd-users
Date: 04/02/2002 12:08:15
At 8:17 PM -0500 3/27/02, Jim Wise wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On Wed, 27 Mar 2002, Aidan Cully wrote:
>
>>I take some issue with that... ident can be very useful in limited
>>situations. If you've got a multi-user shell service, and don't want
>>to ask your users for passwords when they connect over TCP to another
>>service you've got, but this service provides different things to
>>different users, ident is not a bad way to go. INN's nnrpd can
>>resolve users over ident because of just this situation.
>>
>>ident is useless once you leave a trusted area.
>
>Which is to say that you translate a problem of imitating a trusted uer
>at a trusted IP to a problem of imitating jut the trusted IP? If that's
>your goal, use .rhosts...
One of the easy ways to configure PostgreSQL is to use identd to
identify the user when the request comes from the same machine as the
server is running on. All the other ways of authenticating a user
connection are a real pain in comparison. This is a standard
application, compiled as provided.
I've always considered that if I couldn't trust the machine I was
running on then I was pretty much hosed anyway. CFS doesn't prevent
root from seeing your data files, nor Kerberos prevent root from
impersonating you.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu