On 1/3/23 04:11, Thomas Munro wrote:
Here's a draft patch to tackle a couple of TODOs in the RADIUS code in auth.c.
Nice to see someone working on this! I know of one company which could have used the configurable timeout for radius because the 3 second timeout is too short for 2FA. I think they ended up using PAM or some other solution in the end, but I am not 100% sure.
[...] While adding the GUC I couldn't help wondering why RADIUS even needs a timeout separate from authentication_timeout; another way to go here would be to remove it completely, but that'd be a policy change (removing the 3 second timeout we always had). Thoughts?
It was some time since I last looked at the code but my impression was that the reason for having a separate timeout is that you can try the next server after the first one timed out (multiple radius servers are allowed). But I wonder if that really is a useful feature or if someone just was too clever or it just was an accidental feature.
Andreas