On Mon, Oct 24, 2016 at 2:03 PM, Samuel D. Leslie <s...@nexiom.net> wrote:
> Hello everyone, > > I’d like to submit the attached patch for feedback from the PostgreSQL > community and potential future inclusion in the codebase. The patch adds a > new parameter to the RADIUS authentication method named “radiustimeout”, > allowing the database administrator to configure the timeout in seconds to > wait for responses from a configured RADIUS server. Until now, this has > been hardcoded to three seconds by the RADIUS_TIMEOUT define in auth.c. > While this is usually sufficient for typical RADIUS server configurations, > there are some more unusual configurations where a higher timeout is > required. Examples include: > - Authenticating against a RADIUS server over a high latency link > - Authenticating against a RADIUS server that is performing additional > out-of-band authentication > > The latter case is applicable to a server I admin and spurred the > development of this patch. We implemented multi-factor authentication for > user access to a sensitive database via a RADIUS server implementation > which performs the standard username & password verification, and if it > succeeds, subsequently performs a second factor of authentication via a > configured mobile app. The RADIUS response confirming successful > authentication is only returned after both authentication factors have > completed. In our deployment, a timeout of 60 seconds seems to work well, > but certainly three seconds is not at all workable. > > Thanks in advance for any and all feedback. > I reviewed and tested the patch. It works as expected. Following are my observations during the test. 1. In case if the radiustimeout is more than authentication_timeout the client connection is stopped only when the radiustimeout is occurred. Do we need add the CHECK_FOR_INTERRUPTS() call or add this behavior information in the docs? 2. When the Postgresql Backend is waiting for a response from Radius server, in case if the client disconnects, still backend waits for the response from RADIUS server and then it closes. I feel the second case is rare, may not be a problem. Regards, Hari Babu Fujitsu Australia
