Re: The pg_hba.conf file

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: ghaverla(at)freenet(dot)edmonton(dot)ab(dot)ca
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: The pg_hba.conf file
Date: 2002-12-19 06:37:51
Message-ID: 20021219063751.GA12612@wolff.to
Lists: pgsql-novice

On Wed, Dec 18, 2002 at 22:38:59 -0700,
ghaverla(at)freenet(dot)edmonton(dot)ab(dot)ca wrote:
>
> 2 --------------------------------
> Next, authentication involving ident. From what I've been told by
> more security conscious people than myself, ident cannot be
> trusted off of the local machine. And, I've seen some ident daemons

That depends on whether or not you trust the administrator of the machine.
Under some circumstances it may make sense to trust ident on remote
machines.

> which apparently can be configured to lie. Which leads me to ask
> the question, is ident trustworthy for local connections? Certainly

Yes. If you can't trust the local machine, then you shouldn't be running
your postgres server on it. Note that ident for "local" (this doesn't
include connections to 127.0.0.1) connections does not depend on an ident
server.

> 3.1 ---------------------------------------------
> In the above local ... example, I suspect having "ident sameuser"
> as the authentication allowing access to the database "sameuser"
> restricts completely, but the "all" wildcard for the user seems out
> of place. Something like:
> local sameuser sameuser ident sameuser
> seems to better describe the situation, that I only want these
> connections by UNIX UIDs to databases with the same name as
> the UNIX UID.

The 'all' in the users field indicates that all users can use the
database matching their username. If you only want some users to
be able to do this you can use a list or group there. Having
'sameuser' there wouldn't make much sense since the supplied user name is
also the same as the supplied user name.

> It's not unusual to see sample pg_hba.conf files, which have
> a
> host all all 0.0.0.0 0.0.0.0 reject
> line at the end. Should a person have similar lines for hostssl
> and local connections? I.e.:

Well, the default will be to reject connections, so they aren't really needed
except to prevent accidents. However, 'host' will match 'hostssl' connections
(but not vice versa), so you don't need hostssl in addition to host if you
do that. 'local' connections are different and need a separate entry.
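The following is an added illustration, not code from this thread or from PostgreSQL itself: a small Python model of how the server walks pg_hba.conf for the cases the reply describes (first matching line wins, an unmatched connection is rejected, 'host' lines also cover SSL connections while 'hostssl' lines do not cover plain ones, 'local' means the Unix socket and not TCP to 127.0.0.1, and 'ident sameuser' admits a user only when the OS user name equals the requested database user). The pg_hba.conf text, the 'ops' group and the user names are constructed for the example; the real server's matcher handles more (ident maps, samegroup, hostnossl, CIDR notation) than this model does.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed pg_hba.conf text for this example (not the poster's file).
# Columns use the two-column IP-ADDRESS / IP-MASK layout seen in the thread.
# Line 1 is the "local sameuser all ident sameuser" rule discussed above;
# line 4 is the catch-all reject, which only makes the default explicit.
HBA_TEXT = """
# TYPE   DATABASE  USER  IP-ADDRESS   IP-MASK          METHOD
local    sameuser  all                                 ident sameuser
hostssl  all       all   10.0.0.0     255.255.255.0    md5
host     all       +ops  127.0.0.1    255.255.255.255  md5
host     all       all   0.0.0.0      0.0.0.0          reject
"""

# Hypothetical group membership, used by the "+ops" entry above.
GROUPS: Dict[str, List[str]] = {"ops": ["alice", "carol"]}

Rule = Dict[str, object]


def parse_hba(text: str) -> List[Rule]:
    """Parse pg_hba.conf lines into rule dicts; 'local' lines carry no address."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            rules.append({"type": "local", "db": f[1], "user": f[2],
                          "net": None, "method": f[3], "opt": f[4:]})
        elif f[0] in ("host", "hostssl") and len(f) >= 6:
            # Address plus dotted netmask, as in the old two-column layout.
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            rules.append({"type": f[0], "db": f[1], "user": f[2],
                          "net": net, "method": f[5], "opt": f[6:]})
        else:
            raise ValueError(f"unparseable pg_hba line: {raw!r}")
    return rules


def _type_matches(rule_type: str, conn_type: str) -> bool:
    if rule_type == "local":
        return conn_type == "local"              # Unix socket only; TCP to 127.0.0.1 is 'host'
    if rule_type == "host":
        return conn_type in ("host", "hostssl")  # a 'host' line also covers SSL connections
    return conn_type == "hostssl"                # a 'hostssl' line covers SSL connections only


def _db_matches(field: str, db: str, user: str) -> bool:
    # 'all', 'sameuser' (database named like the user), or a comma list of names.
    return any(item == "all" or item == db or (item == "sameuser" and db == user)
               for item in field.split(","))


def _user_matches(field: str, user: str) -> bool:
    # 'all', a user name, or '+group' for group membership; comma lists allowed.
    for item in field.split(","):
        if item == "all" or item == user:
            return True
        if item.startswith("+") and user in GROUPS.get(item[1:], []):
            return True
    return False


def decide(rules: List[Rule], conn_type: str, db: str, user: str,
           addr: Optional[str] = None, os_user: Optional[str] = None) -> Tuple[str, str]:
    """Walk the rules in order; the first line whose type, address, database and
    user all match decides.  Returns (outcome, reason) with outcome 'allow',
    'reject' or 'authenticate' (a password-style method would now run)."""
    for n, r in enumerate(rules, 1):
        if not _type_matches(r["type"], conn_type):
            continue
        if r["net"] is not None and (addr is None or ipaddress.ip_address(addr) not in r["net"]):
            continue
        if not _db_matches(r["db"], db, user) or not _user_matches(r["user"], user):
            continue
        m = r["method"]
        if m == "reject":
            return "reject", f"line {n}: explicit reject"
        if m == "trust":
            return "allow", f"line {n}: trust"
        if m == "ident" and r["opt"] == ["sameuser"]:
            # For 'local' the server reads the OS user from the socket itself,
            # no ident daemon involved; it must equal the requested DB user.
            if os_user == user:
                return "allow", f"line {n}: ident sameuser, OS user {os_user!r} matches"
            return "reject", f"line {n}: ident sameuser, OS user {os_user!r} != {user!r}"
        return "authenticate", f"line {n}: {m} authentication would run"
    return "reject", "no matching line: rejected by default"


RULES = parse_hba(HBA_TEXT)

if __name__ == "__main__":
    for case in [("local", "alice", "alice", None, "alice"),
                 ("local", "postgres", "alice", None, "alice"),
                 ("host", "alice", "alice", "10.0.0.5", None),
                 ("hostssl", "alice", "alice", "127.0.0.1", None)]:
        print(case, "->", decide(RULES, *case))
```

Worth noting from the model: a plain TCP connection to 127.0.0.1 never reaches the 'local' line, so the "ident sameuser" rule does nothing for it, and the non-SSL connection from 10.0.0.5 skips the 'hostssl' line and falls through to the reject, exactly the asymmetry the reply points out.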
