Re: [Pgsqlrpms-hackers] ident auth vs. encrypting ident daemons

From: Olivier Thauvin <olivier(dot)thauvin(at)aerov(dot)jussieu(dot)fr>
To: pgsqlrpms-hackers(at)pgfoundry(dot)org
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: [Pgsqlrpms-hackers] ident auth vs. encrypting ident daemons
Date: 2006-06-16 00:59:30
Message-ID: 200606160259.36192.olivier.thauvin@aerov.jussieu.fr
Lists: pgsql-hackers

On Thursday 15 June 2006 22:29, Tom Lane wrote:
> Currently, the Red Hat and (I believe) PGDG RPMs set up ident
> authentication as the default, by running initdb with
> --auth='ident sameuser'
> I think several other binary distros do the same.

Just to note, Mandriva still provides postgresql set up by default with trust
authentication, and only local connections are allowed. In fact the initdb is
run at the first 'service postgresql start'; we assume the sysadmin will set
it up.

But if you (the postgresql team) have any other preference (this can help new
users to have the software set up like all the documentation says), just let
me know; I have no problem with such a change (I am the maintainer of
postgresql for Mandriva, so I have control over this).

> It was pointed out to
> me recently that this does not work real well anymore on Fedora. It's
> fine on Unix-socket connections but fails entirely on localhost TCP,
> because (1) the TCP ident daemon isn't started by default (even assuming
> you installed it), and (2) if it is running, the default arguments for
> it include "-E" which causes it to return an encrypted version of the
> username. So authentication will always fail.

ident is a really old protocol. It is nice to save users from entering their
password for local connections, but it is completely untrusted from a remote
computer. Most admins will simply say that running identd is only a way to
have security issues, and it is often filtered; hopefully nobody filters it
on the loopback interface :)

> * I'm inclined to make the Red Hat RPMs default to ident on socket and
> md5 on localhost ... any comments about that?
>

Nothing really, except that I agree (as a user and as a packager), and again,
if you have a preference about the default method distributions should
provide, just say so; I'll do it for Mandriva in my case.
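
The defaults discussed in this thread, as an added example that is not part of the original message or of any distribution's packaging: a small checker that reads pg_hba.conf text and reports rules that differ from the "ident on socket, md5 on localhost" proposal. The sample file, the function names and the finding texts are constructed for illustration.

```python
import ipaddress

CONN_TYPES = {"local", "host", "hostssl", "hostnossl"}

# Constructed sample, not taken from any distribution's package.
SAMPLE = """\
# TYPE  DATABASE  USER  ADDRESS                    METHOD
local   all       all                              ident sameuser
host    all       all   127.0.0.1/32               ident sameuser
host    all       all   127.0.0.1 255.255.255.255  md5
host    all       all   ::1/128                    trust
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Yield (line_no, conn_type, address, method) for each rule."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[0] not in CONN_TYPES:
            continue
        conn_type, rest = fields[0], fields[3:]  # skip TYPE DATABASE USER
        address = None
        if conn_type != "local":
            address = rest.pop(0)
            # Older files give IP-ADDRESS and IP-MASK as two columns.
            if "/" not in address and rest and _is_ip(rest[0]):
                address += "/" + rest.pop(0)
        if rest:
            yield line_no, conn_type, address, rest[0]

def audit(text):
    """Return (line_no, reason) for rules that differ from the proposal."""
    findings = []
    for line_no, conn_type, address, method in parse_hba(text):
        if method == "trust":
            findings.append((line_no, f"trust on {address or 'socket'}: no credential check"))
        elif method == "ident" and conn_type != "local":
            findings.append((line_no, f"ident on {address}: needs a TCP ident daemon"))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit(SAMPLE):
        print(f"line {line_no}: {reason}")
```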
