| From: | Andres Freund <andres(at)2ndquadrant(dot)com> |
|---|---|
| To: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: HINT: pg_hba.conf changed since last config reload |
| Date: | 2014-08-10 12:07:13 |
| Message-ID: | 20140810120713.GA18647@alap3.anarazel.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Hi,
On 2014-08-10 19:48:29 +0800, Craig Ringer wrote:
> I just had an idea I wanted to run by you all before turning it into a
> patch.
>
> People seem to get confused when they get auth errors because they
> changed pg_hba.conf but didn't reload.
>
> Should we emit a HINT alongside the main auth error in that case?
>
> Given the amount of confusion that I see around pg_hba.conf from new
> users, I figure anything that makes it less confusing might be a good
> thing if there aren't other consequences.
I think we could/would only emit that to the server log because of
security concerns. It very well might be interesting for an attacker to
know that an outdated hba.conf is still being used... Would that still
provide enough benefits?
Greetings,
Andres Freund
--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
| From | Date | Subject | |
|---|---|---|---|
| Next Message | MauMau | 2014-08-10 12:31:18 | Re: Improvement of versioning on Windows, take two |
| Previous Message | Craig Ringer | 2014-08-10 11:48:29 | HINT: pg_hba.conf changed since last config reload |