Re: Using both ident and password in pg_hba.conf

From: "D'Arcy J.M. Cain" <darcy@druid.net>
To: Scott Mead <scottm@openscg.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, PostgreSQL General <pgsql-general@postgresql.org>
Subject: Re: Using both ident and password in pg_hba.conf
Date: 2016-05-10 02:43:53
Message-ID: 20160509224353.6b3de40e@imp
Lists: pgsql-general

On Mon, 9 May 2016 17:50:52 -0400
Scott Mead <scottm@openscg.com> wrote:
> > was thinking of something like this:
> >
> > host all joe@nobody 192.168.151.75/32 password
> > host all all 192.168.151.75/32 ident
> >
> > The "all@nobody" field is meant to specify that the remote user is
> > nobody but that they are connecting as user joe. You would be able
> > to use "all" as well. You don't even need to do an ident check
> > unless the auth method is "trust" which would be silly anyway. In
> > fact "password" is the only method that even makes any sense at all.
>
> So, at a high-level, you want:
>
> - Users deploying php scripts in apache to require a password ( btw
> -- use md5, not password)

I was using "password" in the generic sense.

> - Users running php scripts from their shell accounts to connect with
> no password to the database
>
> Is that correct?

Absolutely not. I am allowing ident authentication for users because I
trust the client machine but require password (md5, whatever) when they
want to connect to their database but I can't confirm who they are.

> Why not just require that everyone use an (again: *md5*) to
> connect? It would be significantly more secure. Is there a
> requirement that shell account users be able to connect without
> providing a password?

They aren't actually shell account users. I have a shell machine too
but this is from the web server. If I require passwords then they have
to store them in their scripts. The scripts can be secured from other
users but not admins and since we don't otherwise know their raw
passwords I wouldn't like to expose them, even to us.

Of course PHP scripts have to run as nobody so I have no choice other
than to have them store passwords in various config.php files but PHP
users are used to that. I would like to fix that but that's a war for
another day.

--
D'Arcy J.M. Cain <darcy@druid.net> | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 788 2246 (DoD#0082) (eNTP) | what's for dinner.
IM: darcy@Vex.Net, VoIP: sip:darcy@druid.net
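The pg_hba.conf matching that the thread is arguing about, as an added example that is not part of the original thread and not PostgreSQL's own parser. PostgreSQL uses the first record whose type, database, user and address all match, and there is no fall-through to a later record if authentication under that record fails; the "joe@nobody" form quoted above is not valid syntax, so the closest real layout is a user-specific `md5` record placed before the general `ident` record. The sample config, the user name "joe", the database "mydb", the ident map name "webhosts" and the trailing cleartext `password` record are all constructed for illustration. The matcher only understands CIDR addresses and the keyword `all` (no hostnames, `address netmask` pairs, `+role` or `samerole` forms).

```python
"""Resolve which pg_hba.conf record a connection attempt would hit.

Constructed example, not PostgreSQL's own code.  Assumptions: addresses
are written in CIDR form, and the only keyword used in the DATABASE and
USER columns is "all".
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Methods that give the credential no protection on the wire:
# "trust" asks for nothing, "password" sends the password in cleartext.
WEAK_METHODS = {"trust", "password"}


@dataclass
class HbaRecord:
    lineno: int
    conn_type: str              # local | host | hostssl | hostnossl
    databases: List[str]
    users: List[str]
    network: Optional[Network]  # None for "local" (Unix socket) records
    method: str
    options: Dict[str, str] = field(default_factory=dict)


def parse_pg_hba(text: str) -> List[HbaRecord]:
    """Parse records in pg_hba.conf column order: TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            conn_type, dbs, users, network, method, opts = f[0], f[1], f[2], None, f[3], f[4:]
        else:
            conn_type, dbs, users, method, opts = f[0], f[1], f[2], f[4], f[5:]
            network = ipaddress.ip_network(f[3], strict=False)
        options = dict(o.split("=", 1) for o in opts)  # options are always name=value
        records.append(HbaRecord(lineno, conn_type, dbs.split(","), users.split(","),
                                 network, method, options))
    return records


def first_match(records: List[HbaRecord], conn_type: str, database: str,
                user: str, address: Optional[str] = None) -> Optional[HbaRecord]:
    """Return the first record PostgreSQL would select for this connection, or None."""
    ip = ipaddress.ip_address(address) if address is not None else None
    for rec in records:
        if rec.conn_type == "local":
            if conn_type != "local":
                continue
        else:
            if conn_type == "local" or ip is None:
                continue
            # "host" matches SSL and non-SSL; hostssl/hostnossl match only their own kind.
            if rec.conn_type in ("hostssl", "hostnossl") and rec.conn_type != conn_type:
                continue
            if ip not in rec.network:   # also False when IPv4/IPv6 versions differ
                continue
        if "all" not in rec.databases and database not in rec.databases:
            continue
        if "all" not in rec.users and user not in rec.users:
            continue
        return rec
    return None


def weak_records(records: List[HbaRecord]) -> List[HbaRecord]:
    """Records whose method sends the credential in cleartext or skips auth entirely."""
    return [r for r in records if r.method in WEAK_METHODS]


# Constructed pg_hba.conf; 192.168.151.75 plays the web host from the thread.
SAMPLE_HBA = """\
# joe's scripts run as "nobody", so identd cannot vouch for them: require a password.
host  all  joe  192.168.151.75/32  md5
host  all  all  192.168.151.75/32  ident map=webhosts   # everyone else: trust the web host's identd
host  all  all  0.0.0.0/0          password             # cleartext on the wire; flagged by weak_records()
"""

if __name__ == "__main__":
    recs = parse_pg_hba(SAMPLE_HBA)
    for who, addr in (("joe", "192.168.151.75"), ("alice", "192.168.151.75"), ("joe", "10.0.0.5")):
        hit = first_match(recs, "host", "mydb", who, addr)
        print(f"{who}@{addr}: line {hit.lineno} -> {hit.method} {hit.options}")
    for r in weak_records(recs):
        print(f"line {r.lineno}: method '{r.method}' offers no credential protection")
```

Because selection stops at the first match, swapping the two 192.168.151.75 records would silently route "joe" to `ident` as well, and the `md5` line would never be consulted; running `first_match` against a proposed file before reloading it is a cheap way to catch that ordering mistake.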
