| From: | Karsten Hilbert <Karsten(dot)Hilbert(at)gmx(dot)net> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Postgres Pain Points: 1 pg_hba conf |
| Date: | 2016-08-11 19:00:48 |
| Message-ID: | 20160811190048.GC3623@hermes.hilbert.loc |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Thu, Aug 11, 2016 at 11:04:37AM -0600, support-tiger wrote:
> #1) pg_hba conf
> Out of the box the md5 setting blocks access. Most "advice" say change to
> "all all trust" and indeed that works. But that seems a big security issue.
> Specifying a postgres role, password, and peer does not seem to work. And
> this approach is problematic if there are many roles or even dynamically
> created roles.
>
> Or is pb_hba conf set up for web sockets and we should be using sockets?
>
> For general use, it seems we should not have to modify this file - it should
> "just work" with good security.
While I agree this sounds desirable I don't think it is
possible (depending on the definition of "possible").
Would you like to offer a suggestion as to what pg_hba.conf
should be configured as by default ? (Note that I am not
soliciting a suggestion on behalf of the PostgreSQL team.)
Methinks "deny-by-default" is Good Practice security-wise ?
Regards,
Karsten
--
GPG key ID E4071346 @ eu.pool.sks-keyservers.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andreas Joseph Krogh | 2016-08-11 20:20:24 | Re: Postgres Pain Points 2 ruby / node language drivers |
| Previous Message | Andy Colson | 2016-08-11 18:31:12 | Re: pg_logical_slot_get_changes |