Re: Let people set host(no)ssl settings from initdb

On Wed, Jan 08, 2020 at 02:53:47AM +0000, tsunakawa(dot)takay(at)fujitsu(dot)com wrote:
> From: David Fetter <david(at)fetter(dot)org>
> > > But I see two problems with the proposed approach: (1) initdb
> > > doesn't support setting up SSL, so the only thing you can achieve
> > > here is to reject all TCP/IP connections, until you have set up SSL.
> >
> > I don't believe any special setup is needed to require TLS for the
> > connection, which is what this patch handles in a straightforward way.
>
> I think this feature can be useful because it's common to reject remote non-TLS connections. Eliminating the need to script for pg_hba.conf is welcome. Setting GUC parameters just after initdb is relatively easy, because we can simply add lines at the end of postgresql.conf. But pg_hba.conf is not because the first matching entry is effective.
>
> In terms of rejecting non-secure remote connections, should hostgssenc/hostnogssenc also be handled similarly?

Yes, and they are in the enclosed patch.

> > > (2) The default pg_hba.conf only covers localhost connections.
> >
> > As of this patch, it can be asked to cover all connections.
>
> + <term><option>--auth-hostssl=<replaceable class="parameter">authmethod</replaceable></option></term>
> + <listitem>
> + <para>
> + This option specifies the authentication method for users via
> fg
> + TLS connections used in <filename>pg_hba.conf</filename>
> + (<literal>hostssl</literal> lines).
> + </para>
> + </listitem>
>
> The relationship between --auth/--auth-local/--auth-host and --auth-hostssl/--auth-hostnossl is confusing. The former is for local connections, and the latter is for remote ones. Can we just add "remote" in the above documentation?

Done.

> Plus, you're adding the first option to initdb that handles remote connections. As the following execution shows, it doesn't warn about using "trust" for remote connections.
>
>
> $ initdb --auth=md5 --pwprompt --auth-hostssl=trust --auth-hostnossl=trust
> ...
> syncing data to disk ... ok
>
> Success. You can now start the database server using:
>
> pg_ctl -D /tuna/pg2 -l logfile start
>
>
>
> I think we should emit a warning message like the following existing one:
>
> --------------------------------------------------
> initdb: warning: enabling "trust" authentication for local connections
> You can change this by editing pg_hba.conf or using the option -A, or
> --auth-local and --auth-host, the next time you run initdb.
> -
> initdb: warning: enabling "trust" authentication

Done.

Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate