Re: Assigning password to the superuser

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Justin Hawkins <justin(at)internode(dot)com(dot)au>
Cc: pgsql-general <pgsql-general(at)postgresql(dot)org>
Subject: Re: Assigning password to the superuser
Date: 2005-04-15 04:17:53
Message-ID: 29221.1113538673@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Justin Hawkins <justin(at)internode(dot)com(dot)au> writes:
> I'm putting together a system to monitor multiple postgresql
> installations and to gain full access to all remote statistics I'd like
> to connect as the super user.

> To do that I'd add a single IP entry in pg_hba.conf for the monitoring
> machine and give the superuser a password.

> The things I know I want to keep in mind:

> o Ensure I only allow user pgsql access from that one IP
> o Ensure I'm not passing the password or hash in cleartext over the
> general internet
> o (Alternatively, use SSL for all superuser connections)

I'd recommend enforcing SSL connections (see "hostssl"). If you are
pulling stats, there could be plenty of sensitive info passing over that
connection, eg the details of other people's queries. The password is
far from the only thing you want to protect.

> o Keep local 'trust' access for 'all' so I can continue to use tools
> like pg_dump locally without passwords

That is an orthogonal issue. However, have you thought about local IDENT?
Or for that matter, ~/.pgpass files work fine.

regards, tom lane

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Uwe C. Schroeder 2005-04-15 04:21:14 Re: psql performance
Previous Message Neil Conway 2005-04-15 04:09:26 Re: plpgsql default arguments