Re: Disable TRUST authentication by using ClientAuthentication_hook

2018-07-13 15:19 GMT+02:00 Fabrízio de Royes Mello <fabrizio(at)timbira(dot)com(dot)br>
:

>
> 2018-07-13 9:01 GMT-03:00 Guillaume Lelarge <guillaume(at)lelarge(dot)info>:
>
>> 2018-07-13 13:57 GMT+02:00 <kpi6288(at)gmail(dot)com>:
>>
>>> I’d like to disable the TRUST authentication method for certain servers
>>> where modification of pg_hba.conf and restarting a service is fairly easy
>>> for a number of users.
>>>
>>>
>>>
>>> I looked at this example https://wiki.postgresql.org/im
>>> ages/e/e3/Hooks_in_postgresql.pdf It appears that creating a
>>> ClientAuthentication_hook and call ereport(ERROR) in case that
>>> Port->HbaLine contains TRUST would do the job. Is that right?
>>>
>>>
>>>
>>> I am aware that this would not make the server entirely secure but it
>>> would make it at least a bit more difficult to enter.
>>>
>>>
>>>
>>
>> I'm not sure this is such a good idea. You may need the trust
>> authentication method, for example if you forgot the superuser password.
>> Otherwise, there's good chance you might use the ClientAuthentication hook
>> to do what you want.
>>
>>
>>
> If you're an server admin you can disable the extension (editing
> shared_pre_load_libraries GUC), change password and then enable the
> extension again...
>
>
That would require a restart.

And maybe you can implement a simple way to enable/disable this hook inside
> the extension.
>
>
That looks like a better idea.

--
Guillaume.