Re: Disabling trust/ident authentication configure option

From: Volker Aßmann <volker(dot)assmann(at)gmail(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Josh Berkus <josh(at)agliodbs(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Disabling trust/ident authentication configure option
Date: 2015-05-13 12:01:38
Message-ID: CAJBpAdwwX8MmHaqMu43YCLJLrpX=1uKAgzpwRBqU8xNX=920Kw@mail.gmail.com
Lists: pgsql-hackers

On Mon, May 11, 2015 at 10:00 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:

> On Thu, May 7, 2015 at 4:57 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> >> On Thu, May 7, 2015 at 11:02 AM, Stephen Frost <sfrost(at)snowman(dot)net>
> wrote:
> >> > I realize it's not going to be popular, but I'd love to have 'trust'
> >> > only allowed if a command-line option is passed to the postmaster or
> >> > something along those lines. It's really got no business being an
> >> > option for a network service like PG.
> >>
> >> I disagree wholeheartedly. There is such a thing as a trusted network.
> >
> > Likely a good topic of conversation to be had in Ottawa. :) I agree
> > that there are trusted networks, but the ones that I work with still
> > expect network services to require authentication and authorization.
> > Perhaps they're not really "trusted" then, from your perspective. On
> > the other hand, I suppose if you use pg_hba to limit which accounts can
> > be logged into with 'trust' then you might be able to have, say, a
> > "read-only" user/database that anyone could see. That's a pretty narrow
> > case though and I'd rather we figure out how to address it directly and
> > more specifically (no-password login roles?) than the broad
> > disable-all-authentication "trust" method.
>
> Let's suppose that you have an application server and a DB server
> running on the same node. That turns out to be too much load, so you
> move the application server to a separate machine and connect the two
> machines with a crossover cable, or a VLAN that has nothing else on
> it. To me, it's quite sane to want connections on that network to
> proceed without authentication or authorization. If you've got to
> open up the database more than that then, yes, you need authentication
> and authorization.
>
> --
> Robert Haas
> EnterpriseDB: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>

Even in this case it still means that any breach in any of the network
services running on your application server would immediately own your
database, or at least everything your application can access. This applies
even to totally unrelated services running with restricted permissions.
Using password or certificate based authentication at least gives you the
additional security of local filesystem access controls and is not much
harder to set up. M2M authentication is always a difficult topic as the
"authentication tokens" have to be secured but I would agree that a more
specific / secure method than "disable-all-authentication" would be
preferable.

Best regards,

Volker
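The two configurations being argued over, as an added illustration that is not part of the thread and not taken from the PostgreSQL source or docs: the first pg_hba.conf entry is the "trust on a dedicated VLAN" setup Robert describes, the second is the certificate-based alternative Volker favours for the same link, where the database only accepts a connection from a process that can read a private key file on the application host. Addresses (10.0.0.0/30, 10.0.0.2), the role and database names (app, appdb), the client certificate CN and the file paths are assumptions for the example. The password method is shown as md5, which is what PostgreSQL offered at the time of this thread; on 10 and later, scram-sha-256 is the correct choice.

```text
# pg_hba.conf on the database host (added example; addresses and names are assumed)

# Weak: any process on the application host that can reach 10.0.0.1:5432
# is logged in as "app" with no credential at all. A compromise of any
# unrelated service on that host is a compromise of appdb.
host     appdb   app   10.0.0.0/30   trust

# Better, same link, password-based. The password lives in ~/.pgpass on the
# application host, which libpq refuses to read unless it is mode 0600, so
# only the application's own UID can use it. md5 was the option in 9.x;
# use scram-sha-256 on PostgreSQL 10+.
hostssl  appdb   app   10.0.0.0/30   md5

# Better still, certificate-based. "cert" implies clientcert=1: the client
# must present a certificate signed by the CA in ssl_ca_file, and its CN
# must equal the role name (or be mapped through pg_ident.conf with map=).
# The client key (~/.postgresql/postgresql.key) must be mode 0600 or libpq
# rejects it, so again the filesystem decides who can authenticate.
hostssl  appdb   app   10.0.0.0/30   cert map=appmap

# pg_ident.conf: allow a CN that is not literally the role name
# MAPNAME   SYSTEM-USERNAME          PG-USERNAME
appmap      app-server.example.test  app
```

The operational point is the ordering: pg_hba.conf is matched top to bottom, so a leftover `trust` line above a `cert` line for the same address range silently wins. When replacing trust with either of the stronger methods, remove the trust line rather than adding the new one beneath it, and reload (`pg_ctl reload` or `SELECT pg_reload_conf();`) so the change takes effect. Volker's caveat still stands for both stronger options: the secret is now a file on the application host, so the protection is exactly as good as the UID separation and permissions around that file.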
