Re: purpose of an entry in pg_hba.conf file

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: Atul Kumar <akumar14871(at)gmail(dot)com>
Cc: pgsql-general <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: purpose of an entry in pg_hba.conf file
Date: 2023-10-26 00:22:40
Message-ID: CAKFQuwYBFufC2QdchiqbTV2o1rH_tYCoC3co-Wk8xPnN9OfAjQ@mail.gmail.com
Lists: pgsql-general

On Wed, Oct 25, 2023 at 5:11 PM Atul Kumar <akumar14871(at)gmail(dot)com> wrote:

> Hi,
>
> As you know already, pg_hba.conf file always has the below entry after
> successful installation of postgres.
>
> host all all 127.0.0.1/32 trust
>
>
> Please let me know what is the exact purpose of this entry and what would
> be the impact of removing it on other tools/processes like pgbouncer, pem,
> replication etc ?
>
>
>
While that may be a true statement for installation from source, I'm pretty
certain most packagers have a more tightly controlled setup that doesn't
involve "trust" authentication.

The reason behind choosing to include that specific line is to minimize the
amount of post-install effort needed for one to connect to the server from
the local machine, which is often a personal machine with only the "DBA"
having access to it.

The better and more widely implemented default is requiring a password for
host while accepting peer for local.

All external tools should be told what credentials to use to connect to the
server and those credentials added to the system and a more restrictive
pg_hba.conf entry added to permit those connections. All trust connections
in pg_hba.conf should be removed from it as quickly as possible.

David J.
