From: | Craig Ringer <craig(at)2ndquadrant(dot)com> |
---|---|
To: | pgsql-pkg-yum <pgsql-pkg-yum(at)postgresql(dot)org> |
Subject: | Disable 'ident' as default auth method |
Date: | 2019-10-09 03:22:02 |
Message-ID: | CAMsr+YE+K65nHdP-i82F=vKHZvLU+woT-WUkA0arPZwv=K+YEw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-pkg-yum |
The PGDG RPM packages for PostgreSQL use 'ident' as the default auth method
for loopback TCP connections.
This should be changed, as ident auth is not enabled on RH/Fedora systems
by default. ident is insecure outside the loopback interface and should be
strongly discouraged anyway.
This is the user's typical experience:
myuser$ sudo -u postgres -i
postgres$ psql -h localhost
psql: FATAL: Ident authentication failed for user "postgres"
Using 'md5' with no default pw isn't much better:
$ sudo -i -u postgres psql -h localhost postgres
Password for user postgres:
psql: fe_sendauth: no password supplied
but if we can't do as Debian does and prompt for an initial pw (where
interactive), at least it's consistent with how Pg is installed elsewhere.
Otherwise it could just be 'reject' so users can tell what's going on and
are directed to the appropriate file:
$ sudo -i -u postgres psql -h localhost postgres
psql: FATAL: pg_hba.conf rejects connection for host "127.0.0.1", user
"postgres", database "postgres", SSL off
(It's a shame we can't easily add a "HINT: try omitting the host setting to
use local unix socket connections instead" when we see conn failures on
loopback, but we probably can't.)
--
Craig Ringer http://www.2ndQuadrant.com/
2ndQuadrant - PostgreSQL Solutions for the Enterprise
From | Date | Subject | |
---|---|---|---|
Next Message | Markus Bräunig | 2019-10-09 04:36:33 | Re: Disable 'ident' as default auth method |
Previous Message | Enn Rebaste | 2019-10-08 11:51:23 | oracle_fdw is missing from repository |