Re: Disable TRUST authentication by using ClientAuthentication_hook

From: Fabrízio de Royes Mello <fabrizio(at)timbira(dot)com(dot)br>
To: Guillaume Lelarge <guillaume(at)lelarge(dot)info>
Cc: kpi6288(at)gmail(dot)com, PostgreSQL General <pgsql-general(at)postgresql(dot)org>
Subject: Re: Disable TRUST authentication by using ClientAuthentication_hook
Date: 2018-07-13 13:19:51
Message-ID: CAPfkCSAp1h1kipBdd7TA3TM6FmDesQDe6Q=4Y_tnD4oDJoa5pQ@mail.gmail.com
Lists: pgsql-general

2018-07-13 9:01 GMT-03:00 Guillaume Lelarge <guillaume(at)lelarge(dot)info>:

> 2018-07-13 13:57 GMT+02:00 <kpi6288(at)gmail(dot)com>:
>
>> I’d like to disable the TRUST authentication method for certain servers
>> where modification of pg_hba.conf and restarting a service is fairly easy
>> for a number of users.
>>
>> I looked at this example
>> https://wiki.postgresql.org/images/e/e3/Hooks_in_postgresql.pdf
>> It appears that creating a ClientAuthentication_hook and calling
>> ereport(ERROR) in case that Port->HbaLine contains TRUST would do the job.
>> Is that right?
>>
>> I am aware that this would not make the server entirely secure but it
>> would make it at least a bit more difficult to enter.
>>
>
> I'm not sure this is such a good idea. You may need the trust
> authentication method, for example if you forgot the superuser password.
> Otherwise, there's a good chance you might use the ClientAuthentication hook
> to do what you want.
>
If you're a server admin you can disable the extension (editing
shared_preload_libraries GUC), change password and then enable the
extension again...

And maybe you can implement a simple way to enable/disable this hook inside
the extension.

Regards,

--
Fabrízio de Royes Mello Timbira - http://www.timbira.com.br/
PostgreSQL: Consulting, Development, 24x7 Support and Training
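
A detection-side complement to the hook discussed in this thread, added here as an example (it is not from any poster and is not PostgreSQL project code): it parses pg_hba.conf text and returns every record whose METHOD column is trust, which can be run from monitoring to catch the edits the original question worries about. SAMPLE is constructed, the function names are assumptions, and include directives are skipped rather than followed.

```python
import ipaddress
import shlex

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
# Constructed sample, not taken from a real server.
SAMPLE = """\
local   all  all       trust   # flagged
host    app, reports  all  10.0.0.5 255.255.255.255  trust
hostssl all  all  0.0.0.0/0 \\
        trust
host    trust  trust  192.168.1.0/24  md5
"""

def split_fields(record):
    """Tokenize one record: '#' starts a comment, double quotes group words."""
    lexer = shlex.shlex(record, posix=True)
    lexer.whitespace_split = True
    lexer.quotes = '"'   # pg_hba.conf quotes with double quotes only
    lexer.escape = ""    # a backslash is special only at end of line
    fields = []
    for tok in lexer:
        if fields and fields[-1].endswith(","):
            fields[-1] += tok      # "db1, db2" is one list field
        else:
            fields.append(tok)
    return fields

def is_bare_ip(text):
    try:
        ipaddress.ip_address(text)  # rejects CIDR, host names, keywords
        return True
    except ValueError:
        return False

def auth_method(fields):
    """Return the METHOD column (after ADDRESS, or after IP + netmask), else None."""
    kind = fields[0] if fields else ""
    if kind == "local":
        idx = 3                     # TYPE DATABASE USER METHOD
    elif kind in HOST_TYPES:
        idx = 5 if len(fields) > 3 and is_bare_ip(fields[3]) else 4
    else:
        return None                 # include directives, blank or comment lines
    return fields[idx] if len(fields) > idx else None

def find_trust(text):
    """Return every record, whitespace-normalized, whose method is trust."""
    joined = (text + "\n").replace("\\\n", "")  # undo line continuations
    records = (split_fields(line) for line in joined.splitlines())
    return [" ".join(f) for f in records if auth_method(f) == "trust"]
```

The last sample line shows why the method is located by column position: a database and a role both named trust do not make the record a trust record.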
