Re: authentication

From: Oliver Elphick <olly(at)lfix(dot)co(dot)uk>
To: tim hall <tech(at)glastonburymusic(dot)org(dot)uk>
Cc: PostGreSQL <pgsql-novice(at)postgresql(dot)org>
Subject: Re: authentication
Date: 2004-08-24 14:57:07
Message-ID: 1093359427.15248.6.camel@linda
Lists: pgsql-novice

On Tue, 2004-08-24 at 15:15, tim hall wrote:
> > host=localhost uses TCP/IP. This is not the same as your local setup,
> > where host=<empty string>, which uses a Unix socket. If you specify
> > host=<empty string> to pgaccess, it should work like your local
> > connection and use a Unix socket (so long as the client is on the same
> > machine as the postmaster). As Tom pointed out, if you use a TCP/IP
> > connection, you need an ident server running on the client's machine to
> > support IDENT authentication.
>
> Ah right. I switched to trust based authentication so I could COPY my data
> into place on localhost, not ideal in the long term, but it'll do while I
> figure things out. The word 'server' was the missing bit from my
> understanding of IDENT, I'd read the bit in the docs that says 'start the
> server with the -i option'

or with the tcp_ip option in postgresql.conf
[shouldn't that connection error message be updated?]

> and had got as far as reading
> through /etc/init.d/postgresql in the hope there was something obvious in
> there :-] Perhaps it will make more sense if I look in the right place!
>
> > By the way, you should not use IDENT authentication between machines
> > unless you fully trust the administration of the client machines; faking
> > ident responses is quite easy to do.

On the other hand IDENT authentication for local connections is very
secure; subverting that would need the local kernel to be compromised.

> OK, thanks for the warning. I'll get it working the way I want it with my
> local version of apache before I try to deal with external machines. I'm
> going to have to be VERY sure of what I'm doing as my external server (and
> entire LUG) is LAMP oriented and (rightly) rather paranoid security-wise. I
> discover they had some misapprehensions about the sturdiness and maturity of
> PostgreSQL.

I think LAMP implies web browser, in which case use of IDENT
authentication is inappropriate anyway. That's because the connection
is made by the webserver, which is certainly not running with the
username that wants to log into postgresql. With a browser, you need to
use md5 authentication and prompt for username and password.

> Well, I'll continue my studies and hope to do a pypg presentation for my local
> group at some point in the not too distant future. Meeting you (Oliver) at
> Olympia in April helped me decide to stop flirting with LAMP and get on with
> the approach that I feel comfortable with (PostgreSQL + Python).

Nice to hear that!

--
Oliver Elphick olly(at)lfix(dot)co(dot)uk
Isle of Wight http://www.lfix.co.uk/oliver
GPG: 1024D/A54310EA 92C8 39E7 280E 3631 3F0E 1EC0 5664 7A2F A543 10EA
========================================
"I saw in the night visions, and, behold, one like the
Son of man came with the clouds of heaven, and came to
the Ancient of days, and they brought him near before
him. And there was given him dominion, and glory, and
a kingdom, that all people, nations, and languages,
should serve him; his dominion is an everlasting
dominion, which shall not pass away, and his kingdom
that which shall not be destroyed."
Daniel 7:13,14
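
As an added example (not part of the original message): a small Python check over a pg_hba.conf-style file that flags the two settings discussed in this thread, `trust` entries and `ident` on TCP/IP entries reachable from other machines. The sample file is constructed, the function names are hypothetical, and addresses are assumed to be numeric (either `ADDRESS MASK` or `ADDRESS/LEN`).

```python
import ipaddress

# Constructed sample; layout: TYPE DATABASE USER [ADDRESS [MASK]] METHOD [OPTION]
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                    METHOD
local   all       all                              ident sameuser
host    all       all   127.0.0.1 255.255.255.255  trust
host    all       all   192.168.1.0/24             ident sameuser
host    webapp    all   192.168.1.10/32            md5
"""


def parse_line(line):
    """Return (conn_type, network_or_None, method), or None for blanks/comments."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    conn_type = fields[0]
    if conn_type == "local":
        # Unix-socket record: local DATABASE USER METHOD [OPTION]
        return conn_type, None, fields[3]
    # TCP/IP record: host DATABASE USER ADDRESS[/LEN] [MASK] METHOD [OPTION]
    addr = fields[3]
    if "/" in addr:
        return conn_type, ipaddress.ip_network(addr, strict=False), fields[4]
    net = ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False)
    return conn_type, net, fields[5]


def audit(text):
    """Return a list of (line_number, reason) for entries worth reviewing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        conn_type, net, method = rec
        if method == "trust":
            findings.append((lineno, "trust: no authentication is performed"))
        elif method == "ident" and conn_type != "local" and not net.is_loopback:
            # Over TCP/IP the answer comes from the client machine's ident server.
            findings.append((lineno, "ident over TCP/IP from other machines"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE_HBA):
        print(f"line {lineno}: {reason}")
```

The `local ... ident` entry is left unflagged, matching the point above that ident on a Unix socket depends only on the local kernel, and the `md5` entry is what a web application's connection would use.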
