Re: Use "samehost" by default in pg_hba.conf?

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Use "samehost" by default in pg_hba.conf?
Date: 2009-10-01 03:30:59
Message-ID: 20091001033059.GC17756@tamriel.snowman.net
Lists: pgsql-hackers

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > I'm not sure if it out-ranks the advantages of the change for buildfarm
> > support, but the above change isn't actually without any disadvantage.
> > Specifically, not every auth mechanism that works with -h machine_name
> > works with -h localhost, but the first record in pg_hba which is matched
> > is used. I could have:
>
> > host all all 127.0.0.1/32 @authmethod@
> > host all all A.B.C.D/32 @authmethod2@
>
> If you've got any such thing, you've got a *nondefault* pg_hba.conf
> file. Or are you opining that people who are smart enough to set
> that up are too stupid to replace a single "samehost" entry with
> the two entries they need?

I was mainly just trying to address that 127.0.0.1->samehost is not a
change without possible downfalls, in general. If a packager imposed
or recommended such a change it could break things for end users. We do
use 'host all all 127.0.0.1/32 md5' in the default Debian configuration.
If that was later changed to 'samehost' and then the diff applied to
some configurations (something Debian wouldn't do without asking, but it
might ask if you wanted to use the maintainer's version of the file, and
I know that I've done that in the past and then added back my local
changes, especially if I can do so easily by just adding lines to the
end of the file..), things could break.

I have no idea how/if this would apply anywhere else. In general, I
think the user could figure out, but running these kinds of issues down
can be annoying when it's not necessarily clear what's happening.

My comment was primarily for Martin's benefit and could probably be
resolved by just adding some commentary to the default config saying
that this might override other pg_hba lines below which used to apply
to connections over the local system's network IP.

Thanks,

Stephen
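
An added illustration of the first-match behaviour discussed in this message (not code from the thread or from PostgreSQL): a small checker that reports which client addresses select a different pg_hba record once `127.0.0.1/32` is replaced by `samehost`. The address `192.0.2.10` standing in for A.B.C.D, the local address list, and all function names are assumptions made for the example; only simple `host` records are handled and the database/user columns are not evaluated.

```python
import ipaddress

# Constructed sample: 192.0.2.10 stands in for the server's network IP (A.B.C.D);
# "authmethod"/"authmethod2" are the placeholders used in the message.
LOCAL_IPS = ["127.0.0.1", "192.0.2.10"]
BEFORE = """\
host all all 127.0.0.1/32 authmethod
host all all 192.0.2.10/32 authmethod2
"""
AFTER = BEFORE.replace("127.0.0.1/32", "samehost")

def parse_hba(text):
    """Return (lineno, address, method) for each 'host' record; others are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        # Simplification: only 'host <db> <user> <address> <method>' is handled,
        # and the database/user columns are not evaluated (assumed "all").
        if len(fields) >= 5 and fields[0] == "host":
            rules.append((lineno, fields[3], fields[4]))
    return rules

def address_matches(address, client, local_addrs):
    if address == "all":
        return True
    if address == "samehost":  # any of the server's own IP addresses
        return client in local_addrs
    return client in ipaddress.ip_network(address, strict=False)

def first_match(text, client_ip, local_ips=LOCAL_IPS):
    """Return (lineno, method) of the first record matching client_ip, or None."""
    client = ipaddress.ip_address(client_ip)
    local_addrs = {ipaddress.ip_address(a) for a in local_ips}
    for lineno, address, method in parse_hba(text):
        if address_matches(address, client, local_addrs):
            return lineno, method
    return None

def changed_clients(before, after, clients, local_ips=LOCAL_IPS):
    """List clients whose selected record differs between two configurations."""
    return [(c, first_match(before, c, local_ips), first_match(after, c, local_ips))
            for c in clients
            if first_match(before, c, local_ips) != first_match(after, c, local_ips)]

if __name__ == "__main__":
    for row in changed_clients(BEFORE, AFTER, ["127.0.0.1", "192.0.2.10", "198.51.100.7"]):
        print(row)
```

Run against a packaged file and a locally modified one, the same comparison shows which later records stop being reached for connections over the local system's network IP.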
