From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Andres Freund <andres(at)anarazel(dot)de> |
Cc: | Josh Berkus <josh(at)agliodbs(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Volker Aßmann <volker(dot)assmann(at)gmail(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Disabling trust/ident authentication configure option |
Date: | 2015-05-20 23:46:12 |
Message-ID: | 20150520234612.GO26667@tamriel.snowman.net |
Lists: | pgsql-hackers |

Andres,

* Andres Freund (andres(at)anarazel(dot)de) wrote:
> On 2015-05-20 15:42:23 -0400, Stephen Frost wrote:
> > > So the first thing to establish is "other than Volker himself, who are
> > > we helping here?"
> >
> > I don't agree with this either. Providing a "bypass all authentication"
> > configuration option really isn't a good thing. Why don't packagers use
> > our default pg_hba.conf? Because it only makes sense in a development
> > type of environment. I'd argue the same is true for 'trust'.
>
> Uh. So if the shit hit the fan because you mismanaged a password
> rollover, Kerberos is down, or something like that, and you can't
> access postgres anymore you want to recompile? And no, peer isn't an
> answer, it's not available on windows. Your only way out
> is going to be single user mode. But wait, that's a security hole too.

Apologies for not being clearer. I agree that we need an alternative
for addressing this use-case before we can consider getting rid of
'trust' or not having it built into the binaries which are distributed.
In other words, I agree with you that we can't simply get rid of 'trust'
without having another solution. I *do* believe that a real single-user
mode that is only available to the owner of the cluster would go a long
way towards this goal. If 'trust' was only able to be used by the owner
of the database, I'd have much less of an issue with it.

> I find the arguments presented in this thread for a configure option
> entirely unconvincing. If you'd argued for a saner default
> authentication setup: I'd be on board with that. But this seems just a
> pointless exercise in making things more complicated.

Thankfully, the packagers have already addressed the insecure default
that the source build provides for pg_hba.conf and so we don't need to
worry about it (except perhaps for new distributions or new packagers,
but I hope they'll usually look at the existing packages and not just
distribute what we provide as the default pg_hba.conf).

Thanks!

Stephen