Re: Let people set host(no)ssl settings from initdb

From: David Fetter <david(at)fetter(dot)org>
To: "tsunakawa(dot)takay(at)fujitsu(dot)com" <tsunakawa(dot)takay(at)fujitsu(dot)com>
Cc: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Let people set host(no)ssl settings from initdb
Date: 2020-01-17 19:47:49
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

On Wed, Jan 08, 2020 at 02:53:47AM +0000, tsunakawa(dot)takay(at)fujitsu(dot)com wrote:
> From: David Fetter <david(at)fetter(dot)org>
> > > But I see two problems with the proposed approach: (1) initdb
> > > doesn't support setting up SSL, so the only thing you can achieve
> > > here is to reject all TCP/IP connections, until you have set up SSL.
> >
> > I don't believe any special setup is needed to require TLS for the
> > connection, which is what this patch handles in a straightforward way.
> I think this feature can be useful because it's common to reject remote non-TLS connections. Eliminating the need to script for pg_hba.conf is welcome. Setting GUC parameters just after initdb is relatively easy, because we can simply add lines at the end of postgresql.conf. But pg_hba.conf is not because the first matching entry is effective.
> In terms of rejecting non-secure remote connections, should hostgssenc/hostnogssenc also be handled similarly?

Yes, and they are in the enclosed patch.

> > > (2) The default pg_hba.conf only covers localhost connections.
> >
> > As of this patch, it can be asked to cover all connections.
> + <term><option>--auth-hostssl=<replaceable class="parameter">authmethod</replaceable></option></term>
> + <listitem>
> + <para>
> + This option specifies the authentication method for users via
> fg
> + TLS connections used in <filename>pg_hba.conf</filename>
> + (<literal>hostssl</literal> lines).
> + </para>
> + </listitem>
> The relationship between --auth/--auth-local/--auth-host and --auth-hostssl/--auth-hostnossl is confusing. The former is for local connections, and the latter is for remote ones. Can we just add "remote" in the above documentation?


> Plus, you're adding the first option to initdb that handles remote connections. As the following execution shows, it doesn't warn about using "trust" for remote connections.
> $ initdb --auth=md5 --pwprompt --auth-hostssl=trust --auth-hostnossl=trust
> ...
> syncing data to disk ... ok
> Success. You can now start the database server using:
> pg_ctl -D /tuna/pg2 -l logfile start
> I think we should emit a warning message like the following existing one:
> --------------------------------------------------
> initdb: warning: enabling "trust" authentication for local connections
> You can change this by editing pg_hba.conf or using the option -A, or
> --auth-local and --auth-host, the next time you run initdb.
> -
> initdb: warning: enabling "trust" authentication


David Fetter <david(at)fetter(dot)org>
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres:

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Paul A Jungwirth 2020-01-17 20:07:54 Re: range_agg
Previous Message Alvaro Herrera 2020-01-17 19:22:18 Re: Remove page-read callback from XLogReaderState.