Re: Logging of matching pg_hba.conf entry during auth skips trust auth, potential security issue

On Thu, Aug 17, 2023 at 12:54 PM Jacob Champion <jchampion(at)timescale(dot)com> wrote:
> On Thu, Aug 17, 2023 at 9:46 AM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > Don't like 'skipped' but that feels closer.
> >
> > How about 'connection bypassed authentication'?
>
> Works for me; see v2.

For what it's worth, my vote would be for "connection authenticated:
... method=trust". The only reason we're not doing that is because
there's some argument that trusting that the client is who they say
they are is not really authentication at all. But this seems silly,
because we put "trust" in the "METHOD" column of pg_hba.conf, so in
that case we already treat it as an authentication method. Also, any
such line in pg_hba.conf still matches against the supplied IP address
mask, which I suppose could be viewed as a form of authentication. Or
maybe not. But I wonder if we're just being too persnickety about
language here, in a way that maybe isn't consistent with our previous
practice.

--
Robert Haas
EDB: http://www.enterprisedb.com