| From: | Jacob Champion <jchampion(at)timescale(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Shaun Thomas <shaun(dot)thomas(at)enterprisedb(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Logging of matching pg_hba.conf entry during auth skips trust auth, potential security issue |
| Date: | 2023-08-17 16:42:35 |
| Message-ID: | CAAWbhmjZ0OFvZ79i9cn7nNBHG_L5SWaBMz+NUi0qbZr4mVbjZQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Thu, Aug 17, 2023 at 9:01 AM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> That doesn't seem quite right ... admittedly, 'trust' isn't performing
> authentication but there can certainly be an argument made that the
> basic 'matched a line in pg_hba.conf' is a form of authentication
I'm not personally on board with this argument, but...
> and
> worse really, saying 'not authenticated' would seem to imply that we
> didn't allow the connection when, really, we did, and that could be
> confusing to someone.
...with this one, I agree.
> Maybe 'connection allowed' instead..?
Hm. It hasn't really been allowed yet, either. To illustrate what I mean:
LOG: connection received: host=[local]
LOG: connection allowed: user="jacob" method=trust
(/home/jacob/src/data/pg16/pg_hba.conf:117)
LOG: connection authorized: user=jacob database=postgres
application_name=psql
Maybe "unauthenticated connection:"? "connection without
authentication:"? "connection skipped authentication:"?
--Jacob
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2023-08-17 16:46:34 | Re: Logging of matching pg_hba.conf entry during auth skips trust auth, potential security issue |
| Previous Message | Dave Cramer | 2023-08-17 16:34:36 | Re: Using defines for protocol characters |