RE: Let people set host(no)ssl settings from initdb

From: "tsunakawa(dot)takay(at)fujitsu(dot)com" <tsunakawa(dot)takay(at)fujitsu(dot)com>
To: 'David Fetter' <david(at)fetter(dot)org>
Cc: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Development <pgsql-hackers(at)postgresql(dot)org>
Subject: RE: Let people set host(no)ssl settings from initdb
Date: 2020-01-08 02:53:47
Message-ID: OSAPR01MB50734B39A76E65BCD09E5B73FE3E0@OSAPR01MB5073.jpnprd01.prod.outlook.com
Lists: pgsql-hackers

From: David Fetter <david(at)fetter(dot)org>
> > But I see two problems with the proposed approach: (1) initdb
> > doesn't support setting up SSL, so the only thing you can achieve
> > here is to reject all TCP/IP connections, until you have set up SSL.
>
> I don't believe any special setup is needed to require TLS for the
> connection, which is what this patch handles in a straightforward way.

I think this feature can be useful because it's common to reject remote non-TLS connections. Eliminating the need to script for pg_hba.conf is welcome. Setting GUC parameters just after initdb is relatively easy, because we can simply add lines at the end of postgresql.conf. But pg_hba.conf is not, because the first matching entry is the one that takes effect.

In terms of rejecting non-secure remote connections, should hostgssenc/hostnogssenc also be handled similarly?

> > (2) The default pg_hba.conf only covers localhost connections.
>
> As of this patch, it can be asked to cover all connections.

+ <term><option>--auth-hostssl=<replaceable class="parameter">authmethod</replaceable></option></term>
+ <listitem>
+ <para>
+ This option specifies the authentication method for users via
fg
+ TLS connections used in <filename>pg_hba.conf</filename>
+ (<literal>hostssl</literal> lines).
+ </para>
+ </listitem>
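Review bot: the <para> only says the method applies to "users via TLS connections"; since --auth-local and --auth-host already cover local and loopback connections, the text should say that these options govern remote (TCP/IP) connections, e.g. "the authentication method for remote users connecting over TLS, used in <filename>pg_hba.conf</filename> (<literal>hostssl</literal> lines)". The stray `fg` line between the two <para> lines also looks like a typo and should be dropped if it is actually in the patch.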

The relationship between --auth/--auth-local/--auth-host and --auth-hostssl/--auth-hostnossl is confusing. The former is for local connections, and the latter is for remote ones. Can we just add "remote" in the above documentation?

Plus, you're adding the first option to initdb that handles remote connections. As the following execution shows, it doesn't warn about using "trust" for remote connections.

$ initdb --auth=md5 --pwprompt --auth-hostssl=trust --auth-hostnossl=trust
...
syncing data to disk ... ok

Success. You can now start the database server using:

pg_ctl -D /tuna/pg2 -l logfile start

I think we should emit a warning message like the following existing one:

--------------------------------------------------
initdb: warning: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
-
initdb: warning: enabling "trust" authentication

Regards
Takayuki Tsunakawa
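As an added illustration, not code from the patch or from initdb, of why appending to pg_hba.conf does not work the way appending to postgresql.conf does: a toy first-match evaluator run over two constructed pg_hba.conf fragments. The sample addresses and the simplification that the database and user columns are always "all" are assumptions.

```python
"""Toy pg_hba.conf first-match evaluator (added example, not initdb's code)."""
import ipaddress

def parse_hba(text):
    """Parse lines into (type, db, user, network, method); comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local":
            ctype, db, user, method = parts[:4]
            rules.append((ctype, db, user, None, method))
        else:
            ctype, db, user, addr, method = parts[:5]
            rules.append((ctype, db, user, ipaddress.ip_network(addr), method))
    return rules

def first_match(rules, conn_type, address=None):
    """Return the auth method of the first matching rule, as the server does.
    conn_type is 'local', 'ssl' (TCP over TLS) or 'nossl' (plain TCP).
    Assumption: db/user columns are 'all', so only type and address are checked."""
    for ctype, _db, _user, net, method in rules:
        if conn_type == "local" or ctype == "local":
            if conn_type == "local" and ctype == "local":
                return method
            continue                      # local vs. TCP rules never cross-match
        if ctype == "hostssl" and conn_type != "ssl":
            continue
        if ctype == "hostnossl" and conn_type != "nossl":
            continue                      # plain "host" matches both kinds
        if ipaddress.ip_address(address) in net:   # v4/v6 mismatch is False
            return method
    return "reject"                       # no matching entry: connection refused

# Constructed sample: a "reject plain TCP" line appended after a broad
# "host" line never fires, because the "host" line matches first.
APPENDED = """\
local     all all                 md5
host      all all 127.0.0.1/32    md5
host      all all ::1/128         md5
host      all all 0.0.0.0/0       md5
hostnossl all all 0.0.0.0/0       reject
"""

# Same intent, ordered so the first matching entry enforces TLS for remote hosts.
ORDERED = """\
local     all all                 md5
host      all all 127.0.0.1/32    md5
host      all all ::1/128         md5
hostnossl all all 0.0.0.0/0       reject
hostssl   all all 0.0.0.0/0       md5
"""

def remote_plain_tcp_result(text, address="203.0.113.7"):
    """Auth outcome for a non-TLS TCP connection from a (constructed) remote address."""
    return first_match(parse_hba(text), "nossl", address)
```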
