Re: Logging of matching pg_hba.conf entry during auth skips trust auth, potential security issue

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Jacob Champion <jchampion(at)timescale(dot)com>
Cc: Shaun Thomas <shaun(dot)thomas(at)enterprisedb(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Logging of matching pg_hba.conf entry during auth skips trust auth, potential security issue
Date: 2023-08-17 16:01:26
Message-ID: ZN5EVlL9ozTBJm8e@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Greetings,

* Jacob Champion (jchampion(at)timescale(dot)com) wrote:
> Maybe something like the attached?

> - I used the phrasing "connection not authenticated" in the hopes that
> it's a bit more greppable than just "connection", especially in
> combination with the existing "connection authenticated" lines.

That doesn't seem quite right ... admittedly, 'trust' isn't performing
authentication but there can certainly be an argument made that the
basic 'matched a line in pg_hba.conf' is a form of authentication, and
worse really, saying 'not authenticated' would seem to imply that we
didn't allow the connection when, really, we did, and that could be
confusing to someone.

Maybe 'connection allowed' instead..?

Thanks,

Stephen

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Nathan Bossart 2023-08-17 16:13:34 Re: Using defines for protocol characters
Previous Message Nathan Bossart 2023-08-17 15:26:28 Re: [PATCH] Add function to_oct