Re: The pg_hba.conf file - Mailing list pgsql-novice

From Bruno Wolff III
Subject Re: The pg_hba.conf file
Date
Msg-id 20021219063751.GA12612@wolff.to
In response to The pg_hba.conf file  (<ghaverla@freenet.edmonton.ab.ca>)
Responses Re: The pg_hba.conf file
Re: passing variables
List pgsql-novice
On Wed, Dec 18, 2002 at 22:38:59 -0700,
  ghaverla@freenet.edmonton.ab.ca wrote:
>
> 2 --------------------------------
> Next, authentication involving ident.  From what I've been told by
> more security conscious people than myself, ident can not be
> trusted off of the local machine.  And, I've seen some ident daemons

That depends on whether or not you trust the administrator of the machine.
Under some circumstances it may make sense to trust ident on remote
machines.

> which apparently can be configured to lie.  Which leads me to ask
> the question, is ident trustworthy for local connections?  Certainly

Yes. If you can't trust the local machine, then you shouldn't be running
your postgres server on it. Note that ident for "local" (this doesn't
include connections to 127.0.0.1) connections does not depend on an ident
server.

> 3.1 ---------------------------------------------
> In the above local ... example, I suspect having "ident sameuser"
> as the authentication allowing access to the database "sameuser"
> restricts completely, but the "all" wildcard for the user seems out
> of place.  Something like:
>  local sameuser sameuser  ident sameuser
> seems to better describe the situation, that I only want these
> connections by UNIX UIDs to databases with the same name as
> the UNIX UID.

The 'all' in the users field indicates that all users can use the
database matching their username. If you only want some users to
be able to do this you can use a list or group there. Having
'sameuser' there wouldn't make much sense since the supplied user name is
also the same as the supplied user name.

> It's not unusual to see sample pg_hba.conf files, which have
> a
>   host  all all  0.0.0.0   0.0.0.0   reject
> line at the end.  Should a person have similar lines for hostssl
> and local connections?  I.e.:

Well the default will be to reject connections, so they aren't really needed
except to prevent accidents. However 'host' will match 'hostssl' connections
(but not vice versa), so you don't need hostssl in addition to host if you
do that. 'local' connections are different and need a separate entry.
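The matching rules the reply relies on (first matching line wins, 'host' also matches SSL connections while 'hostssl' does not, 'local' is a separate connection type, 'sameuser' compares the requested database with the supplied user name, and no match means reject) can be illustrated with a small evaluator. This is an added example, not PostgreSQL's own code and not part of the thread; it assumes the 7.3-era column layout quoted in the question (local DB USER METHOD [OPTION] / host DB USER IP MASK METHOD [OPTION]), uses a constructed sample file, and does not model '+group' user lists or remote ident lookups.

```python
"""Toy first-match evaluator for the pg_hba.conf semantics discussed in the
thread. Illustration only (not PostgreSQL's code); the file format is assumed
to be the 7.3-era layout quoted in the question."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample file. The trailing 'reject' line is the "accident guard"
# the reply mentions; the default when nothing matches is reject anyway.
SAMPLE_HBA = """\
# TYPE   DATABASE   USER   IP-ADDRESS  IP-MASK          METHOD  OPTION
local    sameuser   all                                 ident   sameuser
local    template1  dba                                 ident   sameuser
hostssl  sameuser   all    10.0.0.0    255.255.255.0    md5
host     all        all    127.0.0.1   255.255.255.255  md5
host     all        all    0.0.0.0     0.0.0.0          reject
"""


@dataclass
class Conn:
    kind: str                      # "local" (Unix socket), "tcp", or "tcp_ssl"
    db: str                        # database requested by the client
    user: str                      # PostgreSQL user name supplied by the client
    addr: Optional[str] = None     # client IP for tcp / tcp_ssl
    os_user: Optional[str] = None  # peer's Unix user as the kernel reports it (local only)


def parse_hba(text):
    """Parse the sample format into a list of rule dicts, keeping file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rules.append(dict(type="local", db=f[1], user=f[2], net=None,
                              method=f[3], opt=f[4:]))
        elif f[0] in ("host", "hostssl"):
            # "address/netmask" is accepted by ipaddress; strict=False tolerates host bits
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            rules.append(dict(type=f[0], db=f[1], user=f[2], net=net,
                              method=f[5], opt=f[6:]))
        else:
            raise ValueError(f"unsupported record type: {f[0]}")
    return rules


def _type_matches(rule_type, conn):
    if rule_type == "local":
        return conn.kind == "local"
    if rule_type == "hostssl":
        return conn.kind == "tcp_ssl"
    # 'host' matches plain and SSL TCP connections, never the Unix socket
    return conn.kind in ("tcp", "tcp_ssl")


def _db_matches(field, conn):
    if field == "all":
        return True
    if field == "sameuser":
        return conn.db == conn.user
    return conn.db in field.split(",")


def _user_matches(field, conn):
    if field == "all":
        return True
    return conn.user in field.split(",")  # '+group' syntax deliberately not modelled


def hba_method(rules, conn):
    """Return (method, options) of the first matching rule; no match means reject."""
    for r in rules:
        if not _type_matches(r["type"], conn):
            continue
        if not _db_matches(r["db"], conn) or not _user_matches(r["user"], conn):
            continue
        if r["net"] is not None and ipaddress.ip_address(conn.addr) not in r["net"]:
            continue
        return r["method"], r["opt"]
    return "reject", []


def authorize(rules, conn, password_ok=False):
    """Apply the selected method. 'ident sameuser' on a local socket is the
    kernel-supplied peer credential check the reply describes, not an ident daemon."""
    method, opt = hba_method(rules, conn)
    if method == "reject":
        return False
    if method == "trust":
        return True
    if method == "ident":
        if conn.kind != "local":
            return False  # remote ident would need a daemon lookup; not modelled
        return "sameuser" in opt and conn.os_user == conn.user
    if method in ("md5", "password", "crypt"):
        return password_ok
    return False


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    # Plain TCP from the LAN: 'hostssl' does not match, so the reject line wins.
    print(hba_method(rules, Conn("tcp", "alice", "alice", "10.0.0.5")))
```

Note how the non-SSL LAN connection falls through to the catch-all 'reject' line even though an SSL connection from the same address would be accepted; that is exactly the asymmetry the reply describes between 'host' and 'hostssl'.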
