Re: Is "trust" really a good default? - Mailing list pgsql-hackers

From Bruce Momjian
Subject Re: Is "trust" really a good default?
Date
Msg-id 200407131646.i6DGkW910630@candle.pha.pa.us
In response to Re: Is "trust" really a good default?  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
At this stage, I would be happy adding --ident to enable only ident, and
-W/--pwfile to enable only MD5, and allow initdb to default to full
local access (with a warning printed that package builders would at
least see).

---------------------------------------------------------------------------

Tom Lane wrote:
> Robert Treat <xzilla@users.sourceforge.net> writes:
> > I am sure Chris would back me up on saying that the inability to
> > authenticate a database connection is the #1 support problem on the
> > phppgadmin mailing lists.... and you want to make this harder for
> > people??  
> 
> The other thing that bothers me about this proposal is that password
> auth is certainly the least convenient-to-use auth method we have,
> and it encourages insecure practices like coding passwords right into
> access scripts.  So I'm not pleased with the idea of making it the
> default.  For local-access-only installations, either IDENT or
> socket-file-permissions-based access control is likely to be a much more
> usable choice, but I don't think we can usefully make either of those
> the default either.  So it still comes down to the DBA having to make a
> conscious choice.
> 
> If what you want to do is raise the visibility of the need to make that
> choice, we could do something like this:
> 
>     initdb --trust
>         installs pg_hba.conf with TRUST local auth, same as now
>     initdb with -W or --pwfile
>         installs pg_hba.conf with MD5 local auth
>     initdb with no relevant switch
>         installs pg_hba.conf with REJECT local auth
> 
> thus forcing the DBA to make some choice before he can do anything.
> 
> We could also add initdb --ident to install with IDENT local auth,
> which would be a cleaner solution for the distros that are currently
> enforcing that policy via a patch to pg_hba.conf.sample.
> 
> I suspect however that we'd wind up reverting the whole thing before
> we get out of beta, because one thing I guarantee you is there will
> be lots of complaints.
> 
> The only part of this discussion that I'd really be prepared to buy into
> is the part about *if* you use -W or --pwfile, then set up pg_hba.conf
> with MD5 as the default auth (because that's probably what the user
> wants anyway).  But otherwise I think we should leave initdb's behavior
> alone.  I do not agree with trying to force people to use passwords.
> 
>             regards, tom lane
> 

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
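
Added example, not part of the original message or of PostgreSQL itself: a small audit that reports which rules in a pg_hba.conf still use the trust method discussed in this thread, and whether each applies to the Unix socket, loopback, or the network. The sample file is constructed, the function names are hypothetical, and the parser is simplified (no quoted fields, no include directives).

```python
import ipaddress

# Constructed sample pg_hba.conf for illustration; not taken from the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                      METHOD
local   all       all                                trust
host    all       all   127.0.0.1/32                 md5
host    all       all   192.168.0.0  255.255.255.0   trust   # address + mask form
host    all       all   ::1/128                      ident
local   template1 all                                reject
"""

def parse_hba(text):
    """Return (lineno, conn_type, address, method) for each rule line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()          # drop comments, split fields
        if len(f) >= 4 and f[0] == "local":
            rules.append((lineno, "local", None, f[3].lower()))
        elif len(f) >= 5 and f[0].startswith("host"):   # host, hostssl, ...
            address, idx = f[3], 4
            try:  # a separate netmask column shifts the method one field right
                ipaddress.ip_address(f[4])
                address, idx = f"{f[3]}/{f[4]}", 5
            except ValueError:
                pass
            if idx < len(f):
                rules.append((lineno, f[0], address, f[idx].lower()))
    return rules

def is_loopback(address):
    """True only when the whole address range is provably loopback."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:  # hostname or keyword: cannot prove it is loopback
        return False

def audit_trust(text):
    """Return (lineno, scope) for every rule that authenticates with trust."""
    findings = []
    for lineno, conn_type, address, method in parse_hba(text):
        if method == "trust":
            scope = "unix-socket" if conn_type == "local" else (
                "loopback" if is_loopback(address) else "network")
            findings.append((lineno, scope))
    return findings

if __name__ == "__main__":
    for lineno, scope in audit_trust(SAMPLE_HBA):
        print(f"line {lineno}: trust auth on {scope} connections")
```
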
 

