Re: Is "trust" really a good default? - Mailing list pgsql-hackers
From | Bruce Momjian |
---|---|
Subject | Re: Is "trust" really a good default? |
Date | |
Msg-id | 200407131646.i6DGkW910630@candle.pha.pa.us |
In response to | Re: Is "trust" really a good default? (Tom Lane <tgl@sss.pgh.pa.us>) |
List | pgsql-hackers |
At this stage, I would be happy adding --ident to enable only ident, and
-W/--pwfile to enable only MD5, and allow initdb to default to full
local access (with a warning printed that package builders would at
least see).

---------------------------------------------------------------------------

Tom Lane wrote:
> Robert Treat <xzilla@users.sourceforge.net> writes:
> > I am sure Chris would back me up on saying that the inability to
> > authenticate a database connection is the #1 support problem on the
> > phppgadmin mailing lists.... and you want to make this harder for
> > people??
>
> The other thing that bothers me about this proposal is that password
> auth is certainly the least convenient-to-use auth method we have,
> and it encourages insecure practices like coding passwords right into
> access scripts. So I'm not pleased with the idea of making it the
> default. For local-access-only installations, either IDENT or
> socket-file-permissions-based access control is likely to be a much more
> usable choice, but I don't think we can usefully make either of those
> the default either. So it still comes down to the DBA having to make a
> conscious choice.
>
> If what you want to do is raise the visibility of the need to make that
> choice, we could do something like this:
>
>     initdb --trust
>         installs pg_hba.conf with TRUST local auth, same as now
>     initdb with -W or --pwfile
>         installs pg_hba.conf with MD5 local auth
>     initdb with no relevant switch
>         installs pg_hba.conf with REJECT local auth
>
> thus forcing the DBA to make some choice before he can do anything.
>
> We could also add initdb --ident to install with IDENT local auth,
> which would be a cleaner solution for the distros that are currently
> enforcing that policy via a patch to pg_hba.conf.sample.
>
> I suspect however that we'd wind up reverting the whole thing before
> we get out of beta, because one thing I guarantee you is there will
> be lots of complaints.
>
> The only part of this discussion that I'd really be prepared to buy into
> is the part about *if* you use -W or --pwfile, then set up pg_hba.conf
> with MD5 as the default auth (because that's probably what the user
> wants anyway). But otherwise I think we should leave initdb's behavior
> alone. I do not agree with trying to force people to use passwords.
>
> regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
> (send "unregister YourEmailAddressHere" to majordomo@postgresql.org)
>

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073
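
An added example, not part of the thread or of PostgreSQL itself: a small Python check that parses a pg_hba.conf and lists the records still using trust, the setting whose default is debated above. The sample file is constructed, and the parser assumes unquoted fields and no include directives.

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from the thread).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS              METHOD
local   all       all                            trust
local   all       postgres                       ident
host    all       all       127.0.0.1/32         md5
host    all       all       10.0.0.0  255.0.0.0  trust   # address + mask form
"""

def _is_ip(token):
    """True if token is a bare IP address (used to spot a separate netmask)."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Return (lineno, conn_type, address, method) for each record.

    Assumption: fields are unquoted and there are no include directives.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if fields[0] == "local":
            # local DATABASE USER METHOD [OPTIONS]
            address, rest = None, fields[3:]
        else:
            # host* DATABASE USER ADDRESS [MASK] METHOD [OPTIONS]
            address, rest = (fields[3] if len(fields) > 3 else None), fields[4:]
            if rest and _is_ip(rest[0]):
                address, rest = f"{address}/{rest[0]}", rest[1:]
        if not rest:
            raise ValueError(f"line {lineno}: no auth method found")
        records.append((lineno, fields[0], address, rest[0].lower()))
    return records

def trust_entries(text):
    """Records that let a client connect without any authentication."""
    return [r for r in parse_hba(text) if r[3] == "trust"]

if __name__ == "__main__":
    for lineno, conn_type, address, _ in trust_entries(SAMPLE_HBA):
        print(f"line {lineno}: {conn_type} {address or '(Unix socket)'} uses trust")
```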