Re: Using both ident and password in pg_hba.conf - Mailing list pgsql-general

From D'Arcy J.M. Cain
Subject Re: Using both ident and password in pg_hba.conf
Msg-id 20160509224353.6b3de40e@imp
In response to Re: Using both ident and password in pg_hba.conf  (Scott Mead <scottm@openscg.com>)
Responses Re: Using both ident and password in pg_hba.conf  (Bruno Wolff III <bruno@wolff.to>)
List pgsql-general
On Mon, 9 May 2016 17:50:52 -0400
Scott Mead <scottm@openscg.com> wrote:
> > was thinking of something like this:
> >
> > host    all       joe@nobody  192.168.151.75/32       password
> > host    all       all         192.168.151.75/32       ident
> >
> > The "all@nobody" field is meant to specify that the remote user is
> > nobody but that they are connecting as user joe.  You would be able
> > to use "all" as well.  You don't even need to do an ident check
> > unless the auth method is "trust" which would be silly anyway.  In
> > fact "password" is the only method that even makes any sense at all.
>
> So, at a high-level, you want:
>
> - Users deploying php scripts in apache to require a password ( btw
> -- use md5, not password)

I was using "password" in the generic sense.

> - Users running php scripts from their shell accounts to connect with
> no password to the database
>
>   Is that correct?

Absolutely not.  I am allowing ident authentication for users because I
trust the client machine but require password (md5, whatever) when they
want to connect to their database but I can't confirm who they are.

>   Why not just require that everyone use an (again: *md5*) to
> connect?  It would be significantly more secure.  Is there a
> requirement that shell account users be able to connect without
> providing a password?

They aren't actually shell account users.  I have a shell machine too
but this is from the web server.  If I require passwords then they have
to store them in their scripts.  The scripts can be secured from other
users but not admins and since we don't otherwise know their raw
passwords I wouldn't like to expose them, even to us.

Of course PHP scripts have to run as nobody so I have no choice other
than to have them store passwords in various config.php files but PHP
users are used to that.  I would like to fix that but that's a war for
another day.

--
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 788 2246     (DoD#0082)    (eNTP)   |  what's for dinner.
IM: darcy@Vex.Net, VoIP: sip:darcy@druid.net
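As an added illustration (not code from the thread or from PostgreSQL), the following Python models the pg_hba.conf first-match rule over a constructed fragment that expresses the intent of the lines quoted above using only standard fields: a per-role md5 line placed ahead of the host-wide ident line. The `joe@nobody` form is the proposal under discussion, not syntax PostgreSQL accepts, so it is not used here; role names, database names and addresses are constructed.

```python
import ipaddress
from typing import Optional

# Constructed pg_hba.conf fragment (not from the thread). PostgreSQL uses the
# FIRST line whose type/db/user/address match, and never falls through to a
# later line when authentication on that line fails, so the md5 line for "joe"
# must come before the host-wide ident line or it will never be consulted.
HBA_TEXT = """
# TYPE  DATABASE  USER  ADDRESS             METHOD
host    all       joe   192.168.151.75/32   md5
host    all       all   192.168.151.75/32   ident
host    all       all   0.0.0.0/0           reject
"""

def parse_hba(text: str) -> list:
    """Parse 'host' lines into dicts; comments and blank lines are skipped.
    Only the core fields are modelled (no +group, sameuser, or method options)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        conn_type, db, user, addr, method = line.split()[:5]
        rules.append({"type": conn_type, "db": db, "user": user,
                      "net": ipaddress.ip_network(addr), "method": method})
    return rules

def _field_matches(pattern: str, value: str) -> bool:
    # "all" is a wildcard; otherwise the field is a comma-separated list of names.
    return pattern == "all" or value in pattern.split(",")

def resolve_method(rules, client_ip: str, db: str, user: str) -> Optional[str]:
    """Return the auth method of the FIRST matching line, or None if no line matches
    (PostgreSQL then refuses the connection outright)."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if (ip in r["net"] and _field_matches(r["db"], db)
                and _field_matches(r["user"], user)):
            return r["method"]
    return None

if __name__ == "__main__":
    rules = parse_hba(HBA_TEXT)
    print(resolve_method(rules, "192.168.151.75", "joedb", "joe"))    # md5
    print(resolve_method(rules, "192.168.151.75", "joedb", "alice"))  # ident
    print(resolve_method(rules, "10.0.0.9", "joedb", "joe"))          # reject
```

Swapping the first two lines of HBA_TEXT makes "joe" resolve to ident as well, which is the ordering mistake this model is meant to make visible.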

