Hi Kevin,
Kevin Kempter wrote:
> Hi All;
>
>
> I'm looking for thoughts/feedback on the use of UNIX Sockets vs
> standard CIDR style access (i,e, Ident, MD5, etc) to a Postgres
> Cluster. What are the pros/cons, which is more secure and why, etc...
I think you're confusing the here. CIDR refers to a method of
addressing network IP ranges (or a single host which could be argued is
a network range of 1 address.) See
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.
Ident and MD5 refer to authentication methods that PostgreSQL supports,
and these methods of authentication can also be applied to a UNIX socket.
If you're asking whether a UNIX socket is preferable to a TCP/IP
connection (i.e. over a network interface) then a Unix socket is more
secure because it only allows the local machine to access it. Of course
a user account on the server could be hacked to gain access to the
server, so it isn't 100% secured to the local machine. With TCP/IP
connections you have the added benefit of being able to restrict/allow
access by IP address.
If you're asking which of the authentication methods (ident, MD5 etc) is
more secure then I would say that "trust" is obviously the least secure
as it allows anyone in without a password (providing the pg_hba rule
matches.) MD5 is more secure than "password" as the password is hashed
before being sent across the network. Ident is specific to a Unix
system and is only recommended for trusted networks where it's not
possible for a hacker to gain access (i.e. a private network not
connected to the outside world) so is insecure.
The remaining options, in my opinion, are only useful if they fit your
particular environment - for example, LDAP to authenticate against
Active Directory etc.
Regards,
Andy
