On 10/29/2014 10:45 AM, Tom Lane wrote:
> Craig Ringer <craig@2ndquadrant.com> writes:
>> At pgconf-eu Álvaro and I were discussing the idea of allowing 'peer'
>> and 'ident' authentication to fall back to md5 if the peer/ident check
>> failed.
>
> I think it would be acceptable to define *new* auth modes that work
> that way. I'm violently against redefining the meaning of existing
> pg_hba.conf entries like this: it's not terribly hard to imagine
> cases where it'd be a security problem, and even if you claim it isn't,
> people will get bent out of shape if they think you're poking holes
> in their oh-so-carefully-chosen authentication arrangements.
Well, that's why I mentioned control over fallback via an option to
peer/ident below.
>> If anyone's concerned about that I think it'd be reasonable to
>> add an option in pg_hba.conf to allow 'ident' and 'peer' to be qualified
>> with a no_md5_fallback mode.
>
> You've got that exactly backwards.
There's no point adding a usability improvement that's off by default.
Distros can still enable it, though, and they're what I'm interested in.
Nobody uses PostgreSQL's initdb default for pg_hba.conf ('trust') anyway.
I don't care in the slightest how it's spelled; these:
peer peer with_md5_fallback peer md5_fallback=on peer_or_md5
... or whatever else. Personally I'm not concerned about allowing a user
who has login rights on the database to log in with a correct password
in a new major release where we can release-note the change, but if you
are, I don't much care if it's off by default in core. Distros can fix that.
-- Craig Ringer http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services
