Re: Disabling trust/ident authentication configure option - Mailing list pgsql-hackers

From Josh Berkus
Subject Re: Disabling trust/ident authentication configure option
Msg-id 55596375.7070601@agliodbs.com
In response to Re: Disabling trust/ident authentication configure option  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Disabling trust/ident authentication configure option  (Jim Nasby <Jim.Nasby@BlueTreble.com>)
Re: Disabling trust/ident authentication configure option  (Volker Aßmann <volker.assmann@gmail.com>)
List pgsql-hackers
> On Wed, May 13, 2015 at 2:18 PM, Robert Haas <robertmhaas@gmail.com> wrote:
>     All of this is fairly far afield from the original topic of this
>     thread, which was whether a configure option disabling trust + ident
>     authentication would be a good idea.  I said no.  Then we had a bunch
>     of counter-proposals:
> 
>     Alvaro: Support a configure switch whose value is a comma-separated
>     list of authentication methods to disable.

So, I'm going to throw in why a configure option to disable "trust,
peer" is an unworkable idea.

The goal here was stated to be preventing authentication misconfiguration
by shortsighted admins who have superuser access and the ability to
change pg_hba.conf.  This is tantamount to giving someone a gun and
bullets, but expecting duct tape across the cartridge slot to prevent
them from loading or using the gun.

Let's say we offered a compile-time option, and then someone built a
package postgresql-9.6-secureauth.deb.  So, your lazy admin is having
trouble debugging an auth problem and wants to set "trust".  But they
can't.  So they search on Google and figure out how to download and
install postgresql-9.6-normalauth.deb.  Or, alternately, they set all
passwords to "password" or to "".  Or they put .pgpass files on all
machines.  Or they put the password in pgbouncer and set pgbouncer to
"trust".

You've added exactly one additional step in their way, and not a
particularly difficult one.  It simply doesn't solve the problem you're
trying to solve, which is unsurprising, because technology has never
been able to solve the problem of untrustworthy humans with positions of
responsibility.

Now, if you wanted to add an audit log every time someone changes an
auth method in pg_hba.conf?  I'd be all for that, I can see all kinds of
uses for that, and it might actually accomplish something effective.

If you disagree with me, well, it would be very easy to hack out the
auth methods you don't like and compile your own.  It *is* open source.

-- 
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com
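
The audit-log idea from the message above, sketched as an added example (not part of the original message and not PostgreSQL code): diff two snapshots of pg_hba.conf and emit one record per rule whose auth method changed. The sample snapshots, the WATCHED set and the function names are constructed for illustration.

```python
import ipaddress
import shlex

# Methods this thread is about; treating them as "watched" is an assumption.
WATCHED = {"trust", "ident", "peer"}

# Constructed sample snapshots of pg_hba.conf (not from the original message).
OLD_HBA = """\
# TYPE  DATABASE  USER  ADDRESS  METHOD
local  all  all  peer
host   all  all  10.0.0.0/8  md5
host   app  app  192.168.1.10  255.255.255.255  md5
"""
NEW_HBA = """\
local  all  all  peer
host   all  all  10.0.0.0/8  trust   # debugging auth problem
host   app  app  192.168.1.10  255.255.255.255  md5
host   all  all  0.0.0.0/0  md5
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Map each rule selector to its auth method; the first match wins."""
    rules = {}
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok or tok[0].startswith("include"):
            continue
        # local: 3 selector fields; host*: 4, or 5 when "IP MASK" form is used
        n = 3 if tok[0] == "local" else 4
        if n == 4 and len(tok) > 5 and "/" not in tok[3] and _is_ip(tok[4]):
            n = 5
        if len(tok) > n:
            rules.setdefault(tuple(tok[:n]), tok[n])
    return rules

def audit_hba_change(old_text, new_text):
    """Return (selector, old_method, new_method, watched) per changed rule."""
    old, new = parse_hba(old_text), parse_hba(new_text)
    return [(" ".join(sel), old.get(sel), new.get(sel), new.get(sel) in WATCHED)
            for sel in sorted(old.keys() | new.keys())
            if old.get(sel) != new.get(sel)]
```

Calling audit_hba_change(OLD_HBA, NEW_HBA) yields one record for the newly added rule and one, marked as watched, for the rule switched from md5 to trust; unchanged rules produce nothing.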


