Re: Disabling trust/ident authentication configure option - Mailing list pgsql-hackers

<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, May 11, 2015 at 10:00 PM, Robert Haas <span
dir="ltr"><<ahref="mailto:robertmhaas@gmail.com" target="_blank">robertmhaas@gmail.com</a>></span> wrote:<br
/><blockquoteclass="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div
class="HOEnZb"><divclass="h5">On Thu, May 7, 2015 at 4:57 PM, Stephen Frost <<a
href="mailto:sfrost@snowman.net">sfrost@snowman.net</a>>wrote:<br /> > * Robert Haas (<a
href="mailto:robertmhaas@gmail.com">robertmhaas@gmail.com</a>)wrote:<br /> >> On Thu, May 7, 2015 at 11:02 AM,
StephenFrost <<a href="mailto:sfrost@snowman.net">sfrost@snowman.net</a>> wrote:<br /> >> > I realize
it'snot going to be popular, but I'd love to have 'trust'<br /> >> > only allowed if a command-line option is
passedto the postmaster or<br /> >> > something along those lines.  It's really got no business being an<br />
>>> option for a network service like PG.<br /> >><br /> >> I disagree wholeheartedly.  There is
sucha thing as a trusted network.<br /> ><br /> > Likely a good topic of conversation to be had in Ottawa. :)  I
agree<br/> > that there are trusted networks, but the ones that I work with still<br /> > expect network services
torequire authentication and authorization.<br /> > Perhaps they're not really "trusted" then, from your
perspective. On<br /> > the other hand, I suppose if you use pg_hba to limit which accounts can<br /> > be logged
intowith 'trust' then you might be able to have, say, a<br /> > "read-only" user/database that anyone could see. 
That'sa pretty narrow<br /> > case though and I'd rather we figure out how to address it directly and<br /> >
morespecifically (no-password login roles?) than the broad<br /> > disable-all-authentication "trust" method.<br
/><br/></div></div>Let's suppose that you have an application server and a DB server<br /> running on the same node. 
Thatturns out to be too much load, so you<br /> move the application server to a separate machine and connect the
two<br/> machines with a crossover cable, or a VLAN that has nothing else on<br /> it.  To me, it's quite sane to want
connectionson that network to<br /> proceed without authentication or authorization.  If you've got to<br /> open up
thedatabase more than that then, yes, you need authentication<br /> and authorization.<br /><div class="HOEnZb"><div
class="h5"><br/> --<br /> Robert Haas<br /> EnterpriseDB: <a href="http://www.enterprisedb.com"
target="_blank">http://www.enterprisedb.com</a><br/> The Enterprise PostgreSQL Company<br
/></div></div></blockquote></div><br/></div><div class="gmail_extra">Even in this case it still means that any breach
inany of the network services running on your application server would immediately own your database, or at least
everythingyour application can access. This applies even to totally unrelated services running with restricted
permissions.Using password or certificate based authentication at least gives you the additional security of local
filesystemaccess controls and is not much harder to setup. M2M authentication is always a difficult topic as the
"authenticationtokens" have to be secured but I would agree that a more specific / secure method than
"disable-all-authentication"would be preferable.<br /><br /></div><div class="gmail_extra">Best regards,<br /><br
/></div><divclass="gmail_extra">    Volker<br /></div><div class="gmail_extra"><br /></div></div>