RE: Let people set host(no)ssl settings from initdb - Mailing list pgsql-hackers

From tsunakawa.takay@fujitsu.com
Subject RE: Let people set host(no)ssl settings from initdb
Date
Msg-id OSAPR01MB50734B39A76E65BCD09E5B73FE3E0@OSAPR01MB5073.jpnprd01.prod.outlook.com
In response to Re: Let people set host(no)ssl settings from initdb  (David Fetter <david@fetter.org>)
Responses Re: Let people set host(no)ssl settings from initdb  (David Fetter <david@fetter.org>)
List pgsql-hackers
From: David Fetter <david@fetter.org>
> > But I see two problems with the proposed approach: (1) initdb
> > doesn't support setting up SSL, so the only thing you can achieve
> > here is to reject all TCP/IP connections, until you have set up SSL.
>
> I don't believe any special setup is needed to require TLS for the
> connection, which is what this patch handles in a straightforward way.

I think this feature can be useful because it's common to reject remote non-TLS connections.  Eliminating the need to
script for pg_hba.conf is welcome.  Setting GUC parameters just after initdb is relatively easy, because we can simply
add lines at the end of postgresql.conf.  But pg_hba.conf is not because the first matching entry is effective.

In terms of rejecting non-secure remote connections, should hostgssenc/hostnogssenc also be handled similarly?


> > (2) The default pg_hba.conf only covers localhost connections.
>
> As of this patch, it can be asked to cover all connections.

+      <term><option>--auth-hostssl=<replaceable class="parameter">authmethod</replaceable></option></term>
+      <listitem>
+       <para>
+        This option specifies the authentication method for users via
fg
+        TLS connections used in <filename>pg_hba.conf</filename>
+        (<literal>hostssl</literal> lines).
+       </para>
    +      </listitem>
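
Review bot: The <para> text "for users via TLS connections used in pg_hba.conf" does not say that hostssl lines govern TCP/IP connections, and it reads as if the connections rather than the authentication method are "used in pg_hba.conf". Suggest something like "specifies the authentication method written to hostssl lines in pg_hba.conf, which apply to TCP/IP connections made over TLS", and document what is used when the option is omitted.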

The relationship between --auth/--auth-local/--auth-host and --auth-hostssl/--auth-hostnossl is confusing.  The former
is for local connections, and the latter is for remote ones.  Can we just add "remote" in the above documentation?

Plus, you're adding the first option to initdb that handles remote connections.  As the following execution shows, it
doesn't warn about using "trust" for remote connections.


$ initdb --auth=md5 --pwprompt --auth-hostssl=trust --auth-hostnossl=trust
...
syncing data to disk ... ok

Success. You can now start the database server using:

    pg_ctl -D /tuna/pg2 -l logfile start



I think we should emit a warning message like the following existing one:

--------------------------------------------------
initdb: warning: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
-
initdb: warning: enabling "trust" authentication


Regards
Takayuki Tsunakawa
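
The first-match behaviour and the missing remote "trust" warning discussed in this message, shown as an added example that is not part of the original email or the patch: a simplified Python model of pg_hba.conf lookup. The sample file, the function names and the CIDR-only parsing are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: a remote "trust" rule of the kind the message warns
# about, with a stricter hostssl rule appended at the end afterwards.
SAMPLE_HBA = """\
# TYPE     DATABASE  USER  ADDRESS       METHOD
local      all       all                 md5
host       all       all   127.0.0.1/32  md5
hostssl    all       all   0.0.0.0/0     trust
hostnossl  all       all   0.0.0.0/0     reject
hostssl    all       all   0.0.0.0/0     scram-sha-256
"""
LOOPBACK = {4: ipaddress.ip_network("127.0.0.0/8"),
            6: ipaddress.ip_network("::1/128")}

def parse_hba(text):
    """Return (lineno, type, network, method) per rule. Simplified: CIDR
    addresses only, no options; DATABASE and USER are assumed to be 'all'."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":          # Unix-socket rule: no ADDRESS column
            rules.append((lineno, "local", None, fields[3]))
        else:
            net = ipaddress.ip_network(fields[3], strict=False)
            rules.append((lineno, fields[0], net, fields[4]))
    return rules

def first_match(rules, client_ip, ssl):
    """Return (lineno, method) of the first rule matching a TCP/IP client."""
    ip = ipaddress.ip_address(client_ip)
    wanted = {"host", "hostssl" if ssl else "hostnossl"}
    for lineno, conn, net, method in rules:
        if conn in wanted and ip.version == net.version and ip in net:
            return lineno, method
    return None                           # no rule matched: connection refused

def remote_trust_lines(rules):
    """Line numbers of TCP/IP rules granting 'trust' beyond loopback."""
    return [lineno for lineno, conn, net, method in rules
            if conn != "local" and method == "trust"
            and not net.subnet_of(LOOPBACK[net.version])]

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    print(first_match(rules, "203.0.113.7", ssl=True))   # appended line 6 is never reached
    print(remote_trust_lines(rules))
```

Because the earlier hostssl line wins, the stricter rule appended at the end has no effect, which is why pg_hba.conf cannot be adjusted by appending lines the way postgresql.conf can.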



