Thread: How to start without password
Hi!

I want to make very secure postgresql and not allow connections without passwords. I also removed all trusts from pg_hba.conf.

When I start the server I have to type my password. I want to know how I can then start at boot. I can't try because I can't boot whenever I want. I just want to be sure that if the server crashes it would start postgre at boot time without that pass.

And another question. I don't use tcp/ip sockets and I found that postgre is listening on a udp port

    pgsql postgres 172 4 udp4 127.0.0.1:1024 127.0.0.1:1024
    pgsql postgres 168 4 udp4 127.0.0.1:1024 127.0.0.1:1024

Is this normal or am I missing something in config?

--
bye,
Uros
mailto:uros@sir-mag.com
> -----Original Message-----
> From: pgsql-general-owner@postgresql.org
> [mailto:pgsql-general-owner@postgresql.org]On Behalf Of Uros Gruber
> Sent: Saturday, June 08, 2002 12:39 PM
> To: pgsql-general@postgresql.org
> Subject: [GENERAL] How to start without password
> Importance: High
>
> Hi!
>
> I want to make very secure postgresql and not allow
> connections without passwords. I also removed all trusts
> from pg_hba.conf.
>
> When I start the server I have to type my password. I want to know
> how I can then start at boot. I can't try because I can't
> boot whenever I want. I just want to be sure that if the server
> crashes it would start postgre at boot time without that pass.

PG server doesn't require a password to start up. How are you starting it up so that it requires a password?

Normally, in your startup script (which presumably runs as root), you'll have a line like:

    su postgres -c "/usr/local/pgsql/bin/pg_ctl start"

to run pg_start as the user postgres. Since root can su to any user, no password is required.

This has nothing to do with whether passwords are required to *connect* to PG; you're right, this is controlled by pg_hba.conf.

- J.
"Joel Burton" <joel@joelburton.com> writes: > PG server doesn't require a password to start up. How are you starting it up > so that it requires a password? The server does not care --- but pg_ctl tries to connect (via psql) in order to see if the server is up yet. If you want to use password-based authentication and not supply a password for "pg_ctl start", then you'll need to specify the don't-wait-for-startup option to pg_ctl. But my opinion is that password auth is a serious PITA; you are going to have lots of trouble with backup scripts, not only startup, if you try to run your installation like that. For local connections you should consider whether you can't use ident authentication instead (assuming you have a platform on which we support ident for Unix-socket connections). regards, tom lane
On Sat, 8 Jun 2002, Tom Lane wrote:
> But my opinion is that password auth is a serious PITA; you are going to
> have lots of trouble with backup scripts, not only startup, if you try
> to run your installation like that. For local connections you should
> consider whether you can't use ident authentication instead (assuming
> you have a platform on which we support ident for Unix-socket
> connections).

If you're serious about security, allowing passwordless local connections is not a problem, because you don't allow anybody but admins to log into the Unix system, anyway. There are far, far more local root exploits than remote, and they appear at a faster rate, so it's rather risky to have local users on your system anyway.

cjs
--
Curt Sampson <cjs@cynic.net> +81 90 7737 2974 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC
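The thread turns on which pg_hba.conf lines still say trust and which Unix-socket lines demand a password (the case that makes pg_ctl and backup scripts prompt). The following checker is an added example, not code from any poster or from the PostgreSQL project. It assumes the current column layout (TYPE DATABASE USER [ADDRESS [MASK]] METHOD), which differs from the release in use in 2002, does not handle quoted fields, and runs on a constructed sample.

```python
import ipaddress

# Methods that make a client supply a password.
PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}

# Constructed sample, not taken from the thread.
SAMPLE = """\
# TYPE  DATABASE  USER      ADDRESS            METHOD
local   all       postgres                     peer
local   all       all                          md5
host    all       all       127.0.0.1/32       trust
host    all       all       10.0.0.0 255.0.0.0 scram-sha-256
"""

def _method_index(fields):
    """Column holding the auth method for this rule type."""
    if fields[0] == "local":
        return 3                      # local has no address column
    try:
        ipaddress.ip_address(fields[4])
        return 5                      # address given as IP plus separate netmask
    except (IndexError, ValueError):
        return 4                      # CIDR, hostname or keyword address

def parse_hba(text):
    """Return (lineno, conn_type, method) per rule; method is None if missing."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip trailing comments
        if not fields or not (fields[0] == "local" or fields[0].startswith("host")):
            continue                             # blank, comment or include line
        idx = _method_index(fields)
        rules.append((lineno, fields[0], fields[idx] if len(fields) > idx else None))
    return rules

def audit(text):
    """Flag trust rules, password auth on the Unix socket, and malformed rules."""
    findings = []
    for lineno, conn_type, method in parse_hba(text):
        if method is None:
            findings.append((lineno, "malformed"))
        elif method == "trust":
            findings.append((lineno, "trust"))
        elif conn_type == "local" and method in PASSWORD_METHODS:
            findings.append((lineno, "password-on-socket"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE):
        print(f"line {lineno}: {finding}")
```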