Thread: Improving pg_hba.conf

Improving pg_hba.conf

From: Bruce Momjian
Date:
We have the following item on TODO:
* Overhaul pg_hba.conf host-based authentication

Can people tell me what they want changed.  I know we need the pg_shadow
password field encrypted in the table and I will work on that now.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026


Re: Improving pg_hba.conf

From: Bruce Momjian
Date:
I don't think that belongs in pg_hba.conf.


> On Tue, 12 Jun 2001, Bruce Momjian wrote:
> 
> It might be worthwhile to add restrictions in the config file for user
> level locking, I realize that it can be done now...but having it in the
> pg_hba.conf file could make it easier...
> 
> 
> 
> > We have the following item on TODO:
> >
> >     * Overhaul pg_hba.conf host-based authentication
> >
> > Can people tell me what they want changed.  I know we need the pg_shadow
> > password field encrypted in the table and I will work on that now.
> >
> > --
> >   Bruce Momjian                        |  http://candle.pha.pa.us
> >   pgman@candle.pha.pa.us               |  (610) 853-3000
> >   +  If your life is a hard drive,     |  830 Blythe Avenue
> >   +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
> >
> > ---------------------------(end of broadcast)---------------------------
> > TIP 4: Don't 'kill -9' the postmaster
> >
> 
>  Chris Bowlby,
>  -----------------------------------------------------
>  Web Developer @ Hub.org.
>  excalibur@hub.org
>  www.hub.org
>  1-902-542-3657
>  -----------------------------------------------------
> 
> 



Re: Improving pg_hba.conf

From: Chris Bowlby
Date:
On Tue, 12 Jun 2001, Bruce Momjian wrote:

It might be worthwhile to add restrictions in the config file for user
level locking, I realize that it can be done now...but having it in the
pg_hba.conf file could make it easier...



> We have the following item on TODO:
>
>     * Overhaul pg_hba.conf host-based authentication
>
> Can people tell me what they want changed.  I know we need the pg_shadow
> password field encrypted in the table and I will work on that now.
>
> --
>   Bruce Momjian                        |  http://candle.pha.pa.us
>   pgman@candle.pha.pa.us               |  (610) 853-3000
>   +  If your life is a hard drive,     |  830 Blythe Avenue
>   +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
>
> ---------------------------(end of broadcast)---------------------------
> TIP 4: Don't 'kill -9' the postmaster
>
 Chris Bowlby,
 -----------------------------------------------------
 Web Developer @ Hub.org.
 excalibur@hub.org
 www.hub.org
 1-902-542-3657
 -----------------------------------------------------



Re: Improving pg_hba.conf

From: mlw
Date:
Bruce Momjian wrote:
> 
> We have the following item on TODO:
> 
>         * Overhaul pg_hba.conf host-based authentication
> 
> Can people tell me what they want changed.  I know we need the pg_shadow
> password field encrypted in the table and I will work on that now.

Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
for free when you reinitialize and restore a database?


Re: Re: Improving pg_hba.conf

From: Bruce Momjian
Date:
> Bruce Momjian wrote:
> > 
> > We have the following item on TODO:
> > 
> >         * Overhaul pg_hba.conf host-based authentication
> > 
> > Can people tell me what they want changed.  I know we need the pg_shadow
> > password field encrypted in the table and I will work on that now.
> 
> Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
> for free when you reinitialize and restore a database?

The file has to be read by the postmaster and the postmaster has no
access to data tables for speed and security reasons.



Re: Re: Improving pg_hba.conf

From: Peter Eisentraut
Date:
mlw writes:

> Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
> for free when you reinitialize and restore a database?

Because if you hosed that table you would have hosed your entire
installation.

-- 
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter



Re: Re: Improving pg_hba.conf

From: Peter Eisentraut
Date:
Chris Bowlby writes:

> It might be worthwhile to add restrictions in the config file for user
> level locking, I realize that it can be done now...but having it in the
> pg_hba.conf file could make it easier...

This would be mostly pointless since you can create locks with judicious
use of insert/update/delete.  I don't suppose you want to let those
commands run without the appropriate locks.

-- 
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter



Re: Re: Improving pg_hba.conf

From: mlw
Date:
Peter Eisentraut wrote:

> mlw writes:
>
> > Why doesn't postgres put the contents of pg_hba.conf in a table? That way it comes
> > for free when you reinitialize and restore a database?
>
> Because if you hosed that table you would have hosed your entire
> installation.
>

You could use a bki script to fix the problem in stand-alone mode if need be. I
don't think breaking this table is really an issue. My only concerns would be the
chicken vs egg problem connecting to the system, and security. Assuming these issues
could be resolved, I think having this info in a table would be beneficial for
maintenance.




Re: Improving pg_hba.conf

From: Bruce Momjian
Date:
> We have the following item on TODO:
> 
>     * Overhaul pg_hba.conf host-based authentication
> 
> Can people tell me what they want changed.  I know we need the pg_shadow
> password field encrypted in the table and I will work on that now.

I haven't heard of any more issues with pg_hba.conf so I will mark the
item as done.  I did clean up the comments in the file.  I have also
added a TODO item:
* Read pg_hba.conf only on postmaster startup or SIGHUP



Re: Improving pg_hba.conf

From: David Ford
Date:
>
>
>I haven't heard of any more issues with pg_hba.conf so I will mark the
>item as done.  I did clean up the comments in the file.  I have also
>added a TODO item:
>
>    * Read pg_hba.conf only on postmaster startup or SIGHUP
>

If you do this, can you add an access table for secondary lookups?  I 
tend to update host access frequently and personally I think it'd be 
dandy to have a table that can be updated for access as well as the 
primary pg_hba.conf file.

David




Re: Improving pg_hba.conf

From: Bruce Momjian
Date:
> >
> >
> >I haven't heard of any more issues with pg_hba.conf so I will mark the
> >item as done.  I did clean up the comments in the file.  I have also
> >added a TODO item:
> >
> >    * Read pg_hba.conf only on postmaster startup or SIGHUP
> >
> 
> If you do this, can you add an access table for secondary lookups?  I 
> tend to update host access frequently and personally I think it'd be 
> dandy to have a table that can be updated for access as well as the 
> primary pg_hba.conf file.

Sorry, I don't understand what secondary lookups are.



Re: Improving pg_hba.conf

From: David Ford
Date:
What I mean is, do host lookups first in the text file, then if a 
pg_hostaccess table (example) exists, check it for host entries.  This 
alleviates HUP or restart etc. to reload a config file.

David

Bruce Momjian wrote:

>>>
>>>I haven't heard of any more issues with pg_hba.conf so I will mark the
>>>item as done.  I did clean up the comments in the file.  I have also
>>>added a TODO item:
>>>
>>>    * Read pg_hba.conf only on postmaster startup or SIGHUP
>>>
>>If you do this, can you add an access table for secondary lookups?  I 
>>tend to update host access frequently and personally I think it'd be 
>>dandy to have a table that can be updated for access as well as the 
>>primary pg_hba.conf file.
>>
>
>Sorry, I don't understand what secondary lookups are.
>


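The "host lookups first in the text file, then a table" ordering David describes has to fit pg_hba.conf's first-match rule, so here is an added example (not code from the thread or from PostgreSQL itself) that parses a constructed file in the five-column type/database/address/netmask/method layout assumed here and returns the method of the first matching line; the database keywords other than "all" and the user column of later releases are left out as a simplification.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, assumed layout: TYPE DATABASE IP_ADDRESS ADDRESS_MASK METHOD
# ("local" lines carry no address or mask).
SAMPLE_PG_HBA = """
# TYPE  DATABASE  IP_ADDRESS   ADDRESS_MASK     METHOD
local   all                                     trust
host    all       127.0.0.1    255.255.255.255  trust
host    payroll   10.0.0.0     255.255.255.0    reject
host    all       10.0.0.0     255.255.0.0      password
"""

@dataclass
class Rule:
    conn_type: str
    database: str
    network: Optional[ipaddress.IPv4Network]  # None for "local" lines
    method: str

def parse_pg_hba(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 3:
            rules.append(Rule("local", f[1], None, f[2]))
        elif f[0] == "host" and len(f) >= 5:
            # address and netmask are separate columns in this layout
            net = ipaddress.IPv4Network(f"{f[2]}/{f[3]}", strict=False)
            rules.append(Rule("host", f[1], net, f[4]))
        else:
            raise ValueError(f"malformed pg_hba line: {raw!r}")
    return rules

def lookup(rules: List[Rule], conn_type: str, database: str,
           client_ip: Optional[str] = None) -> Optional[str]:
    """Method of the FIRST matching line; None (no match) means the connection is refused."""
    if conn_type == "host" and client_ip is None:
        raise ValueError("host connections need a client address")
    ip = ipaddress.IPv4Address(client_ip) if client_ip else None
    for r in rules:
        if r.conn_type != conn_type or r.database not in ("all", database):
            continue
        if r.network is not None and ip not in r.network:
            continue
        return r.method  # later lines are never consulted
    return None
```

Swapping the payroll reject line below the 10.0.0.0/255.255.0.0 line would silently turn that rejection into password access, which is the ordering hazard any secondary lookup source appended after the file would also inherit.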


Re: Improving pg_hba.conf

From: Bruce Momjian
Date:
> What I mean is, do host lookups first in the text file, then if a 
> pg_hostaccess table (example) exists, check it for host entries.  This 
> alleviates HUP or restart etc. to reload a config file.

Can't do that.  Postmaster has no database access.  Must be fast.
