Thread: ident auth vs. encrypting ident daemons

ident auth vs. encrypting ident daemons

From
Tom Lane
Date:
Currently, the Red Hat and (I believe) PGDG RPMs set up ident
authentication as the default, by running initdb with --auth='ident sameuser'
I think several other binary distros do the same.  It was pointed out to
me recently that this does not work real well anymore on Fedora.  It's
fine on Unix-socket connections but fails entirely on localhost TCP,
because (1) the TCP ident daemon isn't started by default (even assuming
you installed it), and (2) if it is running, the default arguments for
it include "-E" which causes it to return an encrypted version of the
username.  So authentication will always fail.

In the modern net it's kind of hard to tell people to run identd servers
without -E, so I'm thinking that this default is becoming more and more
useless.  IMHO there are a couple of things we ought to do about it:

* initdb has to abandon the one-size-fits-all approach to auth methods;
we need to be able to specify different auth methods for unix-socket and
TCP.  (Of course, the RPMs could just hack in the right thing with sed,
but then why are we bothering to support an --auth argument at all?)

* I'm inclined to make the Red Hat RPMs default to ident on socket and
md5 on localhost ... any comments about that?

* We ought to think about ways to cope with encrypted ident daemons.
Assuming that a given daemon always reports the same encrypted string
for a given username, ISTM it ought to be possible for a DBA to set up
an ident mapping file that would allow ident-encrypted authentication to
work.  You'd likely need a separate mapping file per client host because
the encryption keys would be different, but it'd beat not having ident
support at all.  We'd need to add documentation explaining how to do
this, and I think we should also tweak the logging of failed ident-auth
connections.  All we have at the moment is
    ereport(DEBUG2,
            (errmsg("Ident protocol identifies remote user as \"%s\"",
                    ident_user)));

which is pretty inadequate because it doesn't mention either the PG user
name or the remote machine's address.  I'd like to put out a LOG-level
message mentioning all three anytime TCP ident authentication fails,
so that the postmaster log provides the info needed to set up a mapping
file.  Can anyone see any reasons not to do that?
        regards, tom lane
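
An added example, not code from this thread or from PostgreSQL itself: a Python model of the "ident sameuser" check discussed above, covering the RFC 1413 query/reply exchange, the sameuser comparison, a pg_ident.conf-style mapping lookup that lets an opaque (encrypted) ident token be matched to a PG user, and a failure log line carrying all three fields Tom asks for (PG user, client address, ident user). All daemon replies, the bracketed token standing in for an identd -E response, the client address and the map contents are constructed; the log-line wording and the function names are this example's own, not PostgreSQL's.

```python
# Added example (not PostgreSQL source): models "ident sameuser"
# authentication over RFC 1413 plus the per-host mapping file and the
# failure log line proposed in the thread. All replies are constructed.
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 1413 reply: "<port-on-server>,<port-on-client>:USERID:<opsys>:<user-id>"
#              or "<port-on-server>,<port-on-client>:ERROR:<error-type>"
_REPLY_RE = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


@dataclass
class IdentReply:
    remote_port: int   # port on the host running identd (the PG client)
    local_port: int    # port on our side (the PG server)
    kind: str          # "USERID" or "ERROR"
    opsys: str         # operating-system token; empty for ERROR replies
    userid: str        # user id (USERID) or error type (ERROR)


def build_ident_query(remote_port: int, local_port: int) -> bytes:
    """The query the server sends: the client's port first, then its own."""
    return f"{remote_port},{local_port}\r\n".encode("ascii")


def parse_ident_reply(line: bytes) -> IdentReply:
    """Parse one reply line; raise ValueError on anything malformed."""
    m = _REPLY_RE.match(line.decode("latin-1").rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed ident reply: {line!r}")
    rport, lport, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
    if kind == "ERROR":
        return IdentReply(rport, lport, kind, "", rest)
    # USERID: "<opsys>[,<charset>]:<user-id>"; the user id runs to end of line
    opsys, _, userid = rest.partition(":")
    if not userid.strip():
        raise ValueError(f"USERID reply without a user id: {line!r}")
    return IdentReply(rport, lport, kind, opsys.strip(), userid.strip())


def load_ident_map(text: str) -> dict:
    """Parse pg_ident.conf-style lines: MAPNAME IDENT-USER PG-USER."""
    table: dict = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"bad map line: {raw!r}")
        mapname, ident_user, pg_user = parts
        table.setdefault(mapname, set()).add((ident_user, pg_user))
    return table


def ident_authenticate(pg_user: str, client_addr: str, remote_port: int,
                       local_port: int, reply_line: bytes,
                       ident_map: Optional[dict] = None,
                       map_name: str = "sameuser") -> Tuple[bool, str]:
    """Return (ok, log_line). ok only if the reply echoes our ports, carries
    a USERID, and that user maps to pg_user (identity for 'sameuser')."""
    try:
        reply = parse_ident_reply(reply_line)
    except ValueError as e:
        return False, f"LOG: ident reply from {client_addr} rejected: {e}"
    # A reply for a different port pair is not an answer to our query.
    if (reply.remote_port, reply.local_port) != (remote_port, local_port):
        return False, (f"LOG: ident reply from {client_addr} echoes ports "
                       f"{reply.remote_port},{reply.local_port}; expected "
                       f"{remote_port},{local_port}")
    if reply.kind == "ERROR":
        return False, (f'LOG: ident authentication failed for user "{pg_user}": '
                       f"{client_addr} returned ERROR:{reply.userid}")
    if map_name == "sameuser":
        ok = reply.userid == pg_user
    else:
        ok = (reply.userid, pg_user) in (ident_map or {}).get(map_name, set())
    if ok:
        return True, ""
    # Constructed log format naming all three: PG user, client address,
    # ident user. This is what a DBA needs to write the mapping entry.
    return False, (f'LOG: ident authentication failed for user "{pg_user}": '
                   f'remote host {client_addr} identifies connecting user '
                   f'as "{reply.userid}"')


# Constructed sample replies to the query build_ident_query(40123, 5432).
PLAIN_REPLY = b"40123,5432:USERID:UNIX:alice\r\n"
# Stand-in for an identd -E reply: an opaque bracketed token (assumption).
ENCRYPTED_REPLY = b"40123,5432:USERID:OTHER:[c0nstructedOpaqueT0ken=]\r\n"
HIDDEN_REPLY = b"40123,5432:ERROR:HIDDEN-USER\r\n"
# Constructed per-host map: the token this host returns for alice.
MAP_TEXT = """# map for client 192.0.2.10 (constructed)
hostmap [c0nstructedOpaqueT0ken=] alice
"""

if __name__ == "__main__":
    for name, reply in [("plain", PLAIN_REPLY), ("encrypted", ENCRYPTED_REPLY),
                        ("hidden", HIDDEN_REPLY)]:
        print(name, ident_authenticate("alice", "192.0.2.10", 40123, 5432, reply))
    print("mapped", ident_authenticate("alice", "192.0.2.10", 40123, 5432,
                                       ENCRYPTED_REPLY, load_ident_map(MAP_TEXT),
                                       "hostmap"))
```

With the plain reply, sameuser succeeds; the encrypted reply fails sameuser but succeeds once the per-host map translates the token, and the failure log line names the PG user, the client address and the ident token, which is exactly the information needed to write that map entry.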


Re: [Pgsqlrpms-hackers] ident auth vs. encrypting ident daemons

From
Olivier Thauvin
Date:
On Thursday 15 June 2006 22:29, Tom Lane wrote:
> Currently, the Red Hat and (I believe) PGDG RPMs set up ident
> authentication as the default, by running initdb with
>     --auth='ident sameuser'
> I think several other binary distros do the same.

Just to note, Mandriva still provides the postgresql setup by default with trust
authentication, and only local connections are allowed. In fact the initdb is
run at the first 'service postgresql start'; we assume the sysadmin will set it
up.

But if you (the postgresql team) have any other preference (this can help new
users to have the software set up the way all the documentation says), just warn me; I
have no problem with such a change (I am the maintainer of postgresql for
Mandriva, so I have control over this).

> It was pointed out to
> me recently that this does not work real well anymore on Fedora.  It's
> fine on Unix-socket connections but fails entirely on localhost TCP,
> because (1) the TCP ident daemon isn't started by default (even assuming
> you installed it), and (2) if it is running, the default arguments for
> it include "-E" which causes it to return an encrypted version of the
> username.  So authentication will always fail.

ident is a really old protocol. It is nice to avoid making users enter their
password for local connections, but it is completely untrusted from a remote
computer. Most admins will simply say that running identd is only a way to
have security issues, and it is often filtered; hopefully nobody filters it on the
loopback interface :)


> * I'm inclined to make the Red Hat RPMs default to ident on socket and
> md5 on localhost ... any comments about that?
>

Nothing really, except that I agree (as user and as packager), and again, if you
have a preference about the default method distributions should provide, just
say so; I'll do it for Mandriva in my case.

Re: ident auth vs. encrypting ident daemons

From
Andrew Dunstan
Date:

Tom Lane wrote:

> * I'm inclined to make the Red Hat RPMs default to ident on socket and
> md5 on localhost ... any comments about that?

I typically use something like this on RH platforms and friends for the 
system db cluster:

local all postgres ident sameuser
local all all md5
host all all 127.0.0.1/32 md5

Not using ident on tcp connections would be a good thing.

I think an extra initdb switch is probably warranted.

cheers

andrew