Thread: postgres authentication question
By default my installation via Debian set the user postgres to authenticate as a local, ident sameuser. This is convenient for someone with a local account.

I'm putting a postgresql installation into my DMZ and want to make sure I have an understanding of what makes sense and what does not in terms of security.

I would like to change the postgres user to authenticate by md5 only, no ident sameuser option. I might still keep the authentication as local only. But when I do this, at start up I get a number of minor errors in my logs about the user postgres can't authenticate.

How do I fix this securely?
-or-
How do I safely disable this?
-or-
Is this a non-problem and should be ignored?

Tom Allison <tallison@tacocat.net> writes:
> I would like to change the postgres user to authenticate by md5 only,
> no ident sameuser option. I might still keep the authentication as
> local only. But when I do this, at start up I get a number of minor
> errors in my logs about the user postgres can't authenticate.

That's from pg_ctl trying to check whether the postmaster is up yet. You could remove the -w option from "pg_ctl start", or you could create a ~/.pgpass file for pg_ctl to use. The latter might be a win anyway for ease of interactive use. See http://www.postgresql.org/docs/8.1/static/libpq-pgpass.html

regards, tom lane
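
Added example, not part of the thread or of PostgreSQL's own code: a small Python audit of a password file in the `.pgpass` format (`hostname:port:database:username:password`) that the reply above suggests for pg_ctl. libpq ignores the file when group or others have any access to it, so a loosely permissioned file leaves the startup check failing; the sample entry and its placeholder password are constructed, and the function names are hypothetical.

```python
import os
import stat
import tempfile

def split_fields(line):
    """Split a .pgpass line on unescaped ':'; a backslash escapes ':' and '\\'."""
    fields, cur, i = [], "", 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur, i = cur + line[i + 1], i + 2
        elif line[i] == ":":
            fields, cur, i = fields + [cur], "", i + 1
        else:
            cur, i = cur + line[i], i + 1
    return fields + [cur]

def audit_pgpass(path):
    """Return (problems, entries) for a password file in .pgpass format."""
    problems, entries = [], []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # libpq skips such a file
        problems.append(f"mode {mode:04o}: group/other access, should be 0600")
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            if not line or line.startswith("#"):  # blank line or comment
                continue
            fields = split_fields(line)
            if len(fields) == 5:
                entries.append(tuple(fields))
            else:
                problems.append(f"line {lineno}: {len(fields)} fields, need 5")
    return problems, entries

def lookup(entries, host, port, db, user):
    """Password of the first entry matching the connection; '*' is a wildcard."""
    wanted = (host, str(port), db, user)
    for *patterns, password in entries:
        if all(p in ("*", w) for p, w in zip(patterns, wanted)):
            return password
    return None

if __name__ == "__main__":
    # Constructed sample: placeholder password containing an escaped colon.
    with tempfile.NamedTemporaryFile("w", suffix=".pgpass", delete=False) as fh:
        fh.write("*:5432:*:postgres:EXAMPLE\\:PASSWORD\n")
    os.chmod(fh.name, 0o644)
    print(audit_pgpass(fh.name)[0])  # reports the loose mode
    os.chmod(fh.name, 0o600)
    problems, entries = audit_pgpass(fh.name)
    print(problems, lookup(entries, "localhost", 5432, "template1", "postgres"))
    os.unlink(fh.name)
```
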

On Nov 18, 2006, at 8:36 AM, Tom Allison wrote:
> I'm putting a postgresql installation into my DMZ and want to make
> sure I have an understanding of what makes sense and what does not
> in terms of security.

If you're only using ident with ident servers you can trust (i.e., localhost), then I can't think of any security issue with using it. For someone to spoof ident credentials on localhost you either have to allow them to do it (some identd's support that, but most I've seen turn it off by default), or they'd have to compromise your identd. And if they can compromise your identd on the database server, you're pretty much hosed anyway.

--
Jim Nasby jim@nasby.net
EnterpriseDB http://enterprisedb.com 512.569.9461 (cell)