> Richard Huxton <dev@archonet.com> writes:
> > "Thomas T. Veldhouse" wrote:
> >> Why does it ask 4 times?
>
> > createlang is just a script - it basically runs "/path/to/psql $QUERY" -
> > each query connects a separate time.
>
> Note that running a setup that requires password auth for the DBA will
> also be a major pain in the rear when running pg_dumpall: one password
> prompt per database, IIRC. We have other scripts that make more than
> one database connection, too.
>
> I'd counsel using a setup that avoids passwords for local connections.
> One way to do this is to run an ident daemon and use IDENT authorization
> for connections from 127.0.0.1. This allows "psql -h localhost" to work
> without a password. (IDENT authorization is quite properly discouraged
> for remote connections, but it's trustworthy enough on your own machine,
> if you control the ident daemon or trust the person who does.)
I just applied a diff to better document the use of ident for localhost.
I think it is a good idea, and in some ways a better use of ident than
for remote machines. If I missed a spot that could be better
documented, let me know.
--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
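An added example (not part of the original mail or the patch) of the localhost ident setup Tom describes above, beside the password setup that causes the repeated prompts. It assumes the 7.1-era record formats host/local DBNAME [IP_ADDRESS ADDRESS_MASK] AUTH_TYPE [AUTH_ARGUMENT] and pg_ident.conf MAPNAME IDENT-USERNAME PG-USERNAME; the user names are constructed.

```conf
# pg_hba.conf (constructed example)
# Record formats assumed:
#   host   DBNAME IP_ADDRESS ADDRESS_MASK AUTH_TYPE [AUTH_ARGUMENT]
#   local  DBNAME AUTH_TYPE [AUTH_ARGUMENT]
# The first matching record wins, so order matters.

# Weak for a DBA workflow: every psql invocation prompts for the
# password (createlang runs several, pg_dumpall one per database),
# and "password" sends it in clear.
#host    all    127.0.0.1    255.255.255.255    password

# Localhost ident: the backend asks the ident daemon on 127.0.0.1
# which OS user owns the connecting TCP port, then maps that name
# through the implied "sameuser" map (OS user postgres -> DB user
# postgres).  Only TCP/IP connections (psql -h localhost) reach this
# record, and it is only as trustworthy as the ident daemon on this
# machine and whoever administers it.
host    all    127.0.0.1    255.255.255.255    ident    sameuser

# Same idea with an explicit map from pg_ident.conf (see below), for
# an OS account that should become a differently named DB user:
#host    all    127.0.0.1    255.255.255.255    ident    dbadmins

# Unix-domain socket connections ("psql" with no -h) cannot use
# ident; they need their own "local" record and still get a password
# prompt, which is why the DBA connects with -h localhost instead.
local   all    crypt

# Everyone else: crypt rather than password so the password is not
# sent in clear; "reject" for specific hosts must come before the
# broader record it is meant to override.
host    all    0.0.0.0      0.0.0.0            crypt

# pg_ident.conf (constructed example; format MAPNAME IDENT-USERNAME PG-USERNAME)
# Only names listed here are accepted for the "dbadmins" map.
#dbadmins    tom      postgres
#dbadmins    bruce    postgres
```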
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /home/projects/pgsql/cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.11
diff -c -r1.11 client-auth.sgml
*** doc/src/sgml/client-auth.sgml 2001/05/12 22:51:34 1.11
--- doc/src/sgml/client-auth.sgml 2001/07/11 20:27:07
***************
*** 242,248 ****
of the connecting user. <productname>Postgres</productname>
then verifies whether the so identified operating system user
is allowed to connect as the database user that is requested.
! This is only available for TCP/IP connections.
The <replaceable>authentication option</replaceable> following
the <literal>ident</> keyword specifies the name of an
<firstterm>ident map</firstterm> that specifies which operating
--- 242,251 ----
of the connecting user. <productname>Postgres</productname>
then verifies whether the so identified operating system user
is allowed to connect as the database user that is requested.
! This is only available for TCP/IP connections. It can be used
! on the local machine by specifying the localhost address 127.0.0.1.
! </para>
! <para>
The <replaceable>authentication option</replaceable> following
the <literal>ident</> keyword specifies the name of an
<firstterm>ident map</firstterm> that specifies which operating
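Review bot: the new sentence "It can be used on the local machine by specifying the localhost address 127.0.0.1." leaves out that the connection still has to be a TCP/IP one, given in a host record of pg_hba.conf; a Unix-domain socket connection on the same machine cannot use ident. Suggest: "It can also be used on the local machine by connecting over TCP/IP to the localhost address 127.0.0.1 (for example with psql -h localhost); Unix-domain socket connections cannot use ident." A cross-reference from here to the trust caveat being added in the RFC 1413 section of this same patch would also help, since that caveat is what makes localhost use acceptable.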
***************
*** 553,559 ****
<attribution>RFC 1413</attribution>
<para>
The Identification Protocol is not intended as an authorization
! or access control protocol.
</para>
</blockquote>
</para>
--- 556,563 ----
<attribution>RFC 1413</attribution>
<para>
The Identification Protocol is not intended as an authorization
! or access control protocol. You must trust the machine running the
! ident server.
</para>
</blockquote>
</para>
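Review bot: the added sentence "You must trust the machine running the ident server." sits inside the <blockquote> whose <attribution> is RFC 1413, so it will render as if it were part of the RFC's own text. Move it into its own <para> after </blockquote>, and since the motivation for this patch is localhost use, say which machine that is: "You must trust the machine running the ident server, and whoever administers it; for connections from 127.0.0.1 that is the local machine itself."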
Index: src/backend/libpq/pg_hba.conf.sample
===================================================================
RCS file: /home/projects/pgsql/cvsroot/pgsql/src/backend/libpq/pg_hba.conf.sample,v
retrieving revision 1.19
diff -c -r1.19 pg_hba.conf.sample
*** src/backend/libpq/pg_hba.conf.sample 2001/07/11 19:36:36 1.19
--- src/backend/libpq/pg_hba.conf.sample 2001/07/11 20:27:08
***************
*** 1,5 ****
#
! # PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
#
#
# This file controls:
--- 1,5 ----
#
! # PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
#
#
# This file controls:
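Review bot: the "!" line "# PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE" is identical in the old and new text, so this hunk is a whitespace-only change (tabs versus spaces or trailing blanks). Either drop it from this patch or mention the whitespace cleanup in the commit message, so that readers of the diff do not go looking for a wording change that is not there.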
***************
*** 101,109 ****
# be use only for machines where all users are truested.
#
# password: Authentication is done by matching a password supplied
! # in clear by the host. If no AUTH_ARGUMENT is used, the
! # password is compared with the user's entry in the
! # pg_shadow table.
#
# If AUTH_ARGUMENT is specified, the username is looked up
# in that file in the $PGDATA directory. If the username
--- 101,109 ----
# be use only for machines where all users are truested.
#
# password: Authentication is done by matching a password supplied
! # in clear by the host. If no AUTH_ARGUMENT is used, the
! # password is compared with the user's entry in the
! # pg_shadow table.
#
# If AUTH_ARGUMENT is specified, the username is looked up
# in that file in the $PGDATA directory. If the username
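Review bot: as with the header hunk, the "!" lines from "in clear by the host" through "pg_shadow table." show no textual difference, so this is whitespace-only churn. While this region is being touched, the unchanged context line "be use only for machines where all users are truested." has two typos and should read "be used only for machines where all users are trusted."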
***************
*** 118,147 ****
# passwords.
#
# crypt: Same as "password", but authentication is done by
! # encrypting the password sent over the network. This is
! # always preferable to "password" except for old clients
! # that don't support "crypt". Also, crypt can use
! # usernames stored in secondary password files but not
! # secondary passwords.
! #
! # ident: Authentication is done by the ident server on the local
! # or remote host. AUTH_ARGUMENT is required and maps names
! # found in the $PGDATA/pg_ident.conf file. The connection
! # is accepted if the file contains an entry for this map
! # name with the ident-supplied username and the requested
! # PostgreSQL username. The special map name "sameuser"
! # indicates an implied map (not in pg_ident.conf) that
! # maps each ident username to the identical PostgreSQL
# username.
#
! # krb4: Kerberos V4 authentication is used.
#
! # krb5: Kerberos V5 authentication is used.
#
# reject: Reject the connection. This is used to reject certain hosts
! # that are part of a network specified later in the file.
! # To be effective, "reject" must appear before the later
! # entries.
#
# Local UNIX-domain socket connections support only the AUTH_TYPEs of
# "trust", "password", "crypt", and "reject".
--- 118,147 ----
# passwords.
#
# crypt: Same as "password", but authentication is done by
! # encrypting the password sent over the network. This is
! # always preferable to "password" except for old clients
! # that don't support "crypt". Also, crypt can use
! # usernames stored in secondary password files but not
! # secondary passwords.
! #
! # ident: Authentication is done by the ident server on the local
! # (127.0.0.1) or remote host. AUTH_ARGUMENT is required and
! # maps names found in the $PGDATA/pg_ident.conf file. The
! # connection is accepted if the file contains an entry for
! # this map name with the ident-supplied username and the
! # requested PostgreSQL username. The special map name
! # "sameuser" indicates an implied map (not in pg_ident.conf)
! # that maps each ident username to the identical PostgreSQL
# username.
#
! # krb4: Kerberos V4 authentication is used.
#
! # krb5: Kerberos V5 authentication is used.
#
# reject: Reject the connection. This is used to reject certain hosts
! # that are part of a network specified later in the file.
! # To be effective, "reject" must appear before the later
! # entries.
#
# Local UNIX-domain socket connections support only the AUTH_TYPEs of
# "trust", "password", "crypt", and "reject".
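Review bot: "on the local (127.0.0.1) or remote host" is easy to confuse with the "local" record type, which this same file says (in "Local UNIX-domain socket connections support only the AUTH_TYPEs of ...") does not support ident. Suggest: "Authentication is done by the ident server on the client's host; for a client on this machine that means a TCP/IP connection to 127.0.0.1, since Unix-domain socket connections cannot use ident." A sample record such as "host all 127.0.0.1 255.255.255.255 ident sameuser" beside this paragraph would make the intended localhost setup concrete. Also, re-wrapping the whole ident paragraph marks every one of its lines as changed and hides the one-word insertion; keeping the old line breaks would leave a two-line diff.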