Thread: Re: [GENERAL] Bug in createlang?

Re: [GENERAL] Bug in createlang?

From: Bruce Momjian
> Richard Huxton <dev@archonet.com> writes:
> > "Thomas T. Veldhouse" wrote:
> >> Why does it ask 4 times?
>
> > createlang is just a script - it basically runs "/path/to/psql $QUERY" -
> > each query connects a separate time.
>
> Note that running a setup that requires password auth for the DBA will
> also be a major pain in the rear when running pg_dumpall: one password
> prompt per database, IIRC.  We have other scripts that make more than
> one database connection, too.
>
> I'd counsel using a setup that avoids passwords for local connections.
> One way to do this is to run an ident daemon and use IDENT authorization
> for connections from 127.0.0.1.  This allows "psql -h localhost" to work
> without a password.  (IDENT authorization is quite properly discouraged
> for remote connections, but it's trustworthy enough on your own machine,
> if you control the ident daemon or trust the person who does.)

I just applied a diff to better document the use of ident for localhost.
I think it is a good idea, and in some ways a better use of ident than
for remote machines.  If I missed a spot that could be better
documented, let me know.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
Index: doc/src/sgml/client-auth.sgml
===================================================================
RCS file: /home/projects/pgsql/cvsroot/pgsql/doc/src/sgml/client-auth.sgml,v
retrieving revision 1.11
diff -c -r1.11 client-auth.sgml
*** doc/src/sgml/client-auth.sgml    2001/05/12 22:51:34    1.11
--- doc/src/sgml/client-auth.sgml    2001/07/11 20:27:07
***************
*** 242,248 ****
            of the connecting user. <productname>Postgres</productname>
            then verifies whether the so identified operating system user
            is allowed to connect as the database user that is requested.
!       This is only available for TCP/IP connections.
            The <replaceable>authentication option</replaceable> following
            the <literal>ident</> keyword specifies the name of an
            <firstterm>ident map</firstterm> that specifies which operating
--- 242,251 ----
            of the connecting user. <productname>Postgres</productname>
            then verifies whether the so identified operating system user
            is allowed to connect as the database user that is requested.
!       This is only available for TCP/IP connections.  It can be used
!       on the local machine by specifying the localhost address 127.0.0.1.
!          </para>
!          <para>
            The <replaceable>authentication option</replaceable> following
            the <literal>ident</> keyword specifies the name of an
            <firstterm>ident map</firstterm> that specifies which operating
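Review bot: the new sentence on the `!` lines tells the reader that ident can be used locally by naming 127.0.0.1, but not under what condition that is reasonable; since this paragraph is where a DBA chooses an authentication method, state the condition here (the ident daemon on the local machine must be under the administrator's control) instead of leaving it for the later RFC quotation. The `</para>`/`<para>` split is fine, but the first paragraph now says two unrelated things (TCP/IP only; usable on localhost), so a connecting phrase such as "including connections to the local machine via 127.0.0.1" would read more naturally.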
***************
*** 553,559 ****
       <attribution>RFC 1413</attribution>
       <para>
        The Identification Protocol is not intended as an authorization
!       or access control protocol.
       </para>
      </blockquote>
     </para>
--- 556,563 ----
       <attribution>RFC 1413</attribution>
       <para>
        The Identification Protocol is not intended as an authorization
!       or access control protocol.  You must trust the machine running the
!       ident server.
       </para>
      </blockquote>
     </para>
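Review bot: "You must trust the machine running the ident server." is inserted inside the `<blockquote>` whose `<attribution>` is RFC 1413, so it will render as if it were the RFC's own words; move it into a `<para>` outside the `</blockquote>` so the quoted text stays verbatim. While moving it, say what the trust amounts to: whoever can run or replace the ident daemon on that machine can claim any operating-system user name, which is the reason the localhost case is acceptable and the remote case is discouraged.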
Index: src/backend/libpq/pg_hba.conf.sample
===================================================================
RCS file: /home/projects/pgsql/cvsroot/pgsql/src/backend/libpq/pg_hba.conf.sample,v
retrieving revision 1.19
diff -c -r1.19 pg_hba.conf.sample
*** src/backend/libpq/pg_hba.conf.sample    2001/07/11 19:36:36    1.19
--- src/backend/libpq/pg_hba.conf.sample    2001/07/11 20:27:08
***************
*** 1,5 ****
  #
! #                PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
  #
  #
  # This file controls:
--- 1,5 ----
  #
! #          PostgreSQL HOST-BASED ACCESS (HBA) CONTROL FILE
  #
  #
  # This file controls:
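Review bot: this hunk only re-centres the banner line; a whitespace-only change to a comment is better left out of a patch whose purpose is documenting ident on localhost, so the revision history records just the substantive edit.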
***************
*** 101,109 ****
  #         be use only for machines where all users are truested.
  #
  #   password:    Authentication is done by matching a password supplied
! #           in clear by the host. If no AUTH_ARGUMENT is used, the
! #           password is compared with the user's entry in the
! #           pg_shadow table.
  #
  #         If AUTH_ARGUMENT is specified, the username is looked up
  #         in that file in the $PGDATA directory. If the username
--- 101,109 ----
  #         be use only for machines where all users are truested.
  #
  #   password:    Authentication is done by matching a password supplied
! #        in clear by the host. If no AUTH_ARGUMENT is used, the
! #        password is compared with the user's entry in the
! #        pg_shadow table.
  #
  #         If AUTH_ARGUMENT is specified, the username is looked up
  #         in that file in the $PGDATA directory. If the username
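Review bot: nothing but indentation changes here, yet the unchanged context line `#         be use only for machines where all users are truested.` carries two typos ("be used", "trusted") that could be fixed while these lines are being touched; reindenting the `password` description also lengthens a diff whose only substantive change is in the `ident` entry.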
***************
*** 118,147 ****
  #         passwords.
  #
  #   crypt:      Same as "password", but authentication is done by
! #           encrypting the password sent over the network. This is
! #           always preferable to "password" except for old clients
! #           that don't support "crypt". Also, crypt can use
! #           usernames stored in secondary password files but not
! #           secondary passwords.
! #
! #   ident: Authentication is done by the ident server on the local
! #           or remote host. AUTH_ARGUMENT is required and maps names
! #        found in the $PGDATA/pg_ident.conf file. The connection
! #           is accepted if the file contains an entry for this map
! #           name with the ident-supplied username and the requested
! #           PostgreSQL username. The special map name "sameuser"
! #           indicates an implied map (not in pg_ident.conf) that
! #           maps each ident username to the identical PostgreSQL
  #        username.
  #
! #   krb4:       Kerberos V4 authentication is used.
  #
! #   krb5:       Kerberos V5 authentication is used.
  #
  #   reject:     Reject the connection. This is used to reject certain hosts
! #           that are part of a network specified later in the file.
! #           To be effective, "reject" must appear before the later
! #           entries.
  #
  # Local UNIX-domain socket connections support only the AUTH_TYPEs of
  # "trust", "password", "crypt", and "reject".
--- 118,147 ----
  #         passwords.
  #
  #   crypt:      Same as "password", but authentication is done by
! #        encrypting the password sent over the network. This is
! #        always preferable to "password" except for old clients
! #        that don't support "crypt". Also, crypt can use
! #        usernames stored in secondary password files but not
! #        secondary passwords.
! #
! #   ident:    Authentication is done by the ident server on the local
! #        (127.0.0.1) or remote host. AUTH_ARGUMENT is required and
! #        maps names found in the $PGDATA/pg_ident.conf file. The
! #        connection is accepted if the file contains an entry for
! #        this map name with the ident-supplied username and the
! #        requested PostgreSQL username. The special map name
! #        "sameuser" indicates an implied map (not in pg_ident.conf)
! #        that maps each ident username to the identical PostgreSQL
  #        username.
  #
! #   krb4:    Kerberos V4 authentication is used.
  #
! #   krb5:    Kerberos V5 authentication is used.
  #
  #   reject:     Reject the connection. This is used to reject certain hosts
! #        that are part of a network specified later in the file.
! #        To be effective, "reject" must appear before the later
! #        entries.
  #
  # Local UNIX-domain socket connections support only the AUTH_TYPEs of
  # "trust", "password", "crypt", and "reject".
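Review bot: the revised `ident` entry says "on the local (127.0.0.1) or remote host", but the trailing context lines state that local UNIX-domain socket connections support only "trust", "password", "crypt" and "reject", so "local" should be spelled out as a TCP/IP connection to 127.0.0.1 (a `host` line, not a `local` line) to keep readers from expecting ident to work on the socket. The entry also omits the trust condition that the client-auth.sgml part of this patch adds, which is the one fact a reader of the sample file needs before enabling ident; the remaining `!` lines are reindentation that make the sample longer, not shorter.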

Re: Re: [GENERAL] Bug in createlang?

From
Peter Eisentraut
Date:
Bruce Momjian writes:

> I just applied a diff to better document the use of ident for localhost.
> I think it is a good idea, and in some ways a better use of ident than
> for remote machines.  If I missed a spot that could be better
> documented, let me know.

<blockquote> means it's a quote.  What you added there is not part of the
original source.  Also, *please* make the pg_hba.conf.sample file shorter,
not longer.

--
Peter Eisentraut   peter_e@gmx.net   http://funkturm.homeip.net/~peter


Re: Re: [GENERAL] Bug in createlang?

From
Bruce Momjian
Date:
> Bruce Momjian writes:
>
> > I just applied a diff to better document the use of ident for localhost.
> > I think it is a good idea, and in some ways a better use of ident than
> > for remote machines.  If I missed a spot that could be better
> > documented, let me know.
>
> <blockquote> means it's a quote.  What you added there is not part of the

Moved out of blockquote.

> original source.  Also, *please* make the pg_hba.conf.sample file shorter,
> not longer.

I have the idea of having the postmaster load the non-comment lines from
pg_hba.conf in as a List of character strings and have the postmaster
read through the strings, reloading on sighup.  That way, we don't have
to read the file at all for each connection.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026