[GTALUG] Postgres and ident used for authentication
David Collier-Brown
davec-b at rogers.com
Thu May 14 12:32:39 UTC 2015
While it's been discussed elsewhere*, I just tripped over a decidedly
odd default in postgresql: it tries to use ident to verify that the role
I'm logging in to has the same name as my unix user account, simulating
the "peer" authentication available for unix domain sockets.
I don't see any history for this, but it makes me suspicious, just as it
would if I found someone was using rsh and a .rhosts file in a world
where we have ssh with keys.
The common recommendation is to use "trust", which is even worse than
ident. At least ident comes with a conspicuous warning that "The
Identification Protocol is not intended as an authorization or access
control protocol."
Anyone know the back story? The FAQ is unhelpful, the bugs list seems
private, and Google finds lots of bad advice (;-))
--dave
[*
http://www.upfrontsystems.co.za/Members/izak/sysadman/postgresqls-confusing-authentication-configuration
http://www.depesz.com/2007/08/18/securing-your-postgresql-database/ ]
--
David Collier-Brown, | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb at spamcop.net | -- Mark Twain
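For readers who want to see what the post is describing in pg_hba.conf terms, here is an added example (not from the original message or from the PostgreSQL project's own sample files) that puts the weak "trust"/"ident" lines beside a hardened equivalent. The address ranges and the assumption that each database role is named after a local Unix account are illustrative; pg_hba.conf is evaluated first-match-wins, so the order of the lines matters.

```conf
# Weak configuration of the kind discussed above (constructed example).
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   trust   # anyone who can open the socket is any role
host    all       all   127.0.0.1/32    ident   # believes whatever the client host's identd says
host    all       all   ::1/128         ident

# Hardened equivalent.
# peer: the kernel reports the socket owner's uid, and the role must have the
# same name (use a pg_ident.conf map=... option if role and OS user differ).
local   all       all                   peer
# For TCP, require a password via SCRAM (PostgreSQL 10+; use md5 on older releases,
# and set password_encryption = scram-sha-256 before creating passwords).
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   ::1/128         scram-sha-256
# Remote clients only over TLS (requires ssl = on in postgresql.conf).
hostssl all       all   192.0.2.0/24    scram-sha-256
# Everything else is refused explicitly rather than falling through.
host    all       all   0.0.0.0/0       reject
host    all       all   ::/0            reject
```

After editing, reload with `SELECT pg_reload_conf();` and, on PostgreSQL 10 or later, confirm the parsed rules (and any syntax errors) with `SELECT * FROM pg_hba_file_rules;`.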