Heath Johns <public@elesi.org> writes:
> First off, thank you for your reply. I have an additional problem
> however. I have many stunnels (ssh like tcp tunnels) coming into this
> box that communicate with pgsql, all of which I need to password
> authenticate. They obviously only work on tcp sockets. If I were to
> ident them, it would surely come back with the owner of the stunnel.
> Also, these tunnels map an external port to localhost, so I cannot do
> host based authentication.
Okay, that is a little bit messy.
> I would be more than happy if the situation were reversed, with unix
> users not requiring a password, and all tcp connections being password
> authenticated (which would seem to me the more logical arangement).
> Unfortunately, there appears to be no way to do this.
Um, the users coming in through stunnels must reach the postmaster via
TCP, no? Or are they first logging into local shells and then running
psql locally? If they do use TCP connections then it seems like
local all trust
host all 127.0.0.1 255.255.255.255 password
will do what you just said. The local users just have to be careful
not to set PGHOST ...
regards, tom lane