Re: Allow peer/ident to fall back to md5?

Поиск
Список
Период
Сортировка
От Noah Misch
Тема Re: Allow peer/ident to fall back to md5?
Дата
Msg-id 20141029063949.GA400178@tornado.leadboat.com
обсуждение исходный текст
Ответ на Re: Allow peer/ident to fall back to md5?  (Craig Ringer <craig@2ndquadrant.com>)
Ответы Re: Allow peer/ident to fall back to md5?
Список pgsql-hackers
Дерево обсуждения 
On Wed, Oct 29, 2014 at 10:52:38AM +0800, Craig Ringer wrote:
> On 10/29/2014 10:45 AM, Tom Lane wrote:
> > Craig Ringer <craig@2ndquadrant.com> writes:
> >> At pgconf-eu Álvaro and I were discussing the idea of allowing 'peer'
> >> and 'ident' authentication to fall back to md5 if the peer/ident check
> >> failed.
> > 
> > I think it would be acceptable to define *new* auth modes that work
> > that way.  I'm violently against redefining the meaning of existing
> > pg_hba.conf entries like this: it's not terribly hard to imagine
> > cases where it'd be a security problem, and even if you claim it isn't,
> > people will get bent out of shape if they think you're poking holes
> > in their oh-so-carefully-chosen authentication arrangements.

Switching from today's "peer" to the proposed method in a given installation
can indeed open a security hole.  If you accept peer authentication only,
quality of account passwords is irrelevant.  Using this mode requires setting
a strong password or no password at all.

> There's no point adding a usability improvement that's off by default.
> 
> Distros can still enable it, though, and they're what I'm interested in.
> Nobody uses PostgreSQL's initdb default for pg_hba.conf ('trust') anyway.

Switching away from "trust" has been a safe call for distributions, because
every other method is strictly less permissive.  "md5_or_peer" would be
strictly more permissive than either "md5" or "peer", so a distribution
switching to the new mode would be betting that the extra usability makes up
for folks overlooking the change and getting a security hole.  (I think the
care needed to vet a switch from md5 to md5+peer is less than that needed to
vet a switch from peer to md5+peer.)

> I don't care in the slightest how it's spelled; these:
> 
>    peer
>    peer with_md5_fallback
>    peer md5_fallback=on
>    peer_or_md5

Think about making this an option of the "peer" method that allows trying
subsequent pg_hba.conf lines when "peer" fails.  Call it something like
"continue" or "sufficient".  pg_hba.conf would have:

local all all peer continue
local all all md5

This lets you pair peer authentication with methods other than md5.

Thanks,
nm

В списке pgsql-hackers по дате отправления:

Предыдущее
От: Amit Kapila
Дата:
Сообщение: Re: TODO : Allow parallel cores to be used by vacuumdb [ WIP ]
Следующее
От: Heikki Linnakangas
Дата:
Сообщение: Re: WAL format and API changes (9.5)