Re: Disabling trust/ident authentication configure option

From Alvaro Herrera
Subject Re: Disabling trust/ident authentication configure option
Date
Msg-id 20150520220541.GJ5885@postgresql.org
In response to Re: Disabling trust/ident authentication configure option  (Andres Freund <andres@anarazel.de>)
List pgsql-hackers
Andres Freund wrote:
> On 2015-05-20 15:42:23 -0400, Stephen Frost wrote:
> > > So the first thing to establish is "other than Volker himself, who are
> > > we helping here?"
> > 
> > I don't agree with this either.  Providing a "bypass all authentication"
> > configuration option really isn't a good thing.  Why don't packagers use
> > our default pg_hba.conf?  Because it only makes sense in a development
> > type of environment.  I'd argue the same is true for 'trust'.
> 
> Uh. So if the shit hit the fan because you mismanaged a password
> rollover, Kerberos is down, or something like that, and you can't
> access postgres anymore you want to recompile?

Yeah, it's pretty messy.  I thought about providing the feature without
involving configure: say have a file listing allowed auth methods; in
Volker's case it's easy to ship packages where trust/peer are removed in
the file.  If you're in deep trouble just enable trust there and fix it.
But this has the exact problem we started with: the lazy admin will just
enable it "momentarily" to get the thing running and forget to turn it
off later.

I was thinking that another use for this would be cases where an auth
method is found to be insecure and you want to disable it completely
(say Kerberos is cracked irreparably or whatever).  But the real
solution to that problem is to remove it from pg_hba.conf.  In the end,
it seems there is no actual hole being solved here that cannot be
better attacked by other means.

-- 
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
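
The message above places the fix in pg_hba.conf itself and worries about a trust entry enabled "momentarily" and then forgotten; a periodic audit of the file catches that case. The following is an added example, not part of the original message or of PostgreSQL: the function name `audit_hba` and the sample file are constructed for illustration, and line continuations and include directives are not handled.

```python
import ipaddress
import shlex

# Methods that admit a connection without a secret; the thread names trust, ident and peer.
PASSWORDLESS = {"trust", "ident", "peer"}
RECORD_TYPES = {"local", "host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _is_bare_ip(token):
    """True when the address is an IP without /prefix, so a separate netmask field follows."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_hba(text, flagged=PASSWORDLESS):
    """Return (line_no, type, database, user, address, method) for each flagged record."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # shlex approximates pg_hba.conf tokenizing: whitespace, "quoted" fields, # comments.
        fields = shlex.split(raw, comments=True)
        if not fields or fields[0] not in RECORD_TYPES:
            continue  # blank line, comment-only line, or a directive this sketch skips
        if fields[0] == "local":
            idx = 3                      # local records have no address field
        elif len(fields) > 3 and _is_bare_ip(fields[3]):
            idx = 5                      # IP address and netmask given as two fields
        else:
            idx = 4                      # CIDR, host name, or keyword such as samenet
        if len(fields) <= idx:
            continue  # malformed record; the server would reject it on reload
        if fields[idx] in flagged:
            findings.append((line_no, fields[0], fields[1], fields[2],
                             " ".join(fields[3:idx]), fields[idx]))
    return findings

# Constructed sample file, not taken from any real system.
SAMPLE = """\
# TYPE  DATABASE     USER      ADDRESS                     METHOD
local   all          postgres                              peer
local   all          all                                   scram-sha-256
host    all          all       127.0.0.1/32                trust  # "temporary" recovery entry
host    all          all       10.0.0.0 255.0.0.0          md5
host    replication  rep       192.0.2.10 255.255.255.255  trust
hostssl appdb        app       samenet                     scram-sha-256
"""

if __name__ == "__main__":
    for finding in audit_hba(SAMPLE):
        print("line %d: %s db=%s user=%s addr=%r method=%s" % finding)
```

Passing `flagged={"trust"}` narrows the report to trust entries on hosts where peer is an accepted local method.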


