Re: Disabling trust/ident authentication configure option

From Stephen Frost
Subject Re: Disabling trust/ident authentication configure option
Date
Msg-id 20150520234612.GO26667@tamriel.snowman.net
In response to Re: Disabling trust/ident authentication configure option  (Andres Freund <andres@anarazel.de>)
Responses Re: Disabling trust/ident authentication configure option  (Andres Freund <andres@anarazel.de>)
List pgsql-hackers
Andres,

* Andres Freund (andres@anarazel.de) wrote:
> On 2015-05-20 15:42:23 -0400, Stephen Frost wrote:
> > > So the first thing to establish is "other than Volker himself, who are
> > > we helping here?"
> >
> > I don't agree with this either.  Providing a "bypass all authentication"
> > configuration option really isn't a good thing.  Why don't packagers use
> > our default pg_hba.conf?  Because it only makes sense in a development
> > type of environment.  I'd argue the same is true for 'trust'.
>
> Uh. So if the shit hit the fan because you mismanaged a password
> rollover, kerberos is down, or something like that, and you can't
> access postgres anymore you want to recompile? And no peer isn't an
> answer, it's not available on windows. Your only way out
> is going to be single user mode. But wait, that's a security hole too.

Apologies for not being clearer.  I agree that we need an alternative
for addressing this use-case before we can consider getting rid of
'trust' or not having it built into the binaries which are distributed.

In other words, I agree with you that we can't simply get rid of 'trust'
without having another solution.  I *do* believe that a real single-user
mode that is only available to the owner of the cluster would go a long
way towards this goal.  If 'trust' was only able to be used by the owner
of the database, I'd have much less of an issue with it.

> I find the arguments presented in this thread for a configure option
> entirely unconvincing. If you'd argued for a saner default
> authentication setup: I'd be on board with that. But this seems just a
> pointless exercise in making things more complicated.

Thankfully, the packagers have already addressed the insecure default
that the source build provides for pg_hba.conf and so we don't need to
worry about it (except perhaps for new distributions or new packagers,
but I hope they'll usually look at the existing packages and not just
distribute what we provide as the default pg_hba.conf).
Thanks!
    Stephen
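
Added example, not part of the message above and not code from the PostgreSQL project: a small audit that reports every `trust` rule in a pg_hba.conf, which is the difference between the development-style file and the packaged ones that the message refers to. The function name and both sample files are constructed for illustration, and include directives (`@file`) are assumed to be out of scope.

```python
import ipaddress
import shlex

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample: every connection type authenticates with 'trust'.
SOURCE_STYLE = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
host    all       all   ::1/128        trust
"""

# Constructed sample: no 'trust' rules; the last line uses the
# separate IP-ADDRESS IP-MASK form.
HARDENED = """\
local   all       postgres             peer
host    all       all   127.0.0.1/32   md5
hostssl all       all   10.0.0.0  255.0.0.0  scram-sha-256
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def find_trust_rules(hba_text):
    """Return (line_no, type, database, user, address) for each 'trust' rule."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), start=1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if not fields:
            continue
        conn_type = fields[0]
        if conn_type == "local":
            method_idx, address = 3, "(unix socket)"
        elif conn_type in HOST_TYPES:
            # Either "ADDRESS METHOD" or "IP-ADDRESS IP-MASK METHOD".
            mask_form = (len(fields) > 5 and "/" not in fields[3]
                         and _is_ip(fields[3]) and _is_ip(fields[4]))
            method_idx = 5 if mask_form else 4
            address = " ".join(fields[3:method_idx])
        else:
            continue  # include directives and unknown record types are skipped
        if len(fields) > method_idx and fields[method_idx] == "trust":
            findings.append((line_no, conn_type, fields[1], fields[2], address))
    return findings
```

The method is located by field position, so a database or role that happens to be named `trust` is not reported.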
