Re: Using both ident and password in pg_hba.conf

Поиск
Список
Период
Сортировка
От D'Arcy J.M. Cain
Тема Re: Using both ident and password in pg_hba.conf
Дата
Msg-id 20160509224353.6b3de40e@imp
обсуждение исходный текст
Ответ на Re: Using both ident and password in pg_hba.conf  (Scott Mead <scottm@openscg.com>)
Ответы Re: Using both ident and password in pg_hba.conf  (Bruno Wolff III <bruno@wolff.to>)
Список pgsql-general
Дерево обсуждения 
On Mon, 9 May 2016 17:50:52 -0400
Scott Mead <scottm@openscg.com> wrote:
> > was thinking of something like this:
> >
> > host    all       joe@nobody  192.168.151.75/32       password
> > host    all       all         192.168.151.75/32       ident
> >
> > The "all@nobody" field is meant to specify that the remote user is
> > nobody but that they are connecting as user joe.  You would be able
> > to use "all" as well.  You don't even need to do an ident check
> > unless the auth method is "trust" which would be silly anyway.  In
> > fact "password" is the only method that even makes any sense at all.
>
> So, at a high-level, you want:
>
> - Users deploying php scripts in apache to require a password ( btw
> -- use md5, not password)

I was using "password" in the generic sense.

> - Users running php scripts from their shell accounts to connect with
> no password to the database
>
>   Is that correct?

Absolutely not.  I am allowing ident authentication for users because I
trust the client machine but require password (md5, whatever) when they
want to connect to their database but I can't confirm who they are.

>   Why not just require that everyone use an (again: *md5*) to
> connect?  It would be significantly more secure.  Is their a
> requirement that shell account users be able to connect without
> providing a password?

They aren't actually shell account users.  I have a shell machine too
but this is from the web server.  If I require passwords then they have
to store them in their scripts.  The scripts can be secured from other
users but not admins and since we don't otherwise know their raw
passwords I wouldn't like to expose them, even to us.

Of course PHP scripts have to run as nobody so I have no choice other
than to have them store passwords in various config.php files but PHP
users are used to that.  I would like to fix that but that's a war for
another day.

--
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 788 2246     (DoD#0082)    (eNTP)   |  what's for dinner.
IM: darcy@Vex.Net, VoIP: sip:darcy@druid.net

В списке pgsql-general по дате отправления:

Предыдущее
От: rverghese
Дата:
Сообщение: Inserting into a master table with partitions does not return rows affected.
Следующее
От: "D'Arcy J.M. Cain"
Дата:
Сообщение: Re: Using both ident and password in pg_hba.conf