On Thu, Aug 11, 2016 at 11:04:37AM -0600, support-tiger wrote:
> #1) pg_hba conf
> Out of the box the md5 setting blocks access. Most "advice" say change to
> "all all trust" and indeed that works. But that seems a big security issue.
> Specifying a postgres role, password, and peer does not seem to work. And
> this approach is problematic if there are many roles or even dynamically
> created roles.
>
> Or is pb_hba conf set up for web sockets and we should be using sockets?
>
> For general use, it seems we should not have to modify this file - it should
> "just work" with good security.
While I agree this sounds desirable I don't think it is
possible (depending on the definition of "possible").
Would you like to offer a suggestion as to what pg_hba.conf
should be configured as by default ? (Note that I am not
soliciting a suggestion on behalf of the PostgreSQL team.)
Methinks "deny-by-default" is Good Practice security-wise ?
Regards,
Karsten
--
GPG key ID E4071346 @ eu.pool.sks-keyservers.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346