Discussion: Security question UNIX Sockets vs CIDR style access
Hi All;
I'm looking for thoughts/feedback on the use of UNIX Sockets vs standard CIDR style access (i.e., Ident, MD5, etc.) to a Postgres Cluster. What are the pros/cons, which is more secure and why, etc...
Thanks in advance
Hi Kevin,

Kevin Kempter wrote:
> Hi All;
>
> I'm looking for thoughts/feedback on the use of UNIX Sockets vs
> standard CIDR style access (i.e., Ident, MD5, etc.) to a Postgres
> Cluster. What are the pros/cons, which is more secure and why, etc...

I think you're confusing the here. CIDR refers to a method of addressing network IP ranges (or a single host, which could be argued is a network range of 1 address). See http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing. Ident and MD5 refer to authentication methods that PostgreSQL supports, and these methods of authentication can also be applied to a UNIX socket.

If you're asking whether a UNIX socket is preferable to a TCP/IP connection (i.e. over a network interface), then a Unix socket is more secure because it only allows the local machine to access it. Of course, a user account on the server could be hacked to gain access to the server, so it isn't 100% secured to the local machine. With TCP/IP connections you have the added benefit of being able to restrict/allow access by IP address.

If you're asking which of the authentication methods (ident, MD5 etc.) is more secure, then I would say that "trust" is obviously the least secure as it allows anyone in without a password (providing the pg_hba rule matches). MD5 is more secure than "password" as the password is hashed before being sent across the network. Ident is specific to a Unix system and is only recommended for trusted networks where it's not possible for a hacker to gain access (i.e. a private network not connected to the outside world), so is insecure. The remaining options, in my opinion, are only useful if they fit your particular environment - for example, LDAP to authenticate against Active Directory etc.

Regards,
Andy
> I think you're confusing the here.

PS. That should have been "I think you're confusing concepts here" - deleted the wrong word!
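As an added illustration of the pg_hba.conf mechanics Andy describes (this is example code written for this page, not code from the thread or from PostgreSQL itself): a small Python model of how the server picks the first matching record for a UNIX-socket ("local") connection versus a TCP/IP ("host") connection whose address falls in a CIDR range, run against a constructed pg_hba.conf. The file contents, the database and role names (appdb, appuser) and the network ranges are made up for the example, and the matcher is deliberately simplified (no hostssl/hostnossl records, no netmask-form addresses, no @file lists or keywords such as sameuser). It puts the weak setting from the thread, "trust" reachable over the network, beside the same file with that record removed, and shows that a client matching no record is simply rejected.

```python
"""Toy model of PostgreSQL pg_hba.conf record matching (added example, not
PostgreSQL code). It covers only "local" and "host" records with CIDR
addresses; hostssl/hostnossl, netmask-form addresses, @file lists and
keywords such as sameuser or replication are out of scope."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample, not a recommended file. Line 7 is the weak setting the
# thread warns about: "trust" reachable from any TCP/IP address.
WEAK_PG_HBA = """
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       postgres                   ident
local   all       all                        md5
host    all       all       127.0.0.1/32     md5
host    appdb     appuser   10.0.0.0/24      md5
host    all       all       0.0.0.0/0        trust
"""

# Same constructed file with the open "trust" record dropped: a TCP/IP client
# outside 127.0.0.1 and 10.0.0.0/24 then matches nothing and is rejected.
HARDENED_PG_HBA = """
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       postgres                   ident
local   all       all                        md5
host    all       all       127.0.0.1/32     md5
host    appdb     appuser   10.0.0.0/24      md5
"""


@dataclass
class Rule:
    conn_type: str          # "local" (UNIX socket) or "host" (TCP/IP)
    database: str           # "all" or a database name
    user: str               # "all" or a role name
    address: Optional[ipaddress.IPv4Network | ipaddress.IPv6Network]  # None for local
    method: str             # trust, md5, password, ident, ...
    lineno: int             # line in the source file, for reporting


def parse_pg_hba(text: str) -> list[Rule]:
    """Parse the supported subset of pg_hba.conf records, in file order."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local" and len(fields) == 4:
            _, db, user, method = fields
            rules.append(Rule("local", db, user, None, method, lineno))
        elif fields[0] == "host" and len(fields) == 5:
            _, db, user, addr, method = fields
            net = ipaddress.ip_network(addr, strict=False)
            rules.append(Rule("host", db, user, net, method, lineno))
        else:
            raise ValueError(f"line {lineno}: unsupported record {raw!r}")
    return rules


def _matches(pattern: str, value: str) -> bool:
    return pattern == "all" or pattern == value


def first_match(rules: list[Rule], database: str, user: str,
                client_ip: Optional[str] = None) -> Optional[Rule]:
    """Return the first record that applies to a connection, or None.

    client_ip=None means the client came in over the UNIX socket and only
    "local" records are considered; a string address means TCP/IP and only
    "host" records whose CIDR range contains the address are considered.
    PostgreSQL uses the first matching record; if authentication with that
    record's method then fails it does not fall through to later ones, and
    a connection that matches no record at all is rejected.
    """
    for rule in rules:
        if client_ip is None:
            if rule.conn_type != "local":
                continue
        else:
            if rule.conn_type != "host":
                continue
            if ipaddress.ip_address(client_ip) not in rule.address:
                continue
        if _matches(rule.database, database) and _matches(rule.user, user):
            return rule
    return None


def trust_over_network(rules: list[Rule]) -> list[Rule]:
    """Records that combine TCP/IP reachability with no password at all."""
    return [r for r in rules if r.conn_type == "host" and r.method == "trust"]


if __name__ == "__main__":
    weak = parse_pg_hba(WEAK_PG_HBA)
    for db, user, ip in [("appdb", "appuser", None), ("appdb", "postgres", None),
                         ("appdb", "appuser", "10.0.0.7"),
                         ("appdb", "appuser", "203.0.113.5")]:
        r = first_match(weak, db, user, ip)
        print(f"{db}/{user} via {ip or 'unix socket'} -> line {r.lineno}: {r.method}")
    print("open trust records at lines:", [r.lineno for r in trust_over_network(weak)])
    print("outside client against hardened file:",
          first_match(parse_pg_hba(HARDENED_PG_HBA), "appdb", "appuser", "203.0.113.5"))
```

Running it shows the two points from the thread side by side: the same appuser role gets md5 on the UNIX socket (line 4) and md5 from 10.0.0.7 (line 6), but from an address outside both CIDR ranges it falls through to the trust record on line 7 and is let in with no password at all; with that record removed, the outside client matches nothing and is rejected, which is the "restrict/allow access by IP address" benefit of the host records.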
kevink@consistentstate.com (Kevin Kempter) writes:
> I'm looking for thoughts/feedback on the use of UNIX Sockets vs standard CIDR style access (i.e., Ident, MD5, etc.) to a Postgres Cluster. What are the
> pros/cons, which is more secure and why, etc...

There is no single answer, which is essentially why there is the whole array of access methods. Each has reasons to be preferable under particular circumstances, and there is a fair bit of documentation on this in the standard documentation. Please see:

http://www.postgresql.org/docs/8.3/static/auth-methods.html

--
let name="cbbrowne" and tld="linuxdatabases.info" in String.concat "@" [name;tld];;
http://cbbrowne.com/info/sgml.html
"Over a hundred years ago, the German poet Heine warned the French not to underestimate the power of ideas: philosophical concepts nurtured in the stillness of a professor's study could destroy a civilization." --Isaiah Berlin in /The Power of Ideas/