Обсуждение: Disable 'ident' as default auth method

Поиск
Список
Период
Сортировка

Disable 'ident' as default auth method

От
Craig Ringer
Дата:
The PGDG RPM packages for PostgreSQL use 'ident' as the default auth method for loopback TCP connections.

This should be changed, as ident auth is not enabled on RH/Fedora systems by default. ident is insecure outside the loopback interface and should be strongly discouraged anyway.

This is the user's typical experience:

myuser$ sudo -u postgres -i
postgres$ psql -h localhost
psql: FATAL:  Ident authentication failed for user "postgres"

Using 'md5' with no default pw isn't much better:

$ sudo -i -u postgres psql -h localhost postgres
Password for user postgres:
psql: fe_sendauth: no password supplied
 
but if we can't do as Debian does and prompt for an initial pw (where interactive), at least it's consistent with how Pg is installed elsewhere.

Otherwise it could just be 'reject' so users can tell what's going on and are directed to the appropriate file:

$ sudo -i -u postgres psql -h localhost postgres
psql: FATAL:  pg_hba.conf rejects connection for host "127.0.0.1", user "postgres", database "postgres", SSL off

(It's a shame we can't easily add a "HINT: try omitting the host setting to use local unix socket connections instead" when we see conn failures on loopback, but we probably can't.)


--
 Craig Ringer                   http://www.2ndQuadrant.com/
 2ndQuadrant - PostgreSQL Solutions for the Enterprise

Re: Disable 'ident' as default auth method

От
Markus Bräunig
Дата:
Hi,

we use peer authentication for local connections.

local all postgres peer

By doing so you can just use #>psql as postgres-User (or using sudo -u postgres -i psql).
Could be a valid default.

Regards
Markus

Am 09.10.2019 um 05:22 schrieb Craig Ringer <craig@2ndquadrant.com>:

The PGDG RPM packages for PostgreSQL use 'ident' as the default auth method for loopback TCP connections.

This should be changed, as ident auth is not enabled on RH/Fedora systems by default. ident is insecure outside the loopback interface and should be strongly discouraged anyway.

This is the user's typical experience:

myuser$ sudo -u postgres -i
postgres$ psql -h localhost
psql: FATAL:  Ident authentication failed for user "postgres"

Using 'md5' with no default pw isn't much better:

$ sudo -i -u postgres psql -h localhost postgres
Password for user postgres:
psql: fe_sendauth: no password supplied
 
but if we can't do as Debian does and prompt for an initial pw (where interactive), at least it's consistent with how Pg is installed elsewhere.

Otherwise it could just be 'reject' so users can tell what's going on and are directed to the appropriate file:

$ sudo -i -u postgres psql -h localhost postgres
psql: FATAL:  pg_hba.conf rejects connection for host "127.0.0.1", user "postgres", database "postgres", SSL off

(It's a shame we can't easily add a "HINT: try omitting the host setting to use local unix socket connections instead" when we see conn failures on loopback, but we probably can't.)


--
 Craig Ringer                   http://www.2ndQuadrant.com/
 2ndQuadrant - PostgreSQL Solutions for the Enterprise

Re: Disable 'ident' as default auth method

От
Craig Ringer
Дата:
On Wed, 9 Oct 2019 at 12:36, Markus Bräunig <markus@braeunig.biz> wrote:
Hi,

we use peer authentication for local connections.

local all postgres peer

By doing so you can just use #>psql as postgres-User (or using sudo -u postgres -i psql).
Could be a valid default.

Yes. I'm aware of that and think it's the sensible default for 'local' connections.

I'm talking about 'host' connections for 127.0.0.1 and ::1 . The current default for that is nonsensical IMO.

Re: Disable 'ident' as default auth method

От
Markus Bräunig
Дата:
Hi,

OK you are talking about host connections.

ident maps to peer for local connections, so for these I would suggest implementing local directly.

For host connections I like the idea of reject. If I remember correctly the listen_addresses must be configured anyway (for remote access).

Regards
Markus

Am 09.10.2019 um 06:40 schrieb Craig Ringer <craig@2ndquadrant.com>:

On Wed, 9 Oct 2019 at 12:36, Markus Bräunig <markus@braeunig.biz> wrote:
Hi,

we use peer authentication for local connections.

local all postgres peer

By doing so you can just use #>psql as postgres-User (or using sudo -u postgres -i psql).
Could be a valid default.

Yes. I'm aware of that and think it's the sensible default for 'local' connections.

I'm talking about 'host' connections for 127.0.0.1 and ::1 . The current default for that is nonsensical IMO.

Re: Disable 'ident' as default auth method

От
Christoph Berg
Дата:
Re: Craig Ringer 2019-10-09 <CAMsr+YE+K65nHdP-i82F=vKHZvLU+woT-WUkA0arPZwv=K+YEw@mail.gmail.com>
> but if we can't do as Debian does and prompt for an initial pw (where
> interactive), at least it's consistent with how Pg is installed elsewhere.

Fwiw, the Debian packages do not ask for an initial password but leave
it to the user to an initial `sudo -u postgres psql`.

The defaults in pg_createcluster are --auth-local peer --auth-host md5.

(Some day I'll finally have a look at scram-sha-256.)

Christoph