agora inbox for [email protected]  
help / color / mirror / Atom feed
From: Jim Nasby <[email protected]>
To: Peter Eisentraut <[email protected]>
To: Volker Aßmann <[email protected]>
To: Robert Haas <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Disabling trust/ident authentication configure option
Date: Wed, 6 May 2015 17:32:44 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
	<CA+Tgmobjmp1gDh4eDCSDGMpBF2rPph80108hXWgT7DStcxQb9g@mail.gmail.com>
	<CAJBpAdwvUaK55HCB8FEkzt2GO5cMvwcPmNeqqZThT-=Ra-G6XA@mail.gmail.com>
	<CA+TgmoYFWGoZVCRVpgwGYSiZhY9PFkC0mrmnYy3acFJ=aU0eEw@mail.gmail.com>
	<CAJBpAdwRPX4mzDJM0yLF_gf7d1Ud3mt4MhNO_+Hoz3xBqhSvTQ@mail.gmail.com>
	<[email protected]>
List-Unsubscribe: <mailto:[email protected]?body=unsub%20pgsql-hackers>

On 5/6/15 12:56 PM, Peter Eisentraut wrote:
>> I think this is a sufficiently general requirement to warrant including
>> >an option to disable this, as most hardening guides I have seen for
>> >PostgreSQL unconditionally require to disable trust authentication and
>> >disabling it in the code removes the need to check this in the runtime
>> >configuration.
> I think people would be interested in well-thought out, generalized
> hardening facilities.  But that would likely include other things than
> just disabling an authentication method or two.  And we can't be adding
> a new compile-time option as we add each one.  We need a more general
> approach.

Yeah. I think one of the big use cases here is that many environments 
are OK with at least ident (if not trust) but only from the local 
machine. So you'd probably want to handle that somehow.
-- 
Jim Nasby, Data Architect, Blue Treble Consulting
Data in Trouble? Get it in Treble! http://BlueTreble.com


-- 
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers



view thread (62+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected]
  Subject: Re: Disabling trust/ident authentication configure option
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox