Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtp (Exim 4.80) (envelope-from ) id 1Yq7sE-0003v4-Pg for pgsql-hackers@arkaria.postgresql.org; Wed, 06 May 2015 22:33:02 +0000 Received: from localhost ([127.0.0.1] helo=postgresql.org) by malur.postgresql.org with smtp (Exim 4.80) (envelope-from ) id 1Yq7sD-0000sJ-Qw for pgsql-hackers@arkaria.postgresql.org; Wed, 06 May 2015 22:33:01 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.2:RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1Yq7sB-0000sA-MO for pgsql-hackers@postgresql.org; Wed, 06 May 2015 22:32:59 +0000 Received: from mail-by2on0069.outbound.protection.outlook.com ([207.46.100.69] helo=na01-by2-obe.outbound.protection.outlook.com) by magus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256) (Exim 4.84) (envelope-from ) id 1Yq7s6-0003zo-DU for pgsql-hackers@postgresql.org; Wed, 06 May 2015 22:32:58 +0000 Authentication-Results: postgresql.org; dkim=none (message not signed) header.d=none; Received: from decina.local (70.113.16.71) by CY1PR11MB0683.namprd11.prod.outlook.com (25.163.236.21) with Microsoft SMTP Server (TLS) id 15.1.154.19; Wed, 6 May 2015 22:32:48 +0000 Message-ID: <554A968C.9030309@BlueTreble.com> Date: Wed, 6 May 2015 17:32:44 -0500 From: Jim Nasby User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 MIME-Version: 1.0 To: Peter Eisentraut , =?UTF-8?B?Vm9sa2VyIEHDn21hbm4=?= , Robert Haas CC: "pgsql-hackers@postgresql.org" Subject: Re: Disabling trust/ident authentication configure option References: <554A55CA.5000705@gmx.net> In-Reply-To: <554A55CA.5000705@gmx.net> Content-Type: text/plain; charset="utf-8"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [70.113.16.71] X-ClientProxiedBy: SN1PR07CA0030.namprd07.prod.outlook.com (25.162.170.168) To CY1PR11MB0683.namprd11.prod.outlook.com (25.163.236.21) X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR11MB0683; X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:; X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:CY1PR11MB0683; BCL:0; PCL:0; RULEID:; SRVR:CY1PR11MB0683; X-Forefront-PRVS: 0568F32D91 X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(6009001)(24454002)(479174004)(377454003)(42186005)(23676002)(46102003)(66066001)(47776003)(65806001)(65956001)(59896002)(189998001)(36756003)(2950100001)(86362001)(92566002)(50466002)(4001350100001)(5001770100001)(62966003)(77156002)(122386002)(5001920100001)(5001960100002)(76176999)(50986999)(87976001)(15975445007)(65816999)(54356999)(83506001)(19580395003)(93886004)(80316001)(40100003)(33656002)(85282002)(18886065003); DIR:OUT; SFP:1101; SCL:1; SRVR:CY1PR11MB0683; H:decina.local; FPR:; SPF:None; MLV:sfv; LANG:en; X-OriginatorOrg: bluetreble.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 May 2015 22:32:48.9056 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR11MB0683 X-Pg-Spam-Score: -1.9 (-) List-Archive: List-Help: List-ID: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: X-Mailing-List: pgsql-hackers Precedence: bulk Sender: pgsql-hackers-owner@postgresql.org On 5/6/15 12:56 PM, Peter Eisentraut wrote: >> I think this is a sufficiently general requirement to warrant including >> >an option to disable this, as most hardening guides I have seen for >> >PostgreSQL unconditionally require to disable trust authentication and >> >disabling it in the code removes the need to check this in the runtime >> >configuration. > I think people would be interested in well-thought out, generalized > hardening facilities. But that would likely include other things than > just disabling an authentication method or two. And we can't be adding > a new compile-time option as we add each one. We need a more general > approach. Yeah. I think one of the big use cases here is that many environments are OK with at least ident (if not trust) but only from the local machine. So you'd probably want to handle that somehow. -- Jim Nasby, Data Architect, Blue Treble Consulting Data in Trouble? Get it in Treble! http://BlueTreble.com -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers