public inbox for [email protected]
From: Craig Ringer <[email protected]>
To: James Cassell <[email protected]>
Cc: PostgreSQL Yum Package List <[email protected]>
Subject: Re: Can we stop defaulting to 'ident'?
Date: Fri, 20 Dec 2019 11:00:43 +0800
Message-ID: <CAMsr+YF8UkY6NC0A39zFL9UPh_QwX4KTOPkmAYgiTPo-bFDFYw@mail.gmail.com>
In-Reply-To: <[email protected]>
References: <CAMsr+YFCuBGWh4=aM-K2LCsBEwcrqm=pphKKHEH09vHwXcspow@mail.gmail.com>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
On Fri, 20 Dec 2019 at 05:08, James Cassell <[email protected]> wrote:
>
> I fail to see how ident over TCP is insecure when used on the localhost
> address. Can you explain? Otherwise, is there a way to make peer
> authentication work with TCP connections?
>
ident is secure (or as secure as 'peer' for unix sockets) over TCP/IP
loopback connections. But pretty much only then or on networks that you
totally control all hosts on and all access to.
To spoof ident you must be able to open a listening socket on a privileged
port on the loopback host. So you need superuser privileges or the
CAP_NET_BIND_SERVICE capability which must be explicitly granted.
I am not arguing for ident to be removed. I'm arguing for it to stop being
the default for rpm package initdb, since it's *totally useless and
nonfunctional without additional services that the rpms do not depend on*.
It actively gets in the way of users since they cannot then simply
CREATE USER foo WITH PASSWORD 'bar';
and connect. They have to go in and unf@#$ our generated pg_hba.conf too.
So if you like ident, fine. That's not a problem. You can
/usr/pgsql-12/bin/postgresql-12-setup -A ident
and nothing else changes for you. But it's a really obsolete and unhelpful
default, and it's also one that adds yet another difference vs the Debian
packages to add to user confusion.
[craig@ayaki] $ psql -h localhost
psql: error: could not connect to server: FATAL: Ident authentication
failed for user "craig"
"WOT?"
Now, we're hardly going to depend on the ident service in the packages.
It's a security policy violation in many places to even run it. So we
should change the default - probably to scram-sha-256 on pg11 and pg12, and
md5 on older releases.
The only BC implication I can see is that someone's scripts might, rather
than invoking
/usr/pgsql-12/bin/postgresql-12-setup -A md5
be doing
/usr/pgsql-12/bin/postgresql-12-setup
sed -i 's/ident/md5/g' /var/lib/pgsql/12/data/pg_hba.conf
or the like. But I don't think that's a big concern: it's an easy fix, only
affects new initdbs, and is sufficient to cover in the 'news' section +
changelog.
--
Craig Ringer http://www.2ndQuadrant.com/
2ndQuadrant - PostgreSQL Solutions for the Enterprise
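An added example, not from this thread or from the PostgreSQL packages: a field-aware audit of a constructed pg_hba.conf in the shape `initdb -A ident` produces. It lists the TCP rules that depend on the ident service and rewrites only their METHOD column, so a blanket `sed 's/ident/md5/g'` is not needed and comments or `local ... peer` rows are left alone. The sample file, its comments and the `map=ops` option are all made up for the demonstration.

```python
import re
# Constructed sample in the shape "initdb -A ident" produces; not a real file.
SAMPLE_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
# the ident rows below need an identd service that the rpms do not ship
local   all             all                                     peer
host    all             all             127.0.0.1/32            ident
host    all             all             ::1/128                 ident
host    all             all             10.0.0.0  255.0.0.0     ident  map=ops
"""

METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
           "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def parse_rule(line):
    """Return (type, method, method_field_index) for a rule line, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0] == "local" and len(fields) > 3:
        return fields[0], fields[3], 3
    if fields[0] in HOST_TYPES and len(fields) > 4:
        # ADDRESS is either one CIDR field or an address plus a separate netmask
        idx = 4 if fields[4] in METHODS else 5
        if len(fields) > idx:
            return fields[0], fields[idx], idx
    return None

def find_ident_rules(text):
    """1-based line numbers of TCP rules that depend on the ident service."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule and rule[0] in HOST_TYPES and rule[1] == "ident":
            hits.append(n)
    return hits

def replace_method(text, old, new):
    """Rewrite METHOD on host-type rules only; comments and local rules stay as-is."""
    out = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and rule[0] in HOST_TYPES and rule[1] == old:
            parts = re.split(r"(\s+)", line)   # keep whitespace so columns stay aligned
            base = 2 if parts[0] == "" else 0  # leading whitespace shifts the tokens
            parts[base + 2 * rule[2]] = new
            line = "".join(parts)
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `find_ident_rules(SAMPLE_HBA)` reports the three host rows, and `replace_method(SAMPLE_HBA, "ident", "scram-sha-256")` leaves the comment mentioning identd and the local peer row untouched.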