Disable 'ident' as default auth method

Disable 'ident' as default auth method

Craig Ringer-3
The PGDG RPM packages for PostgreSQL use 'ident' as the default auth method for loopback TCP connections.

This should be changed, as ident auth is not enabled on RH/Fedora systems by default. ident is insecure outside the loopback interface and should be strongly discouraged anyway.

This is the user's typical experience:

myuser$ sudo -u postgres -i
postgres$ psql -h localhost
psql: FATAL:  Ident authentication failed for user "postgres"

Using 'md5' with no default pw isn't much better:

$ sudo -i -u postgres psql -h localhost postgres
Password for user postgres:
psql: fe_sendauth: no password supplied
 
but if we can't do as Debian does and prompt for an initial pw (where interactive), at least it's consistent with how Pg is installed elsewhere.

Otherwise it could just be 'reject' so users can tell what's going on and are directed to the appropriate file:

$ sudo -i -u postgres psql -h localhost postgres
psql: FATAL:  pg_hba.conf rejects connection for host "127.0.0.1", user "postgres", database "postgres", SSL off

(It's a shame we can't easily add a "HINT: try omitting the host setting to use local unix socket connections instead" when we see conn failures on loopback, but we probably can't.)


--
 Craig Ringer                   http://www.2ndQuadrant.com/
 2ndQuadrant - PostgreSQL Solutions for the Enterprise
Re: Disable 'ident' as default auth method

Markus Bräunig
Hi,

we use peer authentication for local connections.

local all postgres peer

By doing so you can just use #>psql as the postgres user (or use sudo -u postgres -i psql).
Could be a valid default.

Regards
Markus

On 09.10.2019 at 05:22, Craig Ringer <[hidden email]> wrote:
Re: Disable 'ident' as default auth method

Craig Ringer-3
On Wed, 9 Oct 2019 at 12:36, Markus Bräunig <[hidden email]> wrote:
Hi,

we use peer authentication for local connections.

local all postgres peer

By doing so you can just use #>psql as the postgres user (or use sudo -u postgres -i psql).
Could be a valid default.

Yes. I'm aware of that and think it's the sensible default for 'local' connections.

I'm talking about 'host' connections for 127.0.0.1 and ::1. The current default for that is nonsensical IMO.
Re: Disable 'ident' as default auth method

Markus Bräunig
Hi,

OK you are talking about host connections.

ident maps to peer for local connections, so for these I would suggest implementing local directly.

For host connections I like the idea of reject. If I remember correctly the listen_addresses must be configured anyway (for remote access).

Regards
Markus

On 09.10.2019 at 06:40, Craig Ringer <[hidden email]> wrote:
Re: Disable 'ident' as default auth method

Christoph Berg-2
In reply to this post by Craig Ringer-3
Re: Craig Ringer 2019-10-09 <CAMsr+YE+K65nHdP-i82F=vKHZvLU+woT-WUkA0arPZwv=[hidden email]>
> but if we can't do as Debian does and prompt for an initial pw (where
> interactive), at least it's consistent with how Pg is installed elsewhere.

Fwiw, the Debian packages do not ask for an initial password but leave
it to the user to do an initial `sudo -u postgres psql`.

The defaults in pg_createcluster are --auth-local peer --auth-host md5.

(Some day I'll finally have a look at scram-sha-256.)

Christoph
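As an added example that is not part of this thread or of the PGDG/Debian packaging: a small Python lint that parses a constructed pg_hba.conf in the PGDG style Craig describes, flags 'ident' on TCP host lines (the "Ident authentication failed" case) and on local lines (where it behaves as peer, as Markus notes), and emits a hardened copy using peer for local and a caller-chosen method for host (reject as Craig proposes, md5 as Debian uses, or scram-sha-256 as Christoph mentions). The sample file, the function names and the tab-separated output layout are my assumptions.

```python
"""Lint a pg_hba.conf for the weak default discussed in the thread and rewrite it.
Added example, not code from PGDG, Debian or PostgreSQL itself."""

# Constructed sample resembling the PGDG default described above (not a real file).
SAMPLE = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 ident
host    all       all   127.0.0.1/32  ident
host    all       all   ::1/128       ident
"""

HOST_TYPES = {"host", "hostssl", "hostnossl"}
METHODS = {"trust", "reject", "md5", "scram-sha-256", "password", "gss", "sspi",
           "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

def parse_pg_hba(text):
    """Return one dict per active line; 'local' lines carry no address column.
    Options after the method (map=, clientcert=, ...) are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if len(f) < 4 or (f[0] != "local" and len(f) < 5):
            raise ValueError(f"line {lineno}: too few fields")
        if f[0] == "local":            # local DATABASE USER METHOD
            addr, method = None, f[3]
        elif f[4] in METHODS:          # host DATABASE USER CIDR METHOD
            addr, method = f[3], f[4]
        else:                          # host DATABASE USER IP NETMASK METHOD
            addr, method = f"{f[3]} {f[4]}", f[5]
        entries.append({"line": lineno, "type": f[0], "db": f[1], "user": f[2],
                        "addr": addr, "method": method})
    return entries

def lint(entries):
    """Findings as (line, message); only the ident problem from the thread is checked."""
    out = []
    for e in entries:
        if e["method"] != "ident":
            continue
        if e["type"] in HOST_TYPES:
            out.append((e["line"], "ident over TCP needs an identd the client host "
                        "usually does not run; psql fails with 'Ident authentication failed'"))
        else:
            out.append((e["line"], "ident on a local line is treated as peer; write peer"))
    return out

def harden(entries, host_method="scram-sha-256"):
    """Rewrite ident lines: peer for local, host_method for TCP. Options are dropped."""
    lines = []
    for e in entries:
        m = e["method"]
        if m == "ident":
            m = "peer" if e["type"] == "local" else host_method
        cols = [e["type"], e["db"], e["user"]] + ([e["addr"]] if e["addr"] else []) + [m]
        lines.append("\t".join(cols))
    return "\n".join(lines) + "\n"
```

Running `harden(parse_pg_hba(SAMPLE), host_method="reject")` yields the 'reject' variant Craig describes, so a loopback TCP client gets the explicit "pg_hba.conf rejects connection" error instead of a misleading ident failure.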