On Fri, Dec 16, 2005 at 02:09:52PM -0500, Madison Kelly wrote:
> May I ask then? What *is* considered "best practices" for securing a
> database in PostgreSQL? Assuming I leave the 'pg_hba.conf' file at it's
> default values, is there any real point to having a password on a
> postgresql user account? I've been reading the docs but I guess I am
> overthinking the problem or missing something obvious. :p
If someone can login without being asked for a password, that generally
means the system is setup not to ask. I'm not sure what you mean by
"default" configuration, since you are probably using the one installed
by your distro.
It's very hard to see what the problem is unless you post your full
pg_hba.conf and the actual command-lines you used, including which UNIX
user you used. The two lines you gave would allow the postgres UNIX
user to login to any database as himself without a password, and allow
foo into bar with md5 authentication. If you are seeing something else
you should be explicit how you're logging in.
Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.