Re: Disabling trust/ident authentication configure option

* Josh Berkus (josh@agliodbs.com) wrote:
> On 05/06/2015 02:13 PM, Tom Lane wrote:
> > Andrew Dunstan <andrew@dunslane.net> writes:
> >> (Personally I think there's a very good case for completely ripping out
> >> RFC1413 ident auth. I've not seen it used in a great long while, and
> >> it's always been a security risk.)
> >
> > FWIW, I agree with that --- or at least making it a not-built-by-default
> > option.
>
> I have seen it in the last year, actually, but only once, which even for
> my personal pool represents < 1% usage.  So ...
>
> > Probably the right time to make any such changes is at the same time
> > we add the proposed more-secure-than-MD5 password option.
>
> +1 to kill off ident when we replace MD5, since users will need to be
> beaten over the head about changes to auth methods anyway.

I realize it's not going to be popular, but I'd love to have 'trust'
only allowed if a command-line option is passed to the postmaster or
something along those lines.  It's really got no business being an
option for a network service like PG.  I'd suggest ripping it out
entirely but I'm sure that'd be even less popular and Andrew does make a
good point that our single-user-mode is still so terrible that we have
to support a multi-user-mode with zero auth, to deal with certain kinds
of breakage/corruption.  The fix for that is having a real single-user
mode that is usable, as has been discussed previously, but we don't seem
to be making much progress in that direction, unfortunately.
Thanks!
    Stephen