Justin Hawkins <justin@internode.com.au> writes:
> I'm putting together a system to monitor multiple postgresql
> installations and to gain full access to all remote statistics I'd like
> to connect as the super user.
> To do that I'd add a single IP entry in pg_hba.conf for the monitoring
> machine and give the superuser a password.
> The things I know I want to keep in mind:
> o Ensure I only allow user pgsql access from that one IP
> o Ensure I'm not passing the password or hash in cleartext over the
> general internet
> o (Alternatively, use SSL for all superuser connections)
I'd recommend enforcing SSL connections (see "hostssl"). If you are
pulling stats, there could be plenty of sensitive info passing over that
connection, eg the details of other people's queries. The password is
far from the only thing you want to protect.
> o Keep local 'trust' access for 'all' so I can continue to use tools
> like pg_dump locally without passwords
That is an orthogonal issue. However, have you thought about local IDENT?
Or for that matter, ~/.pgpass files work fine.
regards, tom lane