Re: Postgres Pain Points: 1 pg_hba conf

On 8/16/2016 1:32 PM, support-tiger wrote:
>    local    all             all                     trust

so all unix 'domain' connections will allow any process on the system to
authenticate as any SQL user.    I nearly always use peer here.   my
applications which want to connect as a different db user than their os
user, I specify host=localhost so it uses below instead...

>    host     all             all       127.0.0.1/32  trust

anyone coming in via ipv4 localhost can also authenticate as any SQL
user.  I always use md5 here, so apps connecting with host=localhost can
specify a sql user, with a password.

>    host     all             all       ::1/128       ident

anyone coming in as ipv6 localhost will require authd/identd protocol to
identify them... ugh, hardly noone runs authd anymore, its considered
bad security practice.  its also inconsistent with ipv4 localhost above,
so if you -h localhost, you're not sure what you're getting... I would
always use md5 here.



--
john r pierce, recycling bits in santa cruz