Re: Disable 'ident' as default auth method

Am 09.10.2019 um 05:22 schrieb Craig Ringer <craig@2ndquadrant.com>:

The PGDG RPM packages for PostgreSQL use 'ident' as the default auth method for loopback TCP connections.

This should be changed, as ident auth is not enabled on RH/Fedora systems by default. ident is insecure outside the loopback interface and should be strongly discouraged anyway.

This is the user's typical experience:

myuser$ sudo -u postgres -i

postgres$ psql -h localhost
psql: FATAL:  Ident authentication failed for user "postgres"

Using 'md5' with no default pw isn't much better:

$ sudo -i -u postgres psql -h localhost postgres

Password for user postgres:
psql: fe_sendauth: no password supplied

 

but if we can't do as Debian does and prompt for an initial pw (where interactive), at least it's consistent with how Pg is installed elsewhere.

Otherwise it could just be 'reject' so users can tell what's going on and are directed to the appropriate file:

$ sudo -i -u postgres psql -h localhost postgres

psql: FATAL:  pg_hba.conf rejects connection for host "127.0.0.1", user "postgres", database "postgres", SSL off

(It's a shame we can't easily add a "HINT: try omitting the host setting to use local unix socket connections instead" when we see conn failures on loopback, but we probably can't.)

--

 Craig Ringer                   http://www.2ndQuadrant.com/
 2ndQuadrant - PostgreSQL Solutions for the Enterprise