Disable 'ident' as default auth method
| От | Craig Ringer |
|---|---|
| Тема | Disable 'ident' as default auth method |
| Дата | |
| Msg-id | CAMsr+YE+K65nHdP-i82F=vKHZvLU+woT-WUkA0arPZwv=K+YEw@mail.gmail.com обсуждение исходный текст |
| Ответы |
Re: Disable 'ident' as default auth method
Re: Disable 'ident' as default auth method |
| Список | pgsql-pkg-yum |
The PGDG RPM packages for PostgreSQL use 'ident' as the default auth method for loopback TCP connections.
psql: fe_sendauth: no password supplied
$ sudo -i -u postgres psql -h localhost postgres
--
This should be changed, as ident auth is not enabled on RH/Fedora systems by default. ident is insecure outside the loopback interface and should be strongly discouraged anyway.
This is the user's typical experience:
myuser$ sudo -u postgres -i
postgres$ psql -h localhost
psql: FATAL: Ident authentication failed for user "postgres"
psql: FATAL: Ident authentication failed for user "postgres"
Using 'md5' with no default pw isn't much better:
$ sudo -i -u postgres psql -h localhost postgres
Password for user postgres: psql: fe_sendauth: no password supplied
but if we can't do as Debian does and prompt for an initial pw (where interactive), at least it's consistent with how Pg is installed elsewhere.
Otherwise it could just be 'reject' so users can tell what's going on and are directed to the appropriate file:
$ sudo -i -u postgres psql -h localhost postgres
psql: FATAL: pg_hba.conf rejects connection for host "127.0.0.1", user "postgres", database "postgres", SSL off
(It's a shame we can't easily add a "HINT: try omitting the host setting to use local unix socket connections instead" when we see conn failures on loopback, but we probably can't.)
В списке pgsql-pkg-yum по дате отправления: