On Wed, Oct 29, 2014 at 10:52:38AM +0800, Craig Ringer wrote:
> On 10/29/2014 10:45 AM, Tom Lane wrote:
> > Craig Ringer <cr...@2ndquadrant.com> writes:
> >> At pgconf-eu Álvaro and I were discussing the idea of allowing 'peer'
> >> and 'ident' authentication to fall back to md5 if the peer/ident check
> >> failed.
> >
> > I think it would be acceptable to define *new* auth modes that work
> > that way. I'm violently against redefining the meaning of existing
> > pg_hba.conf entries like this: it's not terribly hard to imagine
> > cases where it'd be a security problem, and even if you claim it isn't,
> > people will get bent out of shape if they think you're poking holes
> > in their oh-so-carefully-chosen authentication arrangements.

Switching from today's "peer" to the proposed method in a given installation
can indeed open a security hole. If you accept peer authentication only,
quality of account passwords is irrelevant. Using this mode requires setting
a strong password or no password at all.

> There's no point adding a usability improvement that's off by default.
>
> Distros can still enable it, though, and they're what I'm interested in.
> Nobody uses PostgreSQL's initdb default for pg_hba.conf ('trust') anyway.

Switching away from "trust" has been a safe call for distributions, because
every other method is strictly less permissive. "md5_or_peer" would be
strictly more permissive than either "md5" or "peer", so a distribution
switching to the new mode would be betting that the extra usability makes up
for folks overlooking the change and getting a security hole. (I think the
care needed to vet a switch from md5 to md5+peer is less than that needed to
vet a switch from peer to md5+peer.)

> I don't care in the slightest how it's spelled; these:
>
> peer
> peer with_md5_fallback
> peer md5_fallback=on
> peer_or_md5

Think about making this an option of the "peer" method that allows trying
subsequent pg_hba.conf lines when "peer" fails. Call it something like
"continue" or "sufficient". pg_hba.conf would have:

    local all all peer continue
    local all all md5

This lets you pair peer authentication with methods other than md5.

Thanks,
nm

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
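
The fall-through semantics proposed in the message above, as an added example that is not part of the original message or of PostgreSQL's code. It is a toy model: the `continue` option is the proposal under discussion rather than an existing setting, the role names and passwords are constructed, and the md5 exchange is reduced to a plain comparison.

```python
# Toy model of pg_hba.conf matching for "local all all" lines (constructed).
# "continue" is the option proposed in the message, not a PostgreSQL setting.
PEER_ONLY = "local all all peer"
MD5_ONLY = "local all all md5"
PEER_CONTINUE = "local all all peer continue\nlocal all all md5"

# Constructed roles: alice has a password, carol has none set.
PASSWORDS = {"alice": "s3cret", "carol": None}

def parse_hba(text):
    """Return [(method, options)] for each 'local all all ...' line."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[:3] == ["local", "all", "all"]:
            rules.append((fields[3], set(fields[4:])))
    return rules

def check(method, os_user, db_user, password):
    if method == "peer":   # OS account name must equal the role name
        return os_user == db_user
    if method == "md5":    # simplified: plain comparison instead of the md5 exchange
        stored = PASSWORDS.get(db_user)
        return stored is not None and password == stored
    return False

def authenticate(config, os_user, db_user, password=None):
    """Return the method that accepted the connection, or None.

    The first matching line decides; a failure falls through to the next
    line only when the failed line carries the proposed 'continue' option.
    """
    for method, options in parse_hba(config):
        if check(method, os_user, db_user, password):
            return method
        if "continue" not in options:
            return None
    return None

def accepted(os_user, db_user, password=None):
    """Which of the three configurations accept this attempt."""
    configs = {"peer": PEER_ONLY, "md5": MD5_ONLY, "peer continue": PEER_CONTINUE}
    return {name for name, cfg in configs.items()
            if authenticate(cfg, os_user, db_user, password)}

if __name__ == "__main__":
    print(accepted("alice", "alice"))           # role owner, no password supplied
    print(accepted("bob", "alice", "s3cret"))   # other OS user who knows the password
    print(accepted("bob", "carol", ""))         # role with no password set
```

The set accepted by "peer continue" is the union of what "peer" and "md5" accept, which is why password quality starts to matter once a peer-only line gains the fall-through.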