Re: [HACKERS] Indent authentication overloading

2011-03-19 Thread Magnus Hagander
On Mon, Mar 14, 2011 at 16:26, Magnus Hagander mag...@hagander.net wrote: On Mon, Mar 14, 2011 at 16:17, Tom Lane t...@sss.pgh.pa.us wrote: Magnus Hagander mag...@hagander.net writes: On Mon, Mar 14, 2011 at 14:43, Robert Haas robertmh...@gmail.com wrote: Also, the text is not accurate:

Re: [HACKERS] Indent authentication overloading

2011-03-19 Thread Tom Lane
Magnus Hagander mag...@hagander.net writes: Here's an updated patch that removes this log message, and adds a few lines to initdb to create a combination of ident/peer rows. And finally, adds docs. Comments? As near as I can tell (I hate reading u-style diffs) you've documented the ident and

Re: [HACKERS] Indent authentication overloading

2011-03-19 Thread Magnus Hagander
On Sat, Mar 19, 2011 at 16:24, Tom Lane t...@sss.pgh.pa.us wrote: Magnus Hagander mag...@hagander.net writes: Here's an updated patch that removes this log message, and adds a few lines to initdb to create a combination of ident/peer rows. And finally, adds docs. Comments? As near as I can

Re: [HACKERS] Indent authentication overloading

2011-03-19 Thread Tom Lane
Magnus Hagander mag...@hagander.net writes: On Sat, Mar 19, 2011 at 16:24, Tom Lane t...@sss.pgh.pa.us wrote: ... The docs need to state the truth, namely that ident is still allowed as a synonym for peer on local connections.  Otherwise people will get confused as to why their pg_hba files

Re: [HACKERS] Indent authentication overloading

2011-03-19 Thread Magnus Hagander
On Sat, Mar 19, 2011 at 17:39, Tom Lane t...@sss.pgh.pa.us wrote: Magnus Hagander mag...@hagander.net writes: On Sat, Mar 19, 2011 at 16:24, Tom Lane t...@sss.pgh.pa.us wrote: ... The docs need to state the truth, namely that ident is still allowed as a synonym for peer on local connections.  

Re: [HACKERS] Indent authentication overloading

2011-03-14 Thread Magnus Hagander
On Fri, Mar 11, 2011 at 15:36, Peter Eisentraut pete...@gmx.net wrote: On tor, 2011-03-10 at 22:45 +0100, Magnus Hagander wrote: On Thu, Mar 10, 2011 at 22:22, Bruce Momjian br...@momjian.us wrote: Added to TODO:        Rename unix domain socket 'ident' connections to 'peer', to avoid  

Re: [HACKERS] Indent authentication overloading

2011-03-14 Thread Robert Haas
On Mon, Mar 14, 2011 at 5:18 AM, Magnus Hagander mag...@hagander.net wrote: On Fri, Mar 11, 2011 at 15:36, Peter Eisentraut pete...@gmx.net wrote: On tor, 2011-03-10 at 22:45 +0100, Magnus Hagander wrote: On Thu, Mar 10, 2011 at 22:22, Bruce Momjian br...@momjian.us wrote: Added to TODO:

Re: [HACKERS] Indent authentication overloading

2011-03-14 Thread Magnus Hagander
On Mon, Mar 14, 2011 at 14:43, Robert Haas robertmh...@gmail.com wrote: On Mon, Mar 14, 2011 at 5:18 AM, Magnus Hagander mag...@hagander.net wrote: On Fri, Mar 11, 2011 at 15:36, Peter Eisentraut pete...@gmx.net wrote: On tor, 2011-03-10 at 22:45 +0100, Magnus Hagander wrote: On Thu, Mar 10,

Re: [HACKERS] Indent authentication overloading

2011-03-14 Thread Tom Lane
Magnus Hagander mag...@hagander.net writes: On Mon, Mar 14, 2011 at 14:43, Robert Haas robertmh...@gmail.com wrote: Also, the text is not accurate: nothing has been automatically changed to anything.  The pg_hba.conf file is just as it was.  You could say something like ident authentication on

Re: [HACKERS] Indent authentication overloading

2011-03-14 Thread Magnus Hagander
On Mon, Mar 14, 2011 at 16:17, Tom Lane t...@sss.pgh.pa.us wrote: Magnus Hagander mag...@hagander.net writes: On Mon, Mar 14, 2011 at 14:43, Robert Haas robertmh...@gmail.com wrote: Also, the text is not accurate: nothing has been automatically changed to anything.  The pg_hba.conf file is

Re: [HACKERS] Indent authentication overloading

2011-03-11 Thread Peter Eisentraut
On tor, 2011-03-10 at 22:45 +0100, Magnus Hagander wrote: On Thu, Mar 10, 2011 at 22:22, Bruce Momjian br...@momjian.us wrote: Added to TODO: Rename unix domain socket 'ident' connections to 'peer', to avoid confusion with TCP 'ident' Should we consider adding peer as

Re: [HACKERS] Indent authentication overloading

2011-03-10 Thread Bruce Momjian
Added to TODO: Rename unix domain socket 'ident' connections to 'peer', to avoid confusion with TCP 'ident' * http://archives.postgresql.org/pgsql-hackers/2010-11/msg01053.php ---

Re: [HACKERS] Indent authentication overloading

2011-03-10 Thread Magnus Hagander
On Thu, Mar 10, 2011 at 22:22, Bruce Momjian br...@momjian.us wrote: Added to TODO:        Rename unix domain socket 'ident' connections to 'peer', to avoid        confusion with TCP 'ident' Should we consider adding peer as an alias for ident already in 9.1 (and change the default

Re: [HACKERS] Indent authentication overloading

2011-03-10 Thread Bruce Momjian
Magnus Hagander wrote: On Thu, Mar 10, 2011 at 22:22, Bruce Momjian br...@momjian.us wrote: Added to TODO: Rename unix domain socket 'ident' connections to 'peer', to avoid confusion with TCP 'ident' Should we consider adding peer as an alias for ident already in 9.1

Re: [HACKERS] Indent authentication overloading

2011-03-10 Thread Tom Lane
Magnus Hagander mag...@hagander.net writes: On Thu, Mar 10, 2011 at 22:22, Bruce Momjian br...@momjian.us wrote: Added to TODO:        Rename unix domain socket 'ident' connections to 'peer', to avoid        confusion with TCP 'ident' Should we consider adding peer as an alias for ident

Re: [HACKERS] Indent authentication overloading

2010-11-18 Thread Josh Berkus
We use it. Do you have an alternative that doesn't lower security besides Kerberos? Anti-ident arguments are straw man arguments - If you setup identd badly or don't trust remote root or your network, ident sucks as an authentication mechanism. Actually, you're trusting that nobody can add

Re: [HACKERS] Indent authentication overloading

2010-11-18 Thread Aidan Van Dyk
On Thu, Nov 18, 2010 at 1:01 PM, Josh Berkus j...@agliodbs.com wrote: We use it. Do you have an alternative that doesn't lower security besides Kerberos? Anti-ident arguments are straw man arguments - If you setup identd badly or don't trust remote root or your network, ident sucks as an

Re: [HACKERS] Indent authentication overloading

2010-11-18 Thread Tom Lane
Josh Berkus j...@agliodbs.com writes: We use it. Do you have an alternative that doesn't lower security besides Kerberos? Anti-ident arguments are straw man arguments - If you setup identd badly or don't trust remote root or your network, ident sucks as an authentication mechanism. Actually,

Re: [HACKERS] Indent authentication overloading

2010-11-18 Thread Magnus Hagander
On Thu, Nov 18, 2010 at 19:21, Tom Lane t...@sss.pgh.pa.us wrote: Josh Berkus j...@agliodbs.com writes: We use it. Do you have an alternative that doesn't lower security besides Kerberos? Anti-ident arguments are straw man arguments - If you setup identd badly or don't trust remote root or

Re: [HACKERS] Indent authentication overloading

2010-11-18 Thread Tom Lane
Magnus Hagander mag...@hagander.net writes: On Thu, Nov 18, 2010 at 19:21, Tom Lane t...@sss.pgh.pa.us wrote: I thought the proposal on the table was to add peer (or some other name) to refer to the unix-socket auth method, and use that term preferentially in the docs, while continuing to

Re: [HACKERS] Indent authentication overloading

2010-11-18 Thread Andrew Dunstan
On 11/18/2010 01:21 PM, Tom Lane wrote: I thought the proposal on the table was to add peer (or some other name) to refer to the unix-socket auth method, and use that term preferentially in the docs, while continuing to accept ident as an old name for it. Is that really too confusing? Not

Re: [HACKERS] Indent authentication overloading

2010-11-18 Thread Josh Berkus
I thought the proposal on the table was to add peer (or some other name) to refer to the unix-socket auth method, and use that term preferentially in the docs, while continuing to accept ident as an old name for it. Is that really too confusing? What about the pg_ident file? Are we going

Re: [HACKERS] Indent authentication overloading

2010-11-18 Thread Magnus Hagander
On Thu, Nov 18, 2010 at 19:41, Josh Berkus j...@agliodbs.com wrote: I thought the proposal on the table was to add peer (or some other name) to refer to the unix-socket auth method, and use that term preferentially in the docs, while continuing to accept ident as an old name for it.  Is that

Re: [HACKERS] Indent authentication overloading

2010-11-18 Thread Josh Berkus
We should've done that long ago - it's already used for things that aren't ident. If anything, it should be pg_usermap.conf. That would be nice. How would we handle the backwards compatibility? Accept pg_ident files also for 2 versions with a warning in the logs, and then stop reading them?

Re: [HACKERS] Indent authentication overloading

2010-11-18 Thread Greg Stark
On Thu, Nov 18, 2010 at 6:36 PM, Tom Lane t...@sss.pgh.pa.us wrote: It's also warning about the wrong thing.  IMO the real subtext to this discussion is that we're afraid people are using ident-over-TCP insecurely because they've confused it with ident-over-socket. Which is a legitimate

Re: [HACKERS] Indent authentication overloading

2010-11-18 Thread Magnus Hagander
On Thu, Nov 18, 2010 at 19:36, Tom Lane t...@sss.pgh.pa.us wrote: Magnus Hagander mag...@hagander.net writes: On Thu, Nov 18, 2010 at 19:21, Tom Lane t...@sss.pgh.pa.us wrote: I thought the proposal on the table was to add peer (or some other name) to refer to the unix-socket auth method, and

[HACKERS] Indent authentication overloading

2010-11-17 Thread Magnus Hagander
Currently, we overload indent meaning both unix socket authentication and ident over tcp, depending on what type of connection it is. This is quite unfortunate - one of them being one of the most secure options we have, the other one being one of the most *insecure* ones (really? ident over tcp?

Re: [HACKERS] Indent authentication overloading

2010-11-17 Thread Tom Lane
Magnus Hagander mag...@hagander.net writes: Currently, we overload indent meaning both unix socket authentication and ident over tcp, depending on what type of connection it is. This is quite unfortunate - one of them being one of the most secure options we have, the other one being one of the

Re: [HACKERS] Indent authentication overloading

2010-11-17 Thread Magnus Hagander
On Wed, Nov 17, 2010 at 16:39, Tom Lane t...@sss.pgh.pa.us wrote: Magnus Hagander mag...@hagander.net writes: Currently, we overload indent meaning both unix socket authentication and ident over tcp, depending on what type of connection it is. This is quite unfortunate - one of them being one

Re: [HACKERS] Indent authentication overloading

2010-11-17 Thread David Fetter
On Wed, Nov 17, 2010 at 04:43:00PM +0100, Magnus Hagander wrote: On Wed, Nov 17, 2010 at 16:39, Tom Lane t...@sss.pgh.pa.us wrote: Magnus Hagander mag...@hagander.net writes: Currently, we overload indent meaning both unix socket authentication and ident over tcp, depending on what type of

Re: [HACKERS] Indent authentication overloading

2010-11-17 Thread Jeroen Vermeulen
On 2010-11-17 22:43, Magnus Hagander wrote: at the advantage of not confusing new users. We could of course also just drop ident-over-tcp completely, but there might be some poor guy out there who actually *uses* it :-) As far as I know, companies do use it in their internal networks where

Re: [HACKERS] Indent authentication overloading

2010-11-17 Thread Peter Eisentraut
On ons, 2010-11-17 at 16:35 +0100, Magnus Hagander wrote: Currently, we overload indent meaning both unix socket authentication and ident over tcp, depending on what type of connection it is. This is quite unfortunate - one of them being one of the most secure options we have, the other one

Re: [HACKERS] Indent authentication overloading

2010-11-17 Thread Magnus Hagander
On Wed, Nov 17, 2010 at 17:10, Jeroen Vermeulen j...@xs4all.nl wrote: On 2010-11-17 22:43, Magnus Hagander wrote: at the advantage of not confusing new users. We could of course also just drop ident-over-tcp completely, but there might be some poor guy out there who actually *uses* it :-)

Re: [HACKERS] Indent authentication overloading

2010-11-17 Thread Magnus Hagander
On Wed, Nov 17, 2010 at 17:31, Peter Eisentraut pete...@gmx.net wrote: On ons, 2010-11-17 at 16:35 +0100, Magnus Hagander wrote: Currently, we overload indent meaning both unix socket authentication and ident over tcp, depending on what type of connection it is. This is quite unfortunate - one

Re: [HACKERS] Indent authentication overloading

2010-11-17 Thread Tom Lane
Magnus Hagander mag...@hagander.net writes: If it was a matter of changing it for those who use ident over tcp, I really wouldn't hesitate - they're few :-) But the problem is that it's the ident-over-tcp that's correctly named, not the other one... Yeah, renaming the TCP version would be

Re: [HACKERS] Indent authentication overloading

2010-11-17 Thread Jeroen Vermeulen
On 2010-11-18 00:14, Magnus Hagander wrote: If it was a matter of changing it for those who use ident over tcp, I really wouldn't hesitate - they're few :-) But the problem is that it's the ident-over-tcp that's correctly named, not the other one... True. By the way ISTR we don't fall back

Re: [HACKERS] Indent authentication overloading

2010-11-17 Thread Stuart Bishop
On Wed, Nov 17, 2010 at 10:35 PM, Magnus Hagander mag...@hagander.net wrote: Currently, we overload indent meaning both unix socket authentication and ident over tcp, depending on what type of connection it is. This is quite unfortunate - one of them being one of the most secure options we