Discussion: ident auth vs. encrypting ident daemons
Currently, the Red Hat and (I believe) PGDG RPMs set up ident authentication as the default, by running initdb with
	--auth='ident sameuser'
I think several other binary distros do the same.

It was pointed out to me recently that this does not work real well anymore on Fedora. It's fine on Unix-socket connections but fails entirely on localhost TCP, because (1) the TCP ident daemon isn't started by default (even assuming you installed it), and (2) if it is running, the default arguments for it include "-E" which causes it to return an encrypted version of the username. So authentication will always fail.

In the modern net it's kind of hard to tell people to run identd servers without -E, so I'm thinking that this default is becoming more and more useless. IMHO there are a couple of things we ought to do about it:

* initdb has to abandon the one-size-fits-all approach to auth methods; we need to be able to specify different auth methods for unix-socket and TCP. (Of course, the RPMs could just hack in the right thing with sed, but then why are we bothering to support an --auth argument at all?)

* I'm inclined to make the Red Hat RPMs default to ident on socket and md5 on localhost ... any comments about that?

* We ought to think about ways to cope with encrypted ident daemons. Assuming that a given daemon always reports the same encrypted string for a given username, ISTM it ought to be possible for a DBA to set up an ident mapping file that would allow ident-encrypted authentication to work. You'd likely need a separate mapping file per client host because the encryption keys would be different, but it'd beat not having ident support at all. We'd need to add documentation explaining how to do this, and I think we should also tweak the logging of failed ident-auth connections.

All we have at the moment is
	ereport(DEBUG2,
		(errmsg("Ident protocol identifies remote user as \"%s\"",
				ident_user)));
which is pretty inadequate because it doesn't mention either the PG user name or the remote machine's address. I'd like to put out a LOG-level message mentioning all three anytime TCP ident authentication fails, so that the postmaster log provides the info needed to set up a mapping file. Can anyone see any reasons not to do that?

			regards, tom lane
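Tom's two proposals above (a per-client-host ident mapping file for encrypting daemons, and a failure log line carrying the PG user, the remote address and the ident user) as an added Python sketch; this is example code, not part of the original thread or of the server. The RFC 1413 reply strings, the bracketed encrypted token and the "host10" map are constructed, and the parsing is a simplified re-implementation of how the server reads an ident reply, not its code.

```python
# Constructed RFC 1413 replies; the bracketed token stands in for what an
# identd started with -E returns instead of the real username.
PLAIN_REPLY = "6543, 5432 : USERID : UNIX : tom"
ENCRYPTED_REPLY = "6543, 5432 : USERID : OTHER : [Z4Nn3c+7WlF6Mc4Yb7dR1Q==]"
ERROR_REPLY = "6543, 5432 : ERROR : NO-USER"

# Hypothetical pg_ident.conf-style map, one map name per client host that
# runs an encrypting identd:  MAPNAME  IDENT-USERNAME  PG-USERNAME
IDENT_MAP_TEXT = """
# host10: map for client 192.168.1.10, whose identd runs with -E
host10  [Z4Nn3c+7WlF6Mc4Yb7dR1Q==]  tom
"""

def parse_ident_response(reply):
    """Return the user field of an ident reply, or None on ERROR/malformed.
    Simplified re-implementation of the server-side parse (assumption):
    'server-port, client-port : USERID : os-type : user'."""
    fields = [f.strip() for f in reply.split(":", 3)]
    if len(fields) != 4 or fields[1] != "USERID" or not fields[3]:
        return None
    return fields[3].split()[0]      # user ends at first whitespace/CRLF

def load_ident_map(text):
    """Parse map lines into {map_name: {(ident_user, pg_user), ...}}."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            map_name, ident_user, pg_user = line.split()
            mapping.setdefault(map_name, set()).add((ident_user, pg_user))
    return mapping

def ident_auth(reply, client_addr, pg_user, map_name, ident_map):
    """Return (ok, log_line). 'sameuser' requires identical names; any
    other map name is looked up in ident_map (the proposed per-host file)."""
    ident_user = parse_ident_response(reply)
    if ident_user is not None:
        if map_name == "sameuser":
            ok = ident_user == pg_user
        else:
            ok = (ident_user, pg_user) in ident_map.get(map_name, set())
        if ok:
            return True, None
    # The LOG-level message Tom proposes: PG user, remote address and the
    # ident user together, which is everything needed to write a map entry.
    return False, ('LOG:  ident authentication failed for user "%s": '
                   'remote host %s reported ident user "%s"'
                   % (pg_user, client_addr, ident_user or "<none>"))
```

With 'sameuser' the encrypted reply can never match, which is the Fedora failure described above; the same reply succeeds once the log line has been turned into a "host10" map entry.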
On Thursday, June 15, 2006 at 22:29, Tom Lane wrote:
> Currently, the Red Hat and (I believe) PGDG RPMs set up ident
> authentication as the default, by running initdb with
> --auth='ident sameuser'
> I think several other binary distros do the same.

Just to note, Mandriva still provides a postgresql setup by default with trust authentication, and only local connections are allowed. In fact the initdb is run at the first 'service postgresql start'; we assume the sysadmin will set it up. But if you (the postgresql team) have any other preference (this can help new users have the software set up the way all the documentation says), just warn me; I have no problem with such a change (I am the maintainer of postgresql for Mandriva, so I have control over this).

> It was pointed out to
> me recently that this does not work real well anymore on Fedora. It's
> fine on Unix-socket connections but fails entirely on localhost TCP,
> because (1) the TCP ident daemon isn't started by default (even assuming
> you installed it), and (2) if it is running, the default arguments for
> it include "-E" which causes it to return an encrypted version of the
> username. So authentication will always fail.

ident is a really old protocol; it is nice to avoid making users enter their password for local connections, but it is completely untrusted from a remote computer. Most admins will simply say that running identd is only a way to have security issues, and it is often filtered; hopefully nobody filters it on the loopback interface :)

> * I'm inclined to make the Red Hat RPMs default to ident on socket and
> md5 on localhost ... any comments about that?
>

Nothing really, except I agree (as user and as packager), and again, if you have a preference about the default method distributions should provide, just say so; I'll do it for Mandriva in my case.
Tom Lane wrote:
> * I'm inclined to make the Red Hat RPMs default to ident on socket and
> md5 on localhost ... any comments about that?

I typically use something like this on RH platforms and friends for the system db cluster:

	local   all   postgres   ident sameuser
	local   all   all        md5
	host    all   all        127.0.0.1/32   md5

Not using ident on tcp connections would be a good thing. I think an extra initdb switch is probably warranted.

cheers

andrew