Date:      Wed, 31 Jan 2007 09:46:24 -0800
From:      George Hartzell <hartzell@alerce.com>
To:        Michael Fuhr <mike@fuhr.org>
Cc:        George Hartzell <hartzell@alerce.com>, freebsd-ports@freebsd.org, Bill Moran <wmoran@collaborativefusion.com>
Subject:   Re: postgresql's 502.pgsql periodic script and passwords
Message-ID:  <17856.54768.37988.505731@satchel.alerce.com>
In-Reply-To: <20070131061541.GA24386@winnie.fuhr.org>
References:  <20070130010910.GA90927@winnie.fuhr.org> <17855.37182.608042.111363@satchel.alerce.com> <20070131061541.GA24386@winnie.fuhr.org>

Michael Fuhr writes:
 > [...]
 > The "ident sameuser" method causes the backend to ask the OS what
 > user is at the other end of the Unix socket.  If the OS username
 > matches the database username then the connection is authenticated;
 > otherwise it's rejected.  You can use pg_ident.conf to define other
 > OS-user-to-database-user mappings.

Thanks for the example.  I'd seen comments about that, but had been
tripped up by an off-the-cuff comment in a Google hit that it depends
on an ident daemon.

Given your example above, I searched for, and found, the ident section
of the postgresql docs:

  http://www.postgresql.org/docs/8.1/interactive/auth-methods.html

which clarified things.

Just for the archives, on tcp connections, ident is NOT to be trusted
(at least not necessarily) as it does rely on an ident daemon and a
trustworthy client.

However, on local connections the docs say:

   On systems supporting SO_PEERCRED requests for Unix-domain sockets
   (currently Linux, FreeBSD, NetBSD, OpenBSD, and BSD/OS), ident
   authentication can also be applied to local connections. In this
   case, no security risk is added by using ident authentication;
   indeed it is a preferable choice for local connections on such
   systems.

So it sounds like it's a better way to go.

Thanks!

g.
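For the archives, here is what the two settings discussed above look like in pg_hba.conf and pg_ident.conf. This is an added example, not configuration from the thread, the FreeBSD port or the PostgreSQL project; it uses the 8.x syntax that the linked docs describe, and the OS/database user names, the `periodic` map name and the data directory are assumptions.

```conf
# ---- pg_hba.conf (PostgreSQL 8.x syntax) --------------------------------
# Lines are tried top to bottom and the FIRST match decides; a later, more
# permissive line never rescues a connection an earlier line rejected.
#
# WEAK (commented out): "ident" on a TCP line makes the server query the
# CLIENT's ident daemon (RFC 1413) for the owner of the connection.  Any
# host that runs its own identd can answer with whatever name it likes, so
# this only authenticates hosts you already trust completely.
#
# TYPE  DATABASE  USER    CIDR-ADDRESS     METHOD
#host   all       all     192.168.0.0/24   ident sameuser

# PREFERRED: on the Unix-domain socket the kernel reports the peer's uid
# (SO_PEERCRED on Linux, getpeereid() on FreeBSD), so no daemon and no
# client cooperation are involved.  "periodic" is an assumed map name,
# defined in pg_ident.conf below; "sameuser" would be the built-in map
# that only allows OS user pgsql -> database user pgsql.
local   all       pgsql                    ident periodic

# Everything else over TCP still needs a password.
host    all       all     127.0.0.1/32     md5

# ---- pg_ident.conf --------------------------------------------------------
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
periodic    pgsql             pgsql
# root runs the periodic(8) jobs and could su to pgsql anyway, so letting
# it connect as the pgsql role directly adds no privilege it lacks.
periodic    root              pgsql
```

Reload the server after editing (`pg_ctl reload -D /usr/local/pgsql/data`, assuming the port's default data directory), then check both paths from a root shell: `psql -U pgsql -d template1 -c 'select current_user'` with no `-h` goes over the socket and succeeds without a password, while the same command with `-h 127.0.0.1` hits the `host ... md5` line and prompts. Note that PostgreSQL 9.1 and later renamed local-socket ident to `peer` and write the map as `peer map=periodic`; `ident` on a TCP line still means the RFC 1413 lookup and carries the same caveat.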
