From owner-freebsd-ports@FreeBSD.ORG Wed Jan 31 17:44:11 2007
Return-Path:
X-Original-To: freebsd-ports@freebsd.org
Delivered-To: freebsd-ports@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id E4D7A16A401 for ; Wed, 31 Jan 2007 17:44:11 +0000 (UTC) (envelope-from hartzell@alerce.com)
Received: from merlin.alerce.com (merlin.alerce.com [64.62.142.94]) by mx1.freebsd.org (Postfix) with ESMTP id C995313C4A6 for ; Wed, 31 Jan 2007 17:44:11 +0000 (UTC) (envelope-from hartzell@alerce.com)
Received: from merlin.alerce.com (localhost [127.0.0.1]) by merlin.alerce.com (Postfix) with ESMTP id E67E233C5D; Wed, 31 Jan 2007 09:44:17 -0800 (PST)
Received: from satchel.alerce.com (w092.z064001164.sjc-ca.dsl.cnc.net [64.1.164.92]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "satchel.alerce.com", Issuer "alerce.com" (verified OK)) by merlin.alerce.com (Postfix) with ESMTP id A25C833C5B; Wed, 31 Jan 2007 09:44:17 -0800 (PST)
Received: from satchel.alerce.com (localhost [127.0.0.1]) by satchel.alerce.com (8.13.8/8.13.8) with ESMTP id l0VHkP8o040669 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 31 Jan 2007 09:46:25 -0800 (PST) (envelope-from hartzell@satchel.alerce.com)
Received: (from hartzell@localhost) by satchel.alerce.com (8.13.8/8.13.8/Submit) id l0VHkODC040660; Wed, 31 Jan 2007 09:46:24 -0800 (PST) (envelope-from hartzell)
From: George Hartzell
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <17856.54768.37988.505731@satchel.alerce.com>
Date: Wed, 31 Jan 2007 09:46:24 -0800
To: Michael Fuhr
In-Reply-To: <20070131061541.GA24386@winnie.fuhr.org>
References: <20070130010910.GA90927@winnie.fuhr.org> <17855.37182.608042.111363@satchel.alerce.com> <20070131061541.GA24386@winnie.fuhr.org>
X-Mailer: VM 7.19 under 21.4 (patch 20) "Double Solitaire" XEmacs Lucid
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: George Hartzell, freebsd-ports@freebsd.org, Bill Moran
Subject: Re: postgresql's 502.pgsql periodic script and passwords
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: hartzell@alerce.com
List-Id: Porting software to FreeBSD
X-List-Received-Date: Wed, 31 Jan 2007 17:44:12 -0000

Michael Fuhr writes:
 > [...]
 > The "ident sameuser" method causes the backend to ask the OS what
 > user is at the other end of the Unix socket.  If the OS username
 > matches the database username then the connection is authenticated;
 > otherwise it's rejected.  You can use pg_ident.conf to define other
 > OS-user-to-database-user mappings.

Thanks for the example.  I'd seen comments about that, but had been
tripped up by an off-the-cuff comment in a google hit that it depends
on an ident daemon.

Given your example above, I searched for, and found, the ident section
of the postgresql docs:

  http://www.postgresql.org/docs/8.1/interactive/auth-methods.html

which clarified things.

Just for the archives, on tcp connections, ident is NOT to be trusted
(at least not necessarily) as it does rely on an ident daemon and a
trustworthy client.  However, on local connections the docs say:

  On systems supporting SO_PEERCRED requests for Unix-domain sockets
  (currently Linux, FreeBSD, NetBSD, OpenBSD, and BSD/OS), ident
  authentication can also be applied to local connections.  In this
  case, no security risk is added by using ident authentication;
  indeed it is a preferable choice for local connections on such
  systems.

So it sounds like it's a better way to go.

Thanks!

g.