
List:       postgresql-general
Subject:    Re: purpose of an entry in pg_hba.conf file
From:       Atul Kumar <akumar14871 () gmail ! com>
Date:       2023-10-26 18:56:37
Message-ID: CA+ONtZ50gxDPQifxbkeegwB4CCJ_BAwnMR81mzeyu-J6uVgvDw () mail ! gmail ! com

As per the response:

"It allows anyone/anything on the local machine to connect to the database
without authentication.  Whether that impacts any particular one/thing
depends on your personal setup."

There is already one line that serves your stated purpose:
local       all      all                                trust

That's why I specifically raised this question to the PostgreSQL experts
about the line below:
host    all             all             127.0.0.1/32            trust

So I am still not able to find a valid reason for keeping this entry.
Please help me by explaining the same.


Regards,

On Thu, Oct 26, 2023 at 11:56 PM David G. Johnston <
david.g.johnston@gmail.com> wrote:

> Always reply to the list, it is ok to CC individuals.  Also, the
> convention here is to inline post (or bottom if you must) as in my first
> reply; not top-post as you and I have done here.
>
> I'd suggest also putting into your own words what you believe the entry is
> providing/enabling.  Read the relevant documentation for aid in formulating
> such a description.
>
> It allows anyone/anything on the local machine to connect to the database
> without authentication.  Whether that impacts any particular one/thing
> depends on your personal setup.
>
> David J.
>
> On Thu, Oct 26, 2023 at 11:04 AM Atul Kumar <akumar14871@gmail.com> wrote:
>
>> Hi,
>>
>> Could you elaborate more as it seems that your response doesn't satisfy
>> my query which is "what is the exact purpose of this entry and what
>> would be the impact of removing it on other tools/processes like pgbouncer,
>> pem, replication etc  ?"
>>
>> I am yet to understand the impact of removing this entry.
>>
>>
>> Regards.
>>
>> On Thu, Oct 26, 2023 at 5:52 AM David G. Johnston <
>> david.g.johnston@gmail.com> wrote:
>>
>>> On Wed, Oct 25, 2023 at 5:11 PM Atul Kumar <akumar14871@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> As you know already,  pg_hba.conf file always has the below entry after
>>>> successful installation of postgres.
>>>>
>>>> host    all             all             127.0.0.1/32            trust
>>>>
>>>>
>>>> Please let me know what is the exact purpose of this entry and what
>>>> would be the impact of removing it on other tools/processes like pgbouncer,
>>>> pem, replication etc  ?
>>>>
>>>>
>>>>
>>> While that may be a true statement for installation from source I'm
>>> pretty certain most packagers have a more tightly controlled setup that
>>> doesn't involve "trust" authentication.
>>>
>>> The reason behind choosing to include that specific line is to minimize
>>> the amount of post-install effort needed for one to connect to the server
>>> from the local machine, which is often a personal machine with only the
>>> "DBA" having access to it.
>>>
>>> The better and more widely implemented default is requiring a password
>>> for host while accepting peer for local.
>>>
>>> All external tools should be told what credentials to use to connect to
>>> the server and those credentials added to the system and a more restrictive
>>> pg_hba.conf entry added to permit those connections.  All trust connections
>>> in pg_hba.conf should be removed from it as quickly as possible.
>>>
>>> David J.
>>>
>>>
>>>
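
Added example (not part of the original thread and not PostgreSQL's own code): a simplified first-match evaluator for pg_hba.conf showing that the `local` rule covers only Unix-socket connections, while the `host ... 127.0.0.1/32` rule covers TCP connections to loopback, so removing the latter affects only clients that connect over TCP to 127.0.0.1. The 10.0.0.0/8 rule and all function names are assumptions; only `all`, single names and CIDR addresses are handled.

```python
import ipaddress

# Constructed sample: the two trust lines quoted in the thread, plus an
# assumed password-protected LAN rule for contrast.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
host    all       all   10.0.0.0/8     scram-sha-256
"""

def parse_hba(text):
    """Parse the simple form only: 'all' or a single name, CIDR addresses."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":            # Unix-socket rules have no ADDRESS column
            rules.append((lineno, f[0], f[1], f[2], None, f[3]))
        else:
            rules.append((lineno, f[0], f[1], f[2], f[3], f[4]))
    return rules

def first_match(rules, via, db, user, client_ip=None):
    """Return (line, method) of the first applicable rule, or None if rejected.

    via is "socket" (matched by 'local' rules) or "tcp" (matched by 'host').
    """
    wanted = "local" if via == "socket" else "host"
    for lineno, ctype, rdb, ruser, addr, method in rules:
        if ctype != wanted or rdb not in ("all", db) or ruser not in ("all", user):
            continue
        if addr not in (None, "all"):
            net = ipaddress.ip_network(addr, strict=False)
            if ipaddress.ip_address(client_ip) not in net:
                continue
        return lineno, method
    return None

def trust_lines(rules):
    """Line numbers of rules that admit clients without authentication."""
    return [r[0] for r in rules if r[5] == "trust"]

def without_loopback_trust(text):
    """The same file with the 'host ... 127.0.0.1/32 trust' line removed."""
    return "\n".join(l for l in text.splitlines()
                     if l.split() != ["host", "all", "all", "127.0.0.1/32", "trust"])
```

With the loopback `host` line removed, a TCP client on 127.0.0.1 matches no rule and is rejected, while Unix-socket clients still match the `local` line.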
