postgresql's 502.pgsql periodic script and passwords
George Hartzell
hartzell at alerce.com
Wed Jan 31 17:44:12 UTC 2007
Michael Fuhr writes:
> [...]
> The "ident sameuser" method causes the backend to ask the OS what
> user is at the other end of the Unix socket. If the OS username
> matches the database username then the connection is authenticated;
> otherwise it's rejected. You can use pg_ident.conf to define other
> OS-user-to-database-user mappings.
Thanks for the example. I'd seen comments about that, but been
tripped up by an off-the-cuff comment in a Google hit that it depends
on an ident daemon.
Given your example above, I searched for, and found, the ident section
of the PostgreSQL docs:
http://www.postgresql.org/docs/8.1/interactive/auth-methods.html
which clarified things.
Just for the archives, on TCP connections, ident is NOT to be trusted
(at least not necessarily) as it does rely on an ident daemon and a
trustworthy client.
However, on local connections the docs say:
On systems supporting SO_PEERCRED requests for Unix-domain sockets
(currently Linux, FreeBSD, NetBSD, OpenBSD, and BSD/OS), ident
authentication can also be applied to local connections. In this
case, no security risk is added by using ident authentication;
indeed it is a preferable choice for local connections on such
systems.
So it sounds like it's a better way to go.
Thanks!
g.
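The distinction above (ident on a `local` line asks the kernel for the peer's uid; ident on a `host` line asks a daemon on the client's machine) can be made concrete with a small model. The following is an added example written for this archive page, not code from the thread or from PostgreSQL: it parses constructed pg_hba.conf and pg_ident.conf fragments in the 8.1 layout, answers "which line matches, and is this OS user allowed to be this database user" the way the backend's first-match rule does, reads the peer uid with SO_PEERCRED (Linux only; FreeBSD exposes the same fact as LOCAL_PEERCRED, which is not modelled), and flags any `host*` line that uses ident. The map name `adminmap`, the user names in the ident map, and the 10.0.0.0/8 network are all made up for the example.

```python
"""Toy model of PostgreSQL 8.1 'ident' authentication (constructed example).

Not PostgreSQL code. 'local' lines are trustworthy because the kernel supplies
the peer's uid via SO_PEERCRED; 'host' lines are not, because the identd
answer comes from a machine the client controls. SO_PEERCRED is Linux-only.
"""
import pwd
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed pg_hba.conf. 'local' lines have no CIDR column; first match wins.
PG_HBA = """\
# TYPE  DATABASE  USER  CIDR-ADDRESS  METHOD
local   postgres  all                 ident adminmap
local   all       all                 ident sameuser
host    all       all   10.0.0.0/8    ident sameuser
"""

# Constructed pg_ident.conf: MAPNAME  IDENT-USERNAME  PG-USERNAME (made-up names)
PG_IDENT = """\
adminmap  root      postgres
adminmap  hartzell  postgres
"""

HOST_TYPES = {"host", "hostssl", "hostnossl"}


@dataclass
class HbaEntry:
    conn_type: str
    database: str
    user: str
    cidr: Optional[str]
    method: str
    option: Optional[str]


def parse_hba(text):
    """Parse pg_hba.conf lines into entries, preserving file order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        conn_type, database, user = tokens[0], tokens[1], tokens[2]
        if conn_type in HOST_TYPES:
            cidr, rest = tokens[3], tokens[4:]   # host lines carry a CIDR column
        else:
            cidr, rest = None, tokens[3:]        # local lines do not
        option = rest[1] if len(rest) > 1 else None
        entries.append(HbaEntry(conn_type, database, user, cidr, rest[0], option))
    return entries


def parse_ident(text):
    """Parse pg_ident.conf into a set of (map, os_user, db_user) triples."""
    return {tuple(t) for t in (l.split() for l in text.splitlines())
            if len(t) == 3 and not t[0].startswith("#")}


def _field_matches(pattern, value):
    return pattern == "all" or value in pattern.split(",")


def hba_entry_for(entries, conn_type, database, db_user):
    """First matching pg_hba.conf line, as the backend would select it."""
    for e in entries:
        if (e.conn_type == conn_type and _field_matches(e.database, database)
                and _field_matches(e.user, db_user)):
            return e
    return None


def ident_allowed(map_name, os_user, db_user, ident_triples):
    """'sameuser' requires OS user == DB user; any other map is looked up."""
    if map_name == "sameuser":
        return os_user == db_user
    return (map_name, os_user, db_user) in ident_triples


def peer_os_user(sock):
    """Ask the kernel who is on the other end of a Unix-domain socket.

    Linux struct ucred is {pid_t pid; uid_t uid; gid_t gid;}. Returns None
    where SO_PEERCRED is unavailable or the uid has no passwd entry.
    """
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("iII"))
    _pid, uid, _gid = struct.unpack("iII", raw)
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def authenticate_local(sock, database, db_user, hba_text=PG_HBA, ident_text=PG_IDENT):
    """Decide a local (Unix socket) connection the way an ident line would."""
    entry = hba_entry_for(parse_hba(hba_text), "local", database, db_user)
    if entry is None or entry.method != "ident":
        return False  # only the 'ident' method is modelled here
    os_user = peer_os_user(sock)
    if os_user is None:
        return False
    # Missing map argument is treated as 'sameuser' in this model (assumption).
    return ident_allowed(entry.option or "sameuser", os_user, db_user, parse_ident(ident_text))


def lint_hba(hba_text=PG_HBA):
    """Flag 'ident' on TCP lines: it trusts an identd the client host controls."""
    return [f"{e.conn_type} {e.database} {e.user} {e.cidr}: "
            "ident over TCP depends on the client's identd"
            for e in parse_hba(hba_text)
            if e.conn_type in HOST_TYPES and e.method == "ident"]


def local_socketpair():
    """Constructed stand-in for a client connected over the Unix socket."""
    return socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)


if __name__ == "__main__":
    server, _client = local_socketpair()
    print("kernel says the peer is:", peer_os_user(server))
    print("hba warnings:", lint_hba())
```

The point the model makes is that `peer_os_user` never talks to the client: the uid comes from the same kernel that runs the backend, so a local client cannot claim to be someone else, whereas the `host ... ident` line can only be as honest as the identd on 10.0.0.0/8.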