postgresql's 502.pgsql periodic script and passwords

George Hartzell hartzell at
Wed Jan 31 17:44:12 UTC 2007

Michael Fuhr writes:
 > [...]
 > The "ident sameuser" method causes the backend to ask the OS what
 > user is at the other end of the Unix socket.  If the OS username
 > matches the database username then the connection is authenticated;
 > otherwise it's rejected.  You can use pg_ident.conf to define other
 > OS-user-to-database-user mappings.

Thanks for the example.  I'd seen comments about that, but been
tripped up by an off the cuff comment in a google-hit that it depends
on an ident daemon.

Given your example above, I searched for, and found, the ident section
of the postgresql docs:

which clarified things.

Just for the archives, on tcp connections, ident is NOT to be trusted
(at least not necessarily) as it does rely on an ident daemon and a
trustworthy client.

However, on local connections the docs say:

   On systems supporting SO_PEERCRED requests for Unix-domain sockets
   (currently Linux, FreeBSD, NetBSD, OpenBSD, and BSD/OS), ident
   authentication can also be applied to local connections. In this
   case, no security risk is added by using ident authentication;
   indeed it is a preferable choice for local connections on such

So it sounds like it's a better way to go.



More information about the freebsd-ports mailing list