Re: Let people set host(no)ssl settings from initdb - Mailing list pgsql-hackers
| From | David Fetter |
|---|---|
| Subject | Re: Let people set host(no)ssl settings from initdb |
| Date | |
| Msg-id | 20200117194748.GI32763@fetter.org Whole thread Raw |
| In response to | RE: Let people set host(no)ssl settings from initdb ("tsunakawa.takay@fujitsu.com" <tsunakawa.takay@fujitsu.com>) |
| Responses |
Re: Let people set host(no)ssl settings from initdb
|
| List | pgsql-hackers |
On Wed, Jan 08, 2020 at 02:53:47AM +0000, tsunakawa.takay@fujitsu.com wrote: > From: David Fetter <david@fetter.org> > > > But I see two problems with the proposed approach: (1) initdb > > > doesn't support setting up SSL, so the only thing you can achieve > > > here is to reject all TCP/IP connections, until you have set up SSL. > > > > I don't believe any special setup is needed to require TLS for the > > connection, which is what this patch handles in a straightforward way. > > I think this feature can be useful because it's common to reject remote non-TLS connections. Eliminating the need to scriptfor pg_hba.conf is welcome. Setting GUC parameters just after initdb is relatively easy, because we can simply addlines at the end of postgresql.conf. But pg_hba.conf is not because the first matching entry is effective. > > In terms of rejecting non-secure remote connections, should hostgssenc/hostnogssenc also be handled similarly? Yes, and they are in the enclosed patch. > > > (2) The default pg_hba.conf only covers localhost connections. > > > > As of this patch, it can be asked to cover all connections. > > + <term><option>--auth-hostssl=<replaceable class="parameter">authmethod</replaceable></option></term> > + <listitem> > + <para> > + This option specifies the authentication method for users via > fg > + TLS connections used in <filename>pg_hba.conf</filename> > + (<literal>hostssl</literal> lines). > + </para> > + </listitem> > > The relationship between --auth/--auth-local/--auth-host and --auth-hostssl/--auth-hostnossl is confusing. The formeris for local connections, and the latter is for remote ones. Can we just add "remote" in the above documentation? Done. > Plus, you're adding the first option to initdb that handles remote connections. As the following execution shows, it doesn'twarn about using "trust" for remote connections. > > > $ initdb --auth=md5 --pwprompt --auth-hostssl=trust --auth-hostnossl=trust > ... > syncing data to disk ... ok > > Success. You can now start the database server using: > > pg_ctl -D /tuna/pg2 -l logfile start > > > > I think we should emit a warning message like the following existing one: > > -------------------------------------------------- > initdb: warning: enabling "trust" authentication for local connections > You can change this by editing pg_hba.conf or using the option -A, or > --auth-local and --auth-host, the next time you run initdb. > - > initdb: warning: enabling "trust" authentication Done. Best, David. -- David Fetter <david(at)fetter(dot)org> http://fetter.org/ Phone: +1 415 235 3778 Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
pgsql-hackers by date: