Re: Use "samehost" by default in pg_hba.conf?

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-hackers(at)postgreSQL(dot)org
Subject: Re: Use "samehost" by default in pg_hba.conf?
Date: 2009-10-01 02:34:10
Message-ID: 20091001023410.GA17756@tamriel.snowman.net
Lists: pgsql-hackers

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Now that the samehost/samenet patch is in, I wonder if it wouldn't be
> a good idea to replace this part of the default pg_hba.conf file:
>
> # IPv4 local connections:
> host all all 127.0.0.1/32 @authmethod@
> # IPv6 local connections:
> host all all ::1/128 @authmethod@
>
> with:
>
> # local connections via TCP/IP:
> host all all samehost @authmethod@
>
> The advantage of this is that connections made with "-h machine_name"
> instead of "-h localhost" would work without customization. I can't
> see any disadvantage to it. Making the change now would also give
> us an opportunity to test the samehost/samenet implementation in the
> buildfarm, at least for machines without Unix sockets.

I'm not sure if it out-ranks the advantages of the change for buildfarm
support, but the above change isn't actually without any disadvantage.
Specifically, not every auth mechanism that works with -h machine_name
works with -h localhost, but the first record in pg_hba which is matched
is used. I could have:

host all all 127.0.0.1/32 @authmethod@
host all all A.B.C.D/32 @authmethod2@

today and a change to:

host all all samehost @authmethod@
host all all A.B.C.D/32 @authmethod2@

could override my authmethod2 and cause connections to fail, since it
isn't intended to be used. Additionally, a user could be confused if
they're familiar with 127.0.0.1/32 and not figure out why a change to
samehost is causing problems.

> (Note that you would still need a non-default setting of
> listen_addresses for "-h machine_name" to actually work.)

In any case, this is about the default pg_hba.conf and what I'm talking
about is KRB5/GSSAPI related (127.0.0.1 may not work if it resolves to
'localhost' because KRB5/GSSAPI auth is based off getting the hostname
of the machine being connected to from the reverse DNS of the IP being
connected to). As such, it's entirely possible that it's completely
irrelevant, but I wanted to bring up that 127.0.0.1->samehost could
cause issues for some folks in some configurations.

Thanks,

Stephen
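The first-match behaviour Stephen describes, as an added illustration that is not part of the thread or of PostgreSQL's own code: a small Python model of how pg_hba.conf picks the record for a TCP/IP connection. It assumes a constructed set of server interface addresses (the mail's A.B.C.D is stood in for by the documentation address 192.0.2.10) and uses "md5" and "gss" as constructed stand-ins for the @authmethod@ / @authmethod2@ template placeholders; only plain `host` records with single database/user names are modelled.

```python
import ipaddress

# Constructed example: the addresses bound to the server's own interfaces.
# "samehost" matches any of these. 192.0.2.10 stands in for A.B.C.D.
LOCAL_ADDRESSES = ["127.0.0.1", "::1", "192.0.2.10"]

# Constructed pg_hba.conf fragments mirroring the mail; "md5"/"gss" are
# stand-ins for @authmethod@ / @authmethod2@.
HBA_BEFORE = """
host all all 127.0.0.1/32 md5
host all all 192.0.2.10/32 gss
"""
HBA_AFTER = """
host all all samehost md5
host all all 192.0.2.10/32 gss
"""


def parse_hba(text):
    """Parse plain 'host' records into (database, user, address_spec, method)
    tuples, preserving file order (order is what decides the match)."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != "host" or len(fields) < 5:
            raise ValueError(f"unsupported or malformed record: {raw!r}")
        _, database, user, address, method = fields[:5]
        records.append((database, user, address, method))
    return records


def address_matches(spec, client_ip, local_addresses=LOCAL_ADDRESSES):
    """True if the record's address field covers client_ip.
    'samehost' = any address of the server itself; otherwise a CIDR block.
    An address family mismatch (IPv6 client vs IPv4 block) never matches."""
    ip = ipaddress.ip_address(client_ip)
    if spec == "samehost":
        return any(ip == ipaddress.ip_address(a) for a in local_addresses)
    return ip in ipaddress.ip_network(spec, strict=False)


def select_auth_method(records, client_ip, database="postgres", user="app"):
    """pg_hba semantics: the FIRST record matching (db, user, address) is
    used and later records are never consulted. Returns None if nothing
    matches (PostgreSQL would reject the connection in that case)."""
    for db, usr, spec, method in records:
        if db not in ("all", database) or usr not in ("all", user):
            continue
        if address_matches(spec, client_ip):
            return method
    return None


def find_shadowed(records):
    """Lint check: single-address records (/32 or /128) that an earlier
    record already matches for the same database/user are unreachable.
    Returns a list of (index, address_spec, method) for each such record."""
    shadowed = []
    for i, (db, usr, spec, method) in enumerate(records):
        if spec == "samehost":
            continue
        net = ipaddress.ip_network(spec, strict=False)
        if net.num_addresses != 1:
            continue
        ip = str(net.network_address)
        for e_db, e_usr, e_spec, _ in records[:i]:
            if e_db in ("all", db) and e_usr in ("all", usr) \
                    and address_matches(e_spec, ip):
                shadowed.append((i, spec, method))
                break
    return shadowed


if __name__ == "__main__":
    for label, text in (("before", HBA_BEFORE), ("after", HBA_AFTER)):
        recs = parse_hba(text)
        print(label, "192.0.2.10 ->", select_auth_method(recs, "192.0.2.10"),
              "| shadowed:", find_shadowed(recs))
```

With the 127.0.0.1/32 record a connection to the server's 192.0.2.10 address reaches the second record and gets "gss"; after the switch to `samehost`, 192.0.2.10 is one of the server's own addresses, so the first record claims it and the "gss" record is never reached, which is exactly the failure Stephen anticipates. `find_shadowed` is the check worth running on a real pg_hba.conf after such an edit.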
