On 5/23/19 6:47 PM, Jonathan S. Katz wrote:
> On 5/23/19 12:54 PM, Peter Eisentraut wrote:
>> On 2019-04-06 20:08, Noah Misch wrote:
>>>>> I think we should just change the defaults.  There is a risk of warning
>>>>> fatigue.  initdb does warn about this, so anyone who cared could have
>>>>> gotten the information.
>>>>>
>>>>
>>>> I've been suggesting that for years, so definite strong +1 for doing that.
>>>
>>> +1
>>
>> To recap, the idea here was to change the default authentication methods
>> that initdb sets up, in place of "trust".
>>
>> I think the ideal scenario would be to use "peer" for local and some
>> appropriate password method (being discussed elsewhere) for host.
> 
> +1.
> 
>> Looking through the buildfarm, I gather that the only platforms that
>> don't support peer are Windows, AIX, and HP-UX.  I think we can probably
>> figure out some fallback or alternative default for the latter two
>> platforms without anyone noticing.  But what should the defaults be on
>> Windows?  It doesn't have local sockets, so the lack of peer wouldn't
>> matter.  But is it OK to default to a password method, or would that
>> upset people particularly?
> 
> +1 for password method. Definitely better than trust :)

Attached is v2 of the patch.

For now I have left in the password-based method to be scram-sha-256 as
I am optimistic about the support across client drivers[1] (and FWIW I
have an implementation for crystal-pg ~60% done).

However, this probably means we would need to set the default password
encryption guc to "scram-sha-256" which we're not ready to do yet, so it
may be moot to leave it in.

So, thinking out loud about that, we should probably use "md5" and once
we decide to make the encryption method "scram-sha-256" by default, then
we update the recommendation?

Thanks,

Jonathan
From d610f4e575b6ee634b94dc6cb9125c4dbaedc305 Mon Sep 17 00:00:00 2001
From: "Jonathan S. Katz" <jonathan.k...@excoventures.com>
Date: Fri, 5 Apr 2019 12:02:40 -0400
Subject: [PATCH] Add a warning about the client authentication defaults that
 initdb provides.

This also provides advice on how to securely set up initial client connection
configurations, and removes the section that explains similar steps that is
below the directory setup. This information should be around where it's explained
how initdb is first called, anyway.
---
 doc/src/sgml/runtime.sgml | 46 +++++++++++++++++++++++++---------------------
 1 file changed, 25 insertions(+), 21 deletions(-)

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index e053e2ee34..040aacf87f 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -85,6 +85,31 @@
    described in the previous section.
   </para>
 
+  <warning>
+    <para>
+      By default <command>initdb</command> sets up <literal>trust</literal>
+      client authentication for connecting to the database. This is not
+      recommended on multi-user systems where you do not trust all users, nor 
if
+      the database server will be made accessible to remote systems.
+    </para>
+    <para>
+      We recommend using the <option>-W</option>, <option>--pwprompt</option>,
+      or <option>--pwfile</option> flags to assign a password to the database
+      superuser, and to override the <filename>pg_hba.conf</filename> default
+      generation using <option>-auth-local peer</option> for local connections,
+      (except on Windows, use <option>-auth-local scram-sha-256</option> as
+      peer authentication is not supported) and
+      <option>-auth-host scram-sha-256</option> for remote connections. See
+      <xref linkend="client-authentication"/> for more information on client
+      authentication methods.
+    </para>
+    <para>
+      If installing PostgreSQL from a distribution, we recommend you validate
+      your initially generated <filename>pg_hba.conf</filename> file to ensure
+      it meets your operational requirements.
+    </para>
+  </warning>
+
   <tip>
    <para>
     As an alternative to the <option>-D</option> option, you can set
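Review bot: the option names in the second <para> of the new <warning> are spelled with a single dash, <option>-auth-local peer</option> and <option>-auth-host scram-sha-256</option>, while <option>--pwprompt</option> and <option>--pwfile</option> in the same sentence carry two, so the rendered advice is inconsistent with initdb's long-option form; write <option>--auth-local=peer</option> and <option>--auth-host=scram-sha-256</option>. The Windows parenthetical also points readers at <option>-auth-local</option>, but the quoted discussion above states that Windows has no local sockets, so it is the host method that matters there and the parenthetical should either say that or be dropped. The reply body above further notes that recommending scram-sha-256 depends on the password_encryption default, which is not yet scram-sha-256; the warning should state which password_encryption setting it assumes so that a superuser password assigned with <option>-W</option> or <option>--pwfile</option> matches the method written into <filename>pg_hba.conf</filename>. Minor: the line ending in "nor " carries trailing whitespace.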
@@ -155,27 +180,6 @@ postgres$ <userinput>initdb -D 
/usr/local/pgsql/data</userinput>
    for directories and <literal>0640</literal> for files.
   </para>
 
-  <para>
-   However, while the directory contents are secure, the default
-   client authentication setup allows any local user to connect to the
-   database and even become the database superuser. If you do not
-   trust other local users, we recommend you use one of
-   <command>initdb</command>'s <option>-W</option>, <option>--pwprompt</option>
-   or <option>--pwfile</option> options to assign a password to the
-   database superuser.<indexterm>
-     <primary>password</primary>
-     <secondary>of the superuser</secondary>
-   </indexterm>
-   Also, specify <option>-A md5</option> or
-   <option>-A password</option> so that the default <literal>trust</literal> 
authentication
-   mode is not used; or modify the generated <filename>pg_hba.conf</filename>
-   file after running <command>initdb</command>, but
-   <emphasis>before</emphasis> you start the server for the first time. (Other
-   reasonable approaches include using <literal>peer</literal> authentication
-   or file system permissions to restrict connections. See <xref
-   linkend="client-authentication"/> for more information.)
-  </para>
-
   <para>
    <command>initdb</command> also initializes the default
    locale<indexterm><primary>locale</primary></indexterm> for the database 
cluster.
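Review bot: the removed paragraph carried the <indexterm> for <primary>password</primary> / <secondary>of the superuser</secondary>, and the new <warning> in the earlier hunk does not re-add it, so the index entry is lost; move the <indexterm> into the new <para> that mentions <option>-W</option>, <option>--pwprompt</option> and <option>--pwfile</option>. The deleted text also told readers they may edit the generated <filename>pg_hba.conf</filename> after running <command>initdb</command> but <emphasis>before</emphasis> starting the server for the first time, and that file system permissions are another way to restrict connections; the replacement only advises validating a distribution-generated file, so the timing advice and the permissions alternative should be carried over rather than dropped.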
-- 
2.14.3 (Apple Git-98)
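As an added example that is not part of this patch, the thread, or PostgreSQL itself: a POSIX shell audit of a <filename>pg_hba.conf</filename> for the <literal>trust</literal> entries initdb writes by default, beside the <option>--auth-local=peer</option> / <option>--auth-host=scram-sha-256</option> invocation the proposed warning recommends. The two pg_hba.conf samples are constructed here to approximate initdb's default and hardened output; the data directory and password-file paths are placeholders, and initdb is never executed.

```shell
#!/bin/sh
# Added example, not part of the patch or of PostgreSQL: audit a pg_hba.conf
# for the "trust" lines that initdb writes by default, and print the hardened
# initdb invocation the proposed warning recommends. initdb itself is not run.

# Constructed sample approximating initdb's default output (no --auth-local /
# --auth-host given). Column layout assumed to follow pg_hba.conf.sample.
DEFAULT_HBA=$(cat <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            trust
host    replication     all             ::1/128                 trust
EOF
)

# Constructed sample of the same file after
# initdb --auth-local=peer --auth-host=scram-sha-256.
HARDENED_HBA=$(cat <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            scram-sha-256
host    all             all             ::1/128                 scram-sha-256
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            scram-sha-256
host    replication     all             ::1/128                 scram-sha-256
EOF
)

# hba_audit: read pg_hba.conf text on stdin, print one line per entry whose
# METHOD is "trust" (no authentication at all) or "password" (cleartext on
# the wire), and return 1 if any such entry exists, 0 otherwise. "local"
# lines have no ADDRESS column, so METHOD is field 4 there and field 5 for
# host/hostssl/hostnossl lines.
hba_audit() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }
        {
            method = ($1 == "local") ? $4 : $5
            if (method == "trust" || method == "password") {
                printf "weak: line %d: %s\n", NR, $0
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# count_weak: number of weak entries in the config on stdin.
count_weak() {
    hba_audit | wc -l | tr -d ' '
}

# initdb_cmd: the invocation the warning recommends, for data directory $1
# and superuser password file $2 (both placeholders chosen by the caller).
# On Windows there are no "local" lines, so only --auth-host applies there.
initdb_cmd() {
    printf 'initdb -D %s --pwfile=%s --auth-local=peer --auth-host=scram-sha-256\n' "$1" "$2"
}

# Stand-alone run: audit the default sample, then show the fix.
if ! printf '%s\n' "$DEFAULT_HBA" | hba_audit; then
    echo "default pg_hba.conf permits unauthenticated connections; re-run as:"
    initdb_cmd /usr/local/pgsql/data /root/pgsuper.pw
fi
```

Run it against a real cluster with <literal>hba_audit &lt; $PGDATA/pg_hba.conf</literal> before the first server start; a non-zero exit means at least one line still grants access without authentication, which is the case the warning's last paragraph asks distribution users to check for.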
