pg_hba.conf and secondary password file

Started by Bruce Momjian, about 24 years ago, 3 messages, general
#1 Bruce Momjian
bruce@momjian.us

Right now, we support a secondary password file reference in
pg_hba.conf.

If the file contains only usernames, we assume that it is the list of
valid usernames for the connection. If it contains usernames and
passwords, like /etc/passwd, we assume these are the passwords to be
used for the connection. Such connections must pass the unencrypted
passwords over the wire so they can be matched against the file;
'password' encryption in pg_hba.conf.

Is it worth keeping this password capability in 7.3? It requires
'password' in pg_hba.conf, which is not secure, and I am not sure how
many OS's still use crypt in /etc/passwd anyway. Removing the feature
would clear up pg_hba.conf options a little.

The ability to specify usernames in pg_hba.conf or in a secondary file
is being added to pg_hba.conf anyway, so it is really only the password
part that we have to decide to keep or remove.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026
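
Added example, not part of the original post and not PostgreSQL code: a small audit of 7.2-style pg_hba.conf records that finds every `password` record and reports whether its secondary file holds usernames only or usernames with passwords, the two cases described above. The sample records, file names and file contents are constructed, and the colon-separated layout of the secondary file is an assumption based on the "like /etc/passwd" description.

```python
# Added example: audit 7.2-era pg_hba.conf records (no USER column).
# Record layouts assumed:
#   local   DBNAME                 AUTH_TYPE [AUTH_ARGUMENT]
#   host    DBNAME IP_ADDR IP_MASK AUTH_TYPE [AUTH_ARGUMENT]

def parse_hba(text):
    """Yield (lineno, conn_type, method, auth_arg) for each record."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments
        if not fields:
            continue
        idx = 2 if fields[0] == "local" else 4  # position of AUTH_TYPE
        if len(fields) <= idx:
            continue                            # malformed record, skip
        arg = fields[idx + 1] if len(fields) > idx + 1 else None
        yield lineno, fields[0], fields[idx], arg

def classify_secondary(text):
    """Return 'passwords' if any entry has a non-empty second
    colon-separated field, otherwise 'usernames'."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) > 1 and parts[1]:
            return "passwords"
    return "usernames"

def audit(hba_text, files):
    """List records using 'password' (cleartext on the wire) together
    with the kind of secondary file they reference, if any."""
    findings = []
    for lineno, ctype, method, arg in parse_hba(hba_text):
        if method != "password":
            continue
        kind = classify_secondary(files[arg]) if arg in files else None
        findings.append((lineno, ctype, arg, kind))
    return findings

# Constructed sample input (hypothetical databases, networks and files).
SAMPLE_HBA = """\
# constructed sample, 7.2-style records
local   all                                   trust
host    all    127.0.0.1    255.255.255.255   md5
host    sales  192.168.1.0  255.255.255.0     password  sales_users
host    hr     192.168.2.0  255.255.255.0     password  hr_passwd
"""
SAMPLE_FILES = {
    "sales_users": "alice\nbob\n",                             # usernames only
    "hr_passwd": "carol:ab01FAX.bQRSU\ndave:xy9pLmN3kQz1E\n",  # constructed hashes
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HBA, SAMPLE_FILES):
        print(finding)
```

Both flagged records use `password`, so the client's password crosses the wire unencrypted in either case; the second value only tells you which records depend on the secondary-file password capability under discussion.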
#2 Dave [Hawk-Systems]
dave@hawk-systems.com
In reply to: Bruce Momjian (#1)
Re: pg_hba.conf and secondary password file

Could you have multiple such references?

for example,
- one entry/file with the postgres user only listed in it which enables trust for the postgres user without password challenge
- second entry/file with local users who are allowed with password

Final goal for us listed in next post.

Dave


#3 Bruce Momjian
bruce@momjian.us
In reply to: Dave [Hawk-Systems] (#2)
Re: pg_hba.conf and secondary password file

I don't quite understand the question, but you can have multiple
usernames listed or in the file, and you can have multiple lines in
pg_hba.conf.

-- 
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026