Re: Logging of matching pg_hba.conf entry during auth skips trust auth, potential security issue
Jacob Champion <jchampion@timescale.com>
From: Jacob Champion <jchampion@timescale.com>
To: Michael Paquier <michael@paquier.xyz>
Cc: Stephen Frost <sfrost@snowman.net>, Robert Haas <robertmhaas@gmail.com>, Shaun Thomas <shaun.thomas@enterprisedb.com>, pgsql-hackers@postgresql.org
Date: 2023-08-21T17:49:16Z
Lists: pgsql-hackers
On Sun, Aug 20, 2023 at 4:58 PM Michael Paquier <michael@paquier.xyz> wrote: > Attached is a v3 to do these two things, with adjustments for two SSL > tests. Any objections about it? (Sorry for the long weekend delay.) No objections; you may want to adjust the comment above the test block in t/001_password.pl, as well. I will ask -- more as a rhetorical question than something to resolve for this patch, since the topic is going to come back with a vengeance for OAuth -- what purpose the consistency here is serving. If the OP wants to notice when a connection that should be using strong authentication is not, is it helpful to make that connection "look the same" in the logs? I understand we've been carrying the language "trust authentication method" for a long time, but is that really the only hang-up, or would there be pushback if I tried to change that too, sometime in the future? Thanks, --Jacob
Commits
-
Generate new LOG for "trust" connections under log_connections
- e48b19c5db31 17.0 landed
-
Add some information about authenticated identity via log_connections
- 9afffcb833d3 14.0 cited