Re: Logging of matching pg_hba.conf entry during auth skips trust auth, potential security issue
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Jacob Champion <jchampion@timescale.com>
Cc: Shaun Thomas <shaun.thomas@enterprisedb.com>, Michael Paquier <michael@paquier.xyz>, pgsql-hackers@postgresql.org
Date: 2023-08-17T16:01:26Z
Lists: pgsql-hackers
Greetings, * Jacob Champion (jchampion@timescale.com) wrote: > Maybe something like the attached? > - I used the phrasing "connection not authenticated" in the hopes that > it's a bit more greppable than just "connection", especially in > combination with the existing "connection authenticated" lines. That doesn't seem quite right ... admittedly, 'trust' isn't performing authentication but there can certainly be an argument made that the basic 'matched a line in pg_hba.conf' is a form of authentication, and worse really, saying 'not authenticated' would seem to imply that we didn't allow the connection when, really, we did, and that could be confusing to someone. Maybe 'connection allowed' instead..? Thanks, Stephen
Commits
-
Generate new LOG for "trust" connections under log_connections
- e48b19c5db31 17.0 landed
-
Add some information about authenticated identity via log_connections
- 9afffcb833d3 14.0 cited