Michael Fuhr writes:
> [...]
> The "ident sameuser" method causes the backend to ask the OS what
> user is at the other end of the Unix socket. If the OS username
> matches the database username then the connection is authenticated;
> otherwise it's rejected. You can use pg_ident.conf to define other
> OS-user-to-database-user mappings.

Thanks for the example. I'd seen comments about that, but been tripped up by an off-the-cuff comment in a Google hit that it depends on an ident daemon. Given your example above, I searched for, and found, the ident section of the PostgreSQL docs:

http://www.postgresql.org/docs/8.1/interactive/auth-methods.html

which clarified things.

Just for the archives, on TCP connections, ident is NOT to be trusted (at least not necessarily) as it does rely on an ident daemon and a trustworthy client. However, on local connections the docs say:

    On systems supporting SO_PEERCRED requests for Unix-domain sockets
    (currently Linux, FreeBSD, NetBSD, OpenBSD, and BSD/OS), ident
    authentication can also be applied to local connections. In this
    case, no security risk is added by using ident authentication;
    indeed it is a preferable choice for local connections on such
    systems.

So it sounds like it's a better way to go.

Thanks!

g.

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
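
The check discussed in this message, as an added example that is not part of the original post and not PostgreSQL's own code: a server reads the peer's credentials from the kernel over a Unix-domain socket and applies a "sameuser" or mapped comparison. It assumes Linux (`SO_PEERCRED` returning `struct ucred`); the function names and the `IDENT_MAPS` table standing in for pg_ident.conf are hypothetical.

```python
import os
import pwd
import socket
import struct

# Constructed stand-in for pg_ident.conf: map name -> {OS user: allowed DB users}.
IDENT_MAPS = {"admins": {"root": {"postgres"}}}

def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket.

    The values come from the kernel, not from anything the client sends,
    which is why no ident daemon is involved for local connections.
    """
    size = struct.calcsize("iII")  # struct ucred: pid_t, uid_t, gid_t
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size)
    return struct.unpack("iII", raw)

def os_username(uid):
    """Resolve a uid to a login name, or None if it has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None

def ident_allows(os_user, db_user, map_name="sameuser"):
    """'sameuser' requires identical names; other maps are looked up."""
    if os_user is None:
        return False
    if map_name == "sameuser":
        return os_user == db_user
    return db_user in IDENT_MAPS.get(map_name, {}).get(os_user, set())

def authenticate(conn, db_user, map_name="sameuser"):
    """Accept the connection only if the kernel-reported user may be db_user."""
    _pid, uid, _gid = peer_credentials(conn)
    return ident_allows(os_username(uid), db_user, map_name)

def demo():
    # Both ends of a socketpair belong to this process, so the peer is "us".
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        me = os_username(os.getuid()) or "unknown"
        return authenticate(server, me), authenticate(server, me + "_other")
    finally:
        server.close()
        client.close()

if __name__ == "__main__":
    print(demo())
```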
