The default values included with postgresql-15 on Debian 12 are:
```
# Database administrative login by Unix domain socket
local   all             postgres                                peer
# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            scram-sha-256
# IPv6 local connections:
host    all             all             ::1/128                 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            scram-sha-256
host    replication     all             ::1/128                 scram-sha-256
```
The provided defaults set in postgresql_hba_entries are outdated in comparison:
```yaml
# Host based authentication (hba) entries to be added to the pg_hba.conf. This
# variable's defaults reflect the defaults that come with a fresh installation.
postgresql_hba_entries:
  - {type: local, database: all, user: postgres, auth_method: peer}
  - {type: local, database: all, user: all, auth_method: peer}
  - {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: "{{ postgresql_auth_method }}"}
  - {type: host, database: all, user: all, address: '::1/128', auth_method: "{{ postgresql_auth_method }}"}
```
In particular:
- `md5` appears to be the default if `ansible_fips` is false, which contradicts the more secure default of `scram-sha-256`
- replication entries are missing.
As mentioned in #76, it would be useful to be able to append entries to the defaults, instead of overriding.
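
The drift described in this issue can be checked mechanically. The following is an added example, not code from the issue or from the role: it parses `pg_hba.conf` text and reports rules whose method is weaker than `scram-sha-256`, plus baseline rules that are absent. `ROLE_RENDERED` is a constructed assumption of what the role defaults produce when `postgresql_auth_method` resolves to `md5`; the function names are hypothetical, and only the CIDR address form is handled.

```python
WEAK_METHODS = {"trust", "password", "md5"}  # weaker than scram-sha-256

# Constructed sample: Debian 12 / postgresql-15 defaults as quoted in the issue.
DEBIAN_DEFAULT = """\
local all postgres peer
local all all peer
host all all 127.0.0.1/32 scram-sha-256
host all all ::1/128 scram-sha-256
local replication all peer
host replication all 127.0.0.1/32 scram-sha-256
host replication all ::1/128 scram-sha-256
"""

# Constructed sample (assumption): the role defaults rendered with
# postgresql_auth_method resolving to md5.
ROLE_RENDERED = """\
# managed by Ansible
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
"""

def parse_hba(text):
    """Return (type, database, user, address, method) tuples; CIDR form only."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "local" and len(fields) >= 4:
            # "local" rules have no address column
            rules.append((fields[0], fields[1], fields[2], "", fields[3]))
        elif fields[0] != "local" and len(fields) >= 5:
            rules.append(tuple(fields[:5]))
    return rules

def audit(rendered, baseline):
    """Return (weak_rules, missing_rules) for rendered vs. baseline."""
    have = parse_hba(rendered)
    weak = [r for r in have if r[4] in WEAK_METHODS]
    # Match on everything except the method, so a downgraded method is
    # reported as weak rather than as a missing rule.
    keys = {r[:4] for r in have}
    missing = [r for r in parse_hba(baseline) if r[:4] not in keys]
    return weak, missing

if __name__ == "__main__":
    weak, missing = audit(ROLE_RENDERED, DEBIAN_DEFAULT)
    print("weak:", weak, "\nmissing:", missing)
```
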
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read this blog post to see the reasons why I mark issues as stale.