PG HBA methods

[rausub]

Hi

I was wondering if you can give me the reason for using method "trust" over "peer".

• { type: "local", database: "all", user: "{{ patroni_superuser_username }}", address: "", method: "trust" }
• { type: "local", database: "all", user: "{{ pgbouncer_auth_username }}", address: "", method: "trust" } # required for pgbouncer auth_user
• { type: "local", database: "replication", user: "{{ patroni_replication_username }}", address: "", method: "trust" }
• { type: "local", database: "all", user: "all", address: "", method: "{{ postgresql_password_encryption_algorithm }}" }
• { type: "host", database: "all", user: "all", address: "127.0.0.1/32", method: "{{ postgresql_password_encryption_algorithm }}" }
• { type: "host", database: "all", user: "all", address: "::1/128", method: "{{ postgresql_password_encryption_algorithm }}" }
• { type: "{{ host_type }}", database: "all", user: "all", address: "0.0.0.0/0", method: "{{ postgresql_password_encryption_algorithm }}" }

local specifies Unix domain socket connections (local connections using a file-based socket, not TCP/IP).
Effect:
Any local user can connect to the database as any PostgreSQL user without providing any password or other authentication credentials.
Security Implications:
Insecure in environments where multiple users have shell access to the system. Any user can potentially impersonate any PostgreSQL user (e.g., connect as postgres superuser).

whereas Peer Authentication:
Used for local connections (e.g., via Unix sockets).
Compares the operating system (OS) user running the client application with the PostgreSQL database user.

[vitabaks]

Hi!

Using the trust authentication method for local connections in PostgreSQL is based on the assumption that only authorized users with SSH access have access to the server. If an attacker gains SSH access, they can modify the configuration and connect to the database regardless of the authentication method in use. Therefore, using trust for local connections is considered acceptable in this context. Please note that the parameters provided in the variables are examples and should be tailored to fit your specific requirements.

We recommend purchasing a support package to receive customized recommendations for your database.