No password prompt for postgresql superuser No password prompt for postgresql superuser postgresql postgresql

No password prompt for postgresql superuser


database postgresql authentication postgresql-9.1

Your pg_hba.conf should indeed require a password for unix socket connections, but there are still ways around it that you should verify:

  1. a .pgpass file in the postgres home directory containing the password (also check the PGPASSFILE environment variable for a non-standard path).

  2. the PGPASSWORD environment variable could be set.

And there's also the possibility that you're editing the wrong pg_hba.conf file.When connected as postgres, the correct path can be obtained for verification with the SHOW hba_file SQL command.

Also, you may want to check the log file, /var/log/postgresql/postgresql-9.1-main.log for confirmation that the configuration files are reloaded when you ask for it, and look for any suspect message during the authentication.

As for the reason why passwordless connections with the postgres user are common, the debian PG-9.1 pg_hba.conf has this comment about disallowing them:

# DO NOT DISABLE!  # If you change this first entry you will need to make sure that the  # database superuser can access the database using some other method.  # Noninteractive access to all databases is required during automatic  # maintenance (custom daily cronjobs, replication, and similar tasks).  #  # Database administrative login by Unix domain socket  local   all             postgres                                peer

Since Debian and Ubuntu use the same postgres packages, this applies to Ubuntu as well.

database postgresql authentication postgresql-9.1

Re your odd behaviour, I think you've missed a line of pg_hba.conf that's specific to the postgres user. Please show the output of:

grep '^[^#]' pg_hba.conf

As for ident vs md5; personally I prefer ident for interactive use in development, and it's fine for normal users, but I don't think giving access to the postgres user via sudo is a great idea. Both sudo -u postgres psql and psql -U postgres -W grant access to the postgres superuser role and thus file system access as the database user. Neither require a root password, and sudo can easily be constrained via sudoers to limit the invoking user to just running psql. However, with sudo -u postgres psql the client code runs as postgres too, so it's a bigger attack surface, and there's always the chance of the user finding a way to bypass your sudoer limits.

I use ident in dev, md5 in production.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last