On Mon, 9 May 2016 17:50:52 -0400 Scott Mead <scottm@xxxxxxxxxxx> wrote:
> > was thinking of something like this:
> >
> > host all joe@nobody 192.168.151.75/32 password
> > host all all 192.168.151.75/32 ident
> >
> > The "all@nobody" field is meant to specify that the remote user is
> > nobody but that they are connecting as user joe. You would be able
> > to use "all" as well. You don't even need to do an ident check
> > unless the auth method is "trust" which would be silly anyway. In
> > fact "password" is the only method that even makes any sense at all.
>
> So, at a high-level, you want:
>
> - Users deploying php scripts in apache to require a password ( btw
> -- use md5, not password)

I was using "password" in the generic sense.

> - Users running php scripts from their shell accounts to connect with
> no password to the database
>
> Is that correct?

Absolutely not. I am allowing ident authentication for users because I
trust the client machine but require password (md5, whatever) when they
want to connect to their database but I can't confirm who they are.

> Why not just require that everyone use an (again: *md5*) to
> connect? It would be significantly more secure. Is there a
> requirement that shell account users be able to connect without
> providing a password?

They aren't actually shell account users. I have a shell machine too but
this is from the web server. If I require passwords then they have to
store them in their scripts. The scripts can be secured from other users
but not admins and since we don't otherwise know their raw passwords I
wouldn't like to expose them, even to us.

Of course PHP scripts have to run as nobody so I have no choice other
than to have them store passwords in various config.php files but PHP
users are used to that. I would like to fix that but that's a war for
another day.

--
D'Arcy J.M. Cain <darcy@xxxxxxxxx>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 788 2246 (DoD#0082)    (eNTP)       |  what's for dinner.
IM: darcy@xxxxxxx, VoIP: sip:darcy@xxxxxxxxx

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
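What the real pg_hba.conf / pg_ident.conf syntax offers for the setup discussed above, as an added example that is not from the thread or from PostgreSQL's own documentation: the "joe@nobody" user field does not exist, so the closest you can express is an ident line with a user map for the trusted host followed by md5 for everyone else. The map name "webhost" is assumed.

```conf
# pg_hba.conf (added example). Lines are tried top to bottom and the FIRST
# line whose TYPE/DATABASE/USER/ADDRESS all match decides the method; if that
# method fails, the connection is rejected rather than falling through to a
# later line. This is why a single address cannot be "ident for OS user joe,
# md5 for OS user nobody": pg_hba.conf never sees the remote OS user, only
# the requested database user.
#
# TYPE  DATABASE  USER   ADDRESS              METHOD
host    all       joe    192.168.151.75/32    ident map=webhost
host    all       all    192.168.151.75/32    md5

# pg_ident.conf ("webhost" is an assumed map name).
# Only OS user joe on that host may authenticate as database user joe.
# A script running as OS user nobody that requests database user joe hits
# the ident line above, fails the map, and is refused; it does NOT get the
# md5 prompt from the second line.
#
# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
webhost    joe              joe

# md5 is the thread's recommendation over cleartext "password"; on current
# releases scram-sha-256 supersedes it and is the method to prefer.
```

Check the order of your own lines with a deliberate test connection from each OS user: a wrong ordering fails closed (users locked out) rather than open, but only if the ident line really sits above the md5 line.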