On 8/11/2016 1:48 PM, Jeff Janes wrote:
#1) pg_hba conf
> Out of the box the md5 setting blocks access.
That depends on which box you got it out of. If you compile the
source yourself, its default settings are 'trust', not 'md5'.
If you get it from a repository, it is up to the repository's policies
and/or the packager's tastes to decide what defaults to use.
In my hands, md5 blocks access exactly when it should, when the user
fails to provide the valid password.
my defacto pg_hba.conf reads like this...
local all all peer
host all all 127.0.0.0/8 md5
host all all ::1 md5
# host all all xxx.yyy.zzz.0/24 md5 ## uncomment and adjust
hostmask to suit LAN client addresses
with this setup, if user X runs psql with no arguments, it
authenticates them as sql user X. if user X wants to connect to
postgres as sql user Y, then `psql -h localhost -U Y ...` (or
equivalent in whatever API) and use the sql Y role password to
authenticate.
--
john r pierce, recycling bits in santa cruz
