perfsonar-user - Re: [perfsonar-user] Why md5 auth not supported?

Re: [perfsonar-user] Why md5 auth not supported?


  • From: Mark Feit <>
  • To: Bockjoo Kim <>, "" <>
  • Subject: Re: [perfsonar-user] Why md5 auth not supported?
  • Date: Thu, 1 Aug 2019 17:53:12 +0000

Bockjoo Kim writes:


Our research computing thinks requiring md5 auth is better than using 'peer' for local connections and 'ident' for host connections from localhost/localhost6 (for database users that aren't esmond or pscheduler - stock perfsonar config already required md5 for them).

Why is md5 auth not supported by perfsonar?

Better isn’t better if it breaks something when there’s no security risk.

Local/peer uses the kernel to identify the account at the other end of a local (Unix socket) connection.  Disabling that will prevent the postgres account from having unfettered access to the database, which in turn will break anything that depends on it (pScheduler upgrades, at a minimum).  There’s no security problem with this because that account already owns the server processes and all of the data files and there aren’t roles or grants for other accounts on the system.  You could, in theory, lock it down a bit further by restricting that just to the postgres account, but there’s not a lot of point in it since you pretty much have to trust the kernel.

Host/ident authentication for localhost and localhost6 attempts to use the ident protocol, which the toolkit doesn’t run and almost nobody else does, either.  The PostgreSQL-provided program that initializes the database sets up local authentication.  The default is trust, and the RPMs that PGDG supplies for EL7 set it up for ident.  Those entries could actually be removed entirely; I did that on a test bed host and everything still seems happy.

--Mark
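The pg_hba.conf behaviour discussed above, as an added example that is not from the thread or the perfSONAR project: a small Python audit that parses a constructed pg_hba.conf resembling the PGDG EL7 defaults and flags the localhost ident entries (which need an identd that nobody runs) and any trust entries. The sample config, the function names and the finding labels are assumptions.

```python
# Added example (not from the mailing-list post or the perfSONAR toolkit).
import re

# Constructed sample modelled on the PGDG EL7 defaults described in the thread:
# peer over the Unix socket, ident for localhost/localhost6, md5 for the
# application roles that the stock perfSONAR configuration already requires.
SAMPLE_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            ident
host    all             all             ::1/128                 ident
host    esmond          esmond          127.0.0.1/32            md5
host    pscheduler      pscheduler      ::1/128                 md5
"""


def parse_hba(text):
    """Parse pg_hba.conf lines into dicts. 'local' rows have no ADDRESS column;
    any auth options after METHOD are ignored."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = re.split(r"\s+", line)
        conn_type = fields[0]
        if conn_type == "local":
            db, user, addr, method = fields[1], fields[2], None, fields[3]
        else:  # host, hostssl, hostnossl
            db, user, addr, method = fields[1], fields[2], fields[3], fields[4]
        rows.append({"type": conn_type, "db": db, "user": user,
                     "addr": addr, "method": method})
    return rows


def audit_hba(rows):
    """Return (finding, scope) pairs for the two cases the thread calls out:
    'ident' rows that only work with an identd, and 'trust' rows with no auth.
    'peer' over the socket is left alone: the kernel identifies the OS account,
    and only an OS account with a matching role gets in."""
    findings = []
    for r in rows:
        scope = r["addr"] or "local"
        if r["method"] == "ident":
            findings.append(("ident-needs-identd", scope))
        elif r["method"] == "trust":
            findings.append(("trust-no-auth", scope))
    return findings
```

Running `audit_hba(parse_hba(SAMPLE_HBA))` on the constructed sample reports only the two ident rows; swap them for `peer`-style socket rules or remove them, as the reply suggests, and the audit comes back empty.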

