Waiting for PostgreSQL 17 – Generate new LOG for “trust” connections under log_connections

On 26th of August 2023, Michael Paquier committed patch:

Generate new LOG for "trust" connections under log_connections
 
Adding an extra LOG for connections that have not set an authn ID, like
when the "trust" authentication method is used, is useful for audit
purposes.
 
A couple of TAP tests for SSL and authentication need to be tweaked to
adapt to this new LOG generated, as some scenarios expected no logs but
they now get a hit.
 
Reported-by: Shaun Thomas
Author: Jacob Champion
Reviewed-by: Robert Haas, Michael Paquier
Discussion: https://postgr.es/m/CAFdbL1N7-GF-ZXKaB3XuGA+CkSmnjFvqb8hgjMnDfd+uhL2u-A@mail.gmail.com

So, this is cool for auditing purposes.

Before this patch, we could see logged messages like:

2023-09-01 17:34:55.454 CEST xxx@depesz 123926 [local] LOG:  connection authenticated: identity="xxx" method=scram-sha-256 (/home/pgdba/data/pg_hba.conf:116)
2023-09-01 17:36:12.245 CEST yyy@depesz 124538 [local] LOG:  connection authenticated: identity="yyy" method=peer (/home/pgdba/data/pg_hba.conf:117)

but now, for connections authenticated with trust, we also see similar info:

2023-09-01 17:36:18.475 CEST depesz@depesz 124680 [local] LOG:  connection authenticated: user="depesz" method=trust (/home/pgdba/data/pg_hba.conf:121)

which clearly shows that the user wasn't authenticated (well, they were, but using trust, which doesn't really check anything), and that it was because of line 121 in pg_hba.conf.
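
For auditing, the difference between identity="..." and user="..." is easy to pick up mechanically. The following is an added example, not code from the original post or from the PostgreSQL project: a small Python filter that reads log lines in the format shown above and counts connections without an authn ID per pg_hba.conf rule. The function names and the sample lines are constructed for illustration, and the regex assumes the message text is exactly as shown in this post.

```python
import re
from collections import Counter

# Matches the message part of a "connection authenticated" line in both forms
# shown in the post: identity="..." (authn ID set) and user="..." (no authn
# ID, e.g. trust). Anchored on "LOG:" so it does not depend on log_line_prefix.
AUTH_RE = re.compile(
    r'LOG:\s+connection authenticated: '
    r'(?P<kind>identity|user)="(?P<name>[^"]*)" '
    r'method=(?P<method>\S+) '
    r'\((?P<hba_file>.+):(?P<hba_line>\d+)\)\s*$'
)

def parse_auth_line(line):
    """Return a dict for a 'connection authenticated' line, else None."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["hba_line"] = int(rec["hba_line"])
    return rec

def unauthenticated_rules(lines):
    """Count connections admitted without an authn ID, per pg_hba.conf rule."""
    hits = Counter()
    for line in lines:
        rec = parse_auth_line(line)
        if rec and rec["kind"] == "user":
            hits[(rec["hba_file"], rec["hba_line"], rec["method"])] += 1
    return hits

# Constructed sample input, modelled on the log lines shown in the post.
SAMPLE = [
    '2023-09-01 17:34:55.454 CEST xxx@depesz 123926 [local] LOG:  connection authenticated: identity="xxx" method=scram-sha-256 (/home/pgdba/data/pg_hba.conf:116)',
    '2023-09-01 17:36:12.245 CEST yyy@depesz 124538 [local] LOG:  connection authenticated: identity="yyy" method=peer (/home/pgdba/data/pg_hba.conf:117)',
    '2023-09-01 17:36:18.475 CEST depesz@depesz 124680 [local] LOG:  connection authenticated: user="depesz" method=trust (/home/pgdba/data/pg_hba.conf:121)',
    '2023-09-01 17:36:18.476 CEST depesz@depesz 124680 [local] LOG:  connection authorized: user=depesz database=depesz',
    '2023-09-01 17:40:02.101 CEST zzz@depesz 125001 [local] LOG:  connection authenticated: user="zzz" method=trust (/home/pgdba/data/pg_hba.conf:121)',
]

if __name__ == "__main__":
    for (path, lineno, method), n in unauthenticated_rules(SAMPLE).items():
        print(f"{n} connection(s) without authn ID via {method} at {path}:{lineno}")
```
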

Nice, thanks to all involved 🙂
