Postgres: no password / trusted host configuration
Using plaintext password authentication for your Postgres connections poses unnecessary risk: the password is exposed to sniffing, and the session to tampering and hijacking. Beyond that, an attacker who has gained access to a large number of machines can escalate privileges quite easily (for a well-known example, look at the Equifax case).
From the documentation:
"The method password sends the password in clear-text and is therefore vulnerable to password "sniffing" attacks. It should always be avoided if possible. If the connection is protected by SSL encryption then password can be used safely, though. (Though SSL certificate authentication might be a better choice if one is depending on using SSL)."
Problem
In pg_hba.conf, locate entries that use the trust or password method:
host all all 192.168.1.10 255.255.255.255 password
Fix
In pg_hba.conf, use a stronger authentication method instead:
host all all 192.168.1.10 255.255.255.255 scram-sha-256
scram-sha-256 is currently the most secure option to use.
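To check a whole pg_hba.conf for the weak methods named above and rewrite them to scram-sha-256, here is an added audit script (example code, not part of this page or of PostgreSQL); the sample config it parses is constructed, and the parser assumes the standard TYPE DATABASE USER ADDRESS METHOD record layout, including the older ADDRESS MASK two-field form shown in the entries above.

```python
import re

# Methods this page calls out: 'trust' skips authentication entirely and
# 'password' sends the password in clear text. Only these two are flagged.
WEAK_METHODS = {"trust", "password"}
PREFERRED_METHOD = "scram-sha-256"

# Constructed sample pg_hba.conf (not taken from any real server).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                         METHOD
local   all       all                                   peer
host    all       all   127.0.0.1/32                    scram-sha-256
host    all       all   192.168.1.10 255.255.255.255    password
host    app       app   10.0.0.0/8                      trust   # legacy
"""

def parse_pg_hba(text: str) -> list[dict]:
    """Parse pg_hba.conf records, skipping comments and blank lines.
    Handles 'local' (no address), CIDR, and the older ADDRESS MASK form."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip trailing comment
        if not fields:
            continue
        rec = {"line": lineno, "type": fields[0], "database": fields[1],
               "user": fields[2], "address": ""}
        rest = fields[3:]
        if rec["type"] != "local":
            rec["address"] = rest.pop(0)
            # A dotted-quad netmask as the next token means the two-field form.
            if rest and re.fullmatch(r"\d+\.\d+\.\d+\.\d+", rest[0]):
                rec["address"] += " " + rest.pop(0)
        rec["method"], rec["options"] = rest[0], rest[1:]
        records.append(rec)
    return records

def audit(text: str) -> list[str]:
    """One finding per record that still uses a weak method."""
    return [f"line {r['line']}: {r['type']} {r['database']} {r['user']} "
            f"{r['address']} uses '{r['method']}'"
            for r in parse_pg_hba(text) if r["method"] in WEAK_METHODS]

def remediate(text: str) -> str:
    """Rewrite each weak method to scram-sha-256, leaving other lines intact.
    Assumes no earlier field on the line is itself named 'trust'/'password'."""
    weak = {r["line"] for r in parse_pg_hba(text) if r["method"] in WEAK_METHODS}
    fixed = [re.sub(r"\b(trust|password)\b", PREFERRED_METHOD, raw, count=1)
             if n in weak else raw
             for n, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(fixed) + "\n"
```

Run audit() against the live file first and review its findings; remediate() only changes the method column, so reload PostgreSQL afterwards and confirm clients already use SCRAM-hashed passwords, since existing MD5-stored passwords cannot authenticate under scram-sha-256 until reset.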
See