
Ensure login via ‘host’ TCP/IP Socket is configured correctly

Details

A large number of authentication METHODs are available for hosts connecting using TCP/IP sockets, including:

trust

reject

md5

password

gss

sspi

ident

pam

ldap

radius

cert

The trust, password, and ident METHODs must not be used for remote (host) logins: trust performs no authentication at all, password sends the password over the network in clear text, and ident relies on an identification server running on the client machine, which the client controls. METHOD md5 is the most widely used; its challenge-response exchange keeps the password itself off the wire, so it can be used in both encrypted (hostssl) and unencrypted (hostnossl) sessions, although only an encrypted session protects the data exchanged after login.

Use of the gss, sspi, pam, ldap, radius, and cert METHODs, while more secure than md5, depends upon the availability of external authenticating processes/services and is thus not covered in this benchmark.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Confirm that remote logins are handled as intended by making a test connection from a remote host and checking the server log for the resulting message: either a successful connection or an error describing why authentication failed. For a login attempt, whether encrypted or unencrypted, to be accepted or rejected by a pg_hba.conf rule at all, check the following:

The server must be listening on an interface exposed to the remote connecting host, i.e. NOT only on IP address 127.0.0.1. In postgresql.conf:

    listen_addresses = '*'

An authenticating rule must exist in the file pg_hba.conf. This example permits only encrypted sessions for the postgres role and rejects all unencrypted sessions for the postgres role:

    # TYPE     DATABASE  USER      ADDRESS     METHOD
    hostssl    all       postgres  0.0.0.0/0   md5
    hostnossl  all       postgres  0.0.0.0/0   reject

Note that 0.0.0.0/0 matches only IPv4 clients; if the server also accepts IPv6 connections, add equivalent lines with the address ::/0.

The following examples illustrate other possible configurations. PostgreSQL reads pg_hba.conf top to bottom and applies the first record whose connection type, database, user and client address all match; if authentication under that record fails, later records are not consulted, and a connection that matches no record is rejected.

    host  all       postgres  127.0.0.1/32  md5

The postgres role may log in over TCP/IP only from the local host, with a password.

    host  samerole  all       0.0.0.0/0     md5

Any user may log in, from anywhere, to a database whose name matches a role that the user is a member of.

    host  samerole  +rw       0.0.0.0/0     md5

As above, but only for members of the rw role.
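The following script is an added example for this page; it is not part of the CIS benchmark, of Nessus, or of PostgreSQL. It parses a pg_hba.conf, reports host rules that use trust, password or ident for anything other than loopback addresses, and reproduces the first-match lookup described above so that a given connection (SSL or not, database, user, client address) can be traced to the one rule that decides it. The pg_hba.conf content and the role memberships are constructed inline for the demonstration. Assumptions: ADDRESS is a CIDR, an "address netmask" pair, or the keyword all; hostnames, samehost and samenet are treated as never matching; quoted names are not handled.

```python
"""Audit pg_hba.conf host* rules and simulate PostgreSQL's first-match lookup.

Added example; not benchmark, Nessus or PostgreSQL code. Role membership is
passed in as a dict because no server is consulted (assumption).
"""
import ipaddress
from dataclasses import dataclass

# Methods the benchmark says must not be used for remote (TCP/IP) logins.
WEAK_REMOTE_METHODS = {"trust", "password", "ident"}

# Constructed sample pg_hba.conf for the demonstration (not a real deployment).
SAMPLE_HBA = """\
# TYPE      DATABASE  USER      ADDRESS         METHOD
local       all       all                       peer
host        all       postgres  127.0.0.1/32    md5
hostssl     all       postgres  0.0.0.0/0       md5
hostnossl   all       postgres  0.0.0.0/0       reject
host        all       all       10.0.0.0/8      trust
host        samerole  +rw       0.0.0.0/0       md5
"""


@dataclass
class HbaRule:
    lineno: int
    conn_type: str   # host, hostssl or hostnossl
    database: str    # comma-separated names, or all / sameuser / samerole
    user: str        # comma-separated names, all, or +role
    address: str     # CIDR or the keyword all
    method: str


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Return the TCP/IP (host*) rules in file order; local rules are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue
        address, rest = fields[3], fields[4:]
        # Old-style "address netmask" form: fold it into CIDR notation.
        if "/" not in address and _is_ip(address) and _is_ip(rest[0]):
            address, rest = f"{address}/{rest[0]}", rest[1:]
        if rest:
            rules.append(HbaRule(lineno, fields[0], fields[1], fields[2], address, rest[0]))
    return rules


def _address_matches(spec, ip):
    if spec == "all":
        return True
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # hostname / samehost / samenet: not resolved here (assumption)
    return ip in net  # an IPv6 client never matches an IPv4 network, and vice versa


def _user_matches(spec, user, roles):
    for item in spec.split(","):
        if item == "all" or item == user:
            return True
        # "+role" matches the role itself and its direct or indirect members.
        if item.startswith("+") and (item[1:] == user or item[1:] in roles):
            return True
    return False


def _database_matches(spec, database, user, roles):
    for item in spec.split(","):
        if item == "all" or item == database:
            return True
        if item == "sameuser" and database == user:
            return True
        if item == "samerole" and database in roles:
            return True
    return False


def first_match(rules, ssl, database, user, client_ip, memberships=None):
    """First rule matching the connection; None means no rule, i.e. rejected.

    Only this rule decides the outcome: a failed authentication under it does
    not fall through to later rules.
    """
    roles = (memberships or {}).get(user, set())
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if (r.conn_type == "hostssl" and not ssl) or (r.conn_type == "hostnossl" and ssl):
            continue
        if (_address_matches(r.address, ip)
                and _database_matches(r.database, database, user, roles)
                and _user_matches(r.user, user, roles)):
            return r
    return None


def weak_remote_rules(rules):
    """Rules allowing trust/password/ident from anything other than loopback."""
    weak = []
    for r in rules:
        if r.method not in WEAK_REMOTE_METHODS:
            continue
        try:
            if r.address != "all" and ipaddress.ip_network(r.address, strict=False).is_loopback:
                continue
        except ValueError:
            pass  # hostname: cannot prove it is loopback, so report it
        weak.append(r)
    return weak


if __name__ == "__main__":
    rules = parse_pg_hba(SAMPLE_HBA)
    for r in weak_remote_rules(rules):
        print(f"line {r.lineno}: {r.conn_type} {r.database} {r.user} {r.address} {r.method} <- weak remote method")
    for ssl, db, user, ip in [(False, "app", "postgres", "10.1.2.3"),
                              (False, "app", "alice", "10.1.2.3"),
                              (True, "app", "postgres", "2001:db8::1")]:
        m = first_match(rules, ssl, db, user, ip)
        outcome = f"line {m.lineno} -> {m.method}" if m else "no match -> rejected"
        print(f"ssl={ssl} {user}@{db} from {ip}: {outcome}")
```

Run against the sample, the trust rule on line 6 is reported, and the traces show why ordering matters: an unencrypted login as postgres from 10.1.2.3 stops at the hostnossl reject on line 5 and never reaches the trust rule, whereas alice from the same address is admitted without a password by line 6. The IPv6 client matches nothing, because every ADDRESS in the sample is IPv4. To audit a real server, read the file named by `SHOW hba_file` and confirm `SHOW listen_addresses` is not restricted to localhost.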

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.


Updated on July 16, 2022