Remove trust authentication from pg_hba.conf
pg_hba.conf# TYPE DATABASE USER ADDRESS METHODlocal all all peerhost all all 127.0.0.1/32 scram-sha-256host all all ::1/128 scram-sha-256SELECT pg_reload_conf();Why it matters
Section titled “Why it matters”PostgreSQL’s documentation describes trust without euphemism:
This method allows anyone that can connect to the PostgreSQL database server to login as any PostgreSQL user they wish, without the need for a password or any other authentication.
Any user they wish includes postgres. There is no password to guess and no
partial access to escalate from — reaching the socket is superuser. From there:
read and write every database, COPY ... FROM PROGRAM to run shell commands as
the postgres OS user, and read files off the host.
A trust line paired with a wide ADDRESS is the worst configuration in this
cluster. It is also common, because it is what makes things work when
authentication is misconfigured and someone is under time pressure.
Where trust comes from
Section titled “Where trust comes from”Nobody sets this out of malice. It arrives three ways:
- Debugging. A connection fails,
trustmakes it succeed, and the change outlives the debugging session. - Tutorials. A great deal of “getting started with Postgres” content sets
trustfor local connections to skip the password step. initdb --auth=trust, or an automation template that passes it.
The tell is that it always works. Nothing ever fails to remind you it’s there.
What to use instead
Section titled “What to use instead”| Connection | Use | Why |
|---|---|---|
local (unix socket) |
peer |
Matches the OS user to the database user. No password to manage. |
host loopback |
scram-sha-256 |
A real password, hashed properly. |
host remote |
hostssl + scram-sha-256 |
See TLS — plain host permits unencrypted connections. |
peer is the one people miss. For local socket connections it gives you the
passwordless convenience that made trust attractive, while still being an
actual authentication check — the kernel vouches for the OS user identity.
Related
Section titled “Related”- Use scram-sha-256, not md5 — set this before you create passwords.
- Scope pg_hba.conf rules — trust plus a wide CIDR is the worst case.