Skip to content

Remove trust authentication from pg_hba.conf

Severity: criticalApplies to: PostgreSQL 14+Applies to: PostgreSQL 18
The fixpg_hba.conf
Terminal window
# TYPE DATABASE USER ADDRESS METHOD
local all all peer
host all all 127.0.0.1/32 scram-sha-256
host all all ::1/128 scram-sha-256
SELECT pg_reload_conf();

PostgreSQL’s documentation describes trust without euphemism:

This method allows anyone that can connect to the PostgreSQL database server to login as any PostgreSQL user they wish, without the need for a password or any other authentication.

Any user they wish includes postgres. There is no password to guess and no partial access to escalate from — reaching the socket is superuser. From there: read and write every database, COPY ... FROM PROGRAM to run shell commands as the postgres OS user, and read files off the host.

A trust line paired with a wide ADDRESS is the worst configuration in this cluster. It is also common, because it is what makes things work when authentication is misconfigured and someone is under time pressure.

Nobody sets this out of malice. It arrives three ways:

  • Debugging. A connection fails, trust makes it succeed, and the change outlives the debugging session.
  • Tutorials. A great deal of “getting started with Postgres” content sets trust for local connections to skip the password step.
  • initdb --auth=trust, or an automation template that passes it.

The tell is that it always works. Nothing ever fails to remind you it’s there.

Connection Use Why
local (unix socket) peer Matches the OS user to the database user. No password to manage.
host loopback scram-sha-256 A real password, hashed properly.
host remote hostssl + scram-sha-256 See TLS — plain host permits unencrypted connections.

peer is the one people miss. For local socket connections it gives you the passwordless convenience that made trust attractive, while still being an actual authentication check — the kernel vouches for the OS user identity.