The default values included with postgresql-15 on Debian 12 are:
```
# Database administrative login by Unix domain socket
local   all             postgres                                peer

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            scram-sha-256
# IPv6 local connections:
host    all             all             ::1/128                 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            scram-sha-256
host    replication     all             ::1/128                 scram-sha-256
```
The provided defaults set in postgresql_hba_entries are outdated in comparison:
```yaml
# Host based authentication (hba) entries to be added to the pg_hba.conf. This
# variable's defaults reflect the defaults that come with a fresh installation.
postgresql_hba_entries:
  - {type: local, database: all, user: postgres, auth_method: peer}
  - {type: local, database: all, user: all, auth_method: peer}
  - {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: "{{ postgresql_auth_method }}"}
  - {type: host, database: all, user: all, address: '::1/128', auth_method: "{{ postgresql_auth_method }}"}
```
In particular:

- `md5` appears to be the default if `ansible_fips` is `false`, which contradicts the more secure default of `scram-sha-256`
- `replication` entries are missing.
As mentioned in #76, it would be useful to be able to append entries to the defaults, instead of overriding.
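As an added example (not code from the role or from this issue's author), a small Python audit that parses a rendered `pg_hba.conf` and reports the two gaps described above: network entries still using `md5` (or `password`/`trust`) instead of `scram-sha-256`, and the absence of any `replication` entries. The sample config is constructed to match what the role's current defaults render when `ansible_fips` is false.

```python
"""Audit a pg_hba.conf for weak host auth methods and missing replication entries."""
from dataclasses import dataclass
from typing import List, Optional

# Methods that should not appear on network (host*) lines once scram-sha-256 is available.
WEAK_HOST_METHODS = {"md5", "password", "trust"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


@dataclass
class HbaEntry:
    type: str
    database: str
    user: str
    address: Optional[str]  # None for local (Unix socket) entries
    method: str


def parse_pg_hba(text: str) -> List[HbaEntry]:
    """Parse pg_hba.conf; 'local' lines carry no ADDRESS column, while host
    lines may give ADDRESS either as CIDR or as separate IP and netmask columns."""
    entries: List[HbaEntry] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "local" and len(fields) >= 4:
            entries.append(HbaEntry("local", fields[1], fields[2], None, fields[3]))
        elif fields[0] in HOST_TYPES and len(fields) >= 5:
            address, rest = fields[3], fields[4:]
            if "/" not in address and rest and ("." in rest[0] or ":" in rest[0]):
                address, rest = f"{address} {rest[0]}", rest[1:]  # IP + netmask form
            if rest:
                entries.append(HbaEntry(fields[0], fields[1], fields[2], address, rest[0]))
    return entries


def audit(entries: List[HbaEntry]) -> List[str]:
    """Return findings: weak network auth methods and missing replication entries."""
    findings = [f"{e.type} {e.database} {e.user} {e.address}: weak method {e.method}"
                for e in entries if e.type != "local" and e.method in WEAK_HOST_METHODS]
    if not any(e.database == "replication" for e in entries):
        findings.append("no replication entries (streaming replicas cannot authenticate)")
    return findings


# Constructed sample: the role's outdated defaults rendered with ansible_fips false.
OUTDATED_HBA = """\
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
"""

if __name__ == "__main__":
    for finding in audit(parse_pg_hba(OUTDATED_HBA)):
        print(finding)
```

Running it against the Debian 12 defaults quoted above produces no findings, while the role's rendered defaults produce two weak-method findings plus the missing-replication finding.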