AWS RDS Postgres pg_hba.conf auth-method
Problem
I'm starting to use Amazon Web Service's Relational Database Server product (AWS RDS) and want to confirm I have not made a security blunder.
My configuration:
- Postgres
- Publicly accessible
- Inbound rule on security group added for "PostgreSQL / My IP"
These options enable me to use pgAdmin to connect and populate data. I've tried to determine the auth-method used in AWS RDS Postgres without success.
Am I transmitting my password in clear text when I connect with pgAdmin?
Edit:
I'm starting to think my fears are warranted. This is what I've learned:
- Directions for Using SSL with PostgreSQL DB Instance suggests it's not the default
- The 'SSL' option in my pgAdmin connection properties has no options (probably because I haven't set up certificates)
Solution
From what I can gather, SSL is usually being used. What varies is the level to which server certificates are verified.
Reading the guide from Amazon is helpful albeit lengthy.
Things to remember...
- To determine if SSL is on (apparently this requires a plugin but works by default on AWS RDS):
  show ssl;
- There is a ~/.pgpass file that automatically supplies passwords when using psql (this confused me for a while).
- Full server certificate verification (requires the root cert from AWS):
  $ psql -h testpg.cdhmuqifdpib.us-east-1.rds.amazonaws.com -p 5432 "dbname=testpg user=testuser sslrootcert=rds-ca-2015-root.pem sslmode=verify-full"
- SSL is still on with this command however (no sslmode, sslrootcert):
  $ psql -h testpg.cdhmuqifdpib.us-east-1.rds.amazonaws.com -p 5432 "dbname=testpg user=testuser"
- This will not connect because the root cert is not supplied:
  $ psql -h testpg.cdhmuqifdpib.us-east-1.rds.amazonaws.com -p 5432 "dbname=testpg user=testuser sslmode=verify-full"
- I never established a non-SSL connection; however, it is possible to prevent non-SSL connections to a DB instance with a parameter on the server: rds.force_ssl
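As an added example (not part of the original answer), the helper below applies libpq's documented rules to the three connection strings above: sslmode defaults to prefer, verify-ca and verify-full refuse to connect without a root certificate (sslrootcert, PGSSLROOTCERT or ~/.postgresql/root.crt), and only require and above rule out a fallback to a cleartext session. The `assess` function, its `root_cert_exists` argument and the returned field names are this example's own, not a libpq or psql API.

```python
"""Assess what a libpq connection string guarantees before using it."""
import os
import shlex

# libpq sslmode values, weakest to strongest (from the libpq documentation)
SSL_MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
DEFAULT_ROOT_CERT = "~/.postgresql/root.crt"  # libpq's default sslrootcert


def parse_dsn(dsn):
    """Parse a libpq string ("key=value key='quoted value'") into a dict."""
    params = {}
    for token in shlex.split(dsn):  # shlex strips libpq-style single quotes
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed connection parameter: {token!r}")
        params[key] = value
    return params


def assess(dsn, env=None, root_cert_exists=None):
    """Evaluate a connection string the way libpq will interpret it.

    env replaces os.environ (PGSSLMODE / PGSSLROOTCERT act as fallbacks, as
    in libpq); root_cert_exists overrides the filesystem check so the
    assessment can run on a machine without the certificate on disk.
    """
    env = os.environ if env is None else env
    p = parse_dsn(dsn)
    mode = p.get("sslmode") or env.get("PGSSLMODE") or "prefer"
    if mode not in SSL_MODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    rootcert = p.get("sslrootcert") or env.get("PGSSLROOTCERT") or DEFAULT_ROOT_CERT
    if root_cert_exists is None:
        root_cert_exists = os.path.isfile(os.path.expanduser(rootcert))
    needs_root = mode in ("verify-ca", "verify-full")
    return {
        "sslmode": mode,
        "sslrootcert": rootcert,
        # allow/prefer drop to cleartext if the server refuses SSL, so only
        # require and above guarantee the password and data are encrypted.
        "encrypted_guaranteed": SSL_MODES.index(mode) >= SSL_MODES.index("require"),
        # Only verify-full checks both the chain and the host name.
        "server_verified": mode == "verify-full",
        # verify-* modes fail outright when no root certificate is present.
        "will_connect": not needs_root or root_cert_exists,
    }
```

Because prefer is the client default, the server-side rds.force_ssl setting is what turns "usually encrypted" into "always encrypted"; verify-full with the AWS root cert is what additionally rules out an impostor server.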
Context
StackExchange Database Administrators Q#174625, answer score: 2