Changing postgres password and warning

ORIGINAL from https://serverfault.com/questions/110154/whats-the-default-superuser-username-password-for-postgres-after-a-new-install

CAUTION The answer about changing the UNIX password for "postgres" through "$ sudo passwd postgres" is not preferred, and can even be DANGEROUS!
This is why: By default, the UNIX account "postgres" is locked, which means it cannot be logged in using a password. If you use "sudo passwd postgres", the account is immediately unlocked. Worse, if you set the password to something weak, like "postgres", then you are exposed to a great security danger. For example, there are a number of bots out there trying the username/password combo "postgres/postgres" to log into your UNIX system.
What you should do is follow Chris James's answer:
sudo -u postgres psql postgres

# \password postgres

Enter new password:
To explain it a little bit. There are usually two default ways to login to PostgreSQL server:
  1. By running the "psql" command as a UNIX user (so-called IDENT/PEER authentication), e.g.:sudo -u postgres psql. Note that sudo -u does NOT unlock the UNIX user.
  2. by TCP/IP connection using PostgreSQL's own managed username/password (so-called TCP authentication) (i.e., NOT the UNIX password).
So you never want to set the password for UNIX account "postgres". Leave it locked as it is by default.
Of course things can change if you configure it differently from the default setting. For example, one could sync the PostgreSQL password with UNIX password and only allow local logins. That would be beyond the scope of this question.

Comments

Post a Comment

Popular posts from this blog

Difference between apt-get update and apt-get dis-upgrade

The “sudo apt-get upgrade” isn’t necessary. It’s a different type of upgrade from “dist-upgrade” You either run one or the other. “apt-get upgrade” will only update your existing packages while “apt-get dist-upgrade” will update your existing packages, remove obsolete packages and install new available packages as well. You can get breakages either way since new packages might be required as dependencies for upgraded packages in the case of “sudo apt-get upgrade” so using “apt-get dist-upgrade” is still the best way so far. Note: This only applies to LMDE since LMDE is a true rolling release. For any other flavor of Mint you’d use MintUpdate levels 1, 2 and 3 all the way. Perhaps someday Clem and Co. will figure out how to tailor MintUpdate so it works properly in LMDE but considering the rolling aspect of LMDE, I’m at a loss as to how theyn would do that. ref http://b10gger.wordpress.com/2011/03/20/difference-between-apt-get-upgrade-and-apt-get-dist-upgrade/ (thank for this website)
Read more