Re: pg_hba.conf "sameuser" - Mailing list pgsql-general
| From | Tim Frank |
|---|---|
| Subject | Re: pg_hba.conf "sameuser" |
| Date | |
| Msg-id | 20010314.17541905@tfrank.registrar.uoguelph.ca Whole thread Raw |
| In response to | Re: pg_hba.conf "sameuser" (Peter Eisentraut <peter_e@gmx.net>) |
| List | pgsql-general |
Peter,
Thank you for pointing out the VERY, VERY obvious to me that there was
most likely a line later on in my config that was still letting that
machine through. There was indeed a line there for the entire subnet for
password authentication (DUH!) that I forgot about while testing the
"sameuser" parameter.
Of course once I commented out that line things behaved appropriately
for "sameuser" as both a DBNAME and as the parameter for ident. I knew I
was missing something stupid, but to hell if I could find it on my own.
Lesson learned: When trying to add new authentication entries be sure
current authentcation lines don't conflict with or override the new ones.
Thanks a bunch, I have a tiny bit of my sanity back for the week now :)
Now that sameuser was working fine I tried to pull of something like this
host sameuser xxx.xxx.xxx.xxx 255.255.255.255 password other.pwd
to provide a list of "additional" users who could access a databse named
the same as a user (so I could allow superuser accounts to also connect
to those DB's in one step without having to explicitly list each DB with
its own password file) but it only let me connect as a user in the
other.pwd regardless of whether or not I was actually connecting as the
same username as the DB. Here I just assume that the optional file is
given a higher priority than the "sameuser" option. I just thought I
would give it a crack and see what happened.
Most of this is just academic exercies on my part to figure out what
can/can't be done and how. I may not end up using "sameuser" but I want
to have a good understanding of it before I discount it altogether.
Thanks again for your time.
Tim Frank
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
> The snippet you quoted is slightly misworded. The "sameuser" key word
> when used in place of a database name determines whether the record
> matches. So a record of the form
> host sameuser xxx.xxx.xxx.xxx 255.255.255.255 password
> says to use password authentication if the host IP matches *and* the
> requested database name is equal to the requested user name. If these
> conditions aren't satisfied then the record doesn't match and is not
> considered. Most likely, in your case there are subsequent records that
> also match the host IP that have different authentication set. E.g., if
> you add a record
> host all xxx.xxx.xxx.xxx 255.255.255.255 trust
> after the above record, then all connection requests where the username
is
> equal to the database name will require a password, whereas all other
> connections will be allowed unconditionally. (A rather silly setup, of
> course.)
> > The only actual references I have seen in examples for "sameuser" use
it
> > in conjunction with an AUTHTYPE of ident. Such as,
> >
> > host sameuser (IP) (MASK) ident (which doesn't seem to work
as
> > ident always fails?)
> An argument after "ident" is required.
> >
> > or
> >
> > host myuser (IP) (MASK) ident sameuser (which doesn't seem
to
> > restrict a user to their own DB either)
> This is different. This means that the connection is allowed if the Unix
> user name and the database user name match.
> --
> Peter Eisentraut peter_e@gmx.net http://yi.org/peter-e/
pgsql-general by date: