Re: Using both ident and password in pg_hba.conf - Mailing list pgsql-general

From Tom Lane
Subject Re: Using both ident and password in pg_hba.conf
Msg-id 3533.1462832116@sss.pgh.pa.us
In response to Re: Using both ident and password in pg_hba.conf  ("D'Arcy J.M. Cain" <darcy@druid.net>)
Responses Re: Using both ident and password in pg_hba.conf  ("D'Arcy J.M. Cain" <darcy@druid.net>)
List pgsql-general
"D'Arcy J.M. Cain" <darcy@druid.net> writes:
> On Mon, 09 May 2016 17:12:22 -0400
> Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> If the same user id + database combinations might be valid in both
>> cases (from both PHP and manual connections) I think your only other
>> option for distinguishing which auth method to use is to make them
>> come in on different addresses.  Can you set up a secondary IP
>> interface that only the PHP server uses, for example?

> I did think of that but how do I define that in pg_hba?  The host field
> only specifies the remote IP, not the local one.

Right, but you'd be using it essentially as a loopback interface.
Say you set it up as 192.168.0.42 --- you'd tell PHP to connect to
Postgres on 192.168.0.42, and Postgres would also see the PHP connections
as coming in from 192.168.0.42.

I think on most modern OSes you can set up this sort of thing entirely in
software, not even needing a spare NIC card.  I haven't done it that way
though.


> I had an idea that that wouldn't be so easy else we would have had it
> by now.  However, I am not sure that that is what is needed.  I was
> thinking of something like this:

> host    all       joe@nobody  192.168.151.75/32       password
> host    all       all         192.168.151.75/32       ident

> The "all@nobody" field is meant to specify that the remote user is
> nobody but that they are connecting as user joe.

As John noted, we don't have any idea what the "remote username" is
at the time we're scanning pg_hba.conf.

            regards, tom lane
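
Added example, not part of the message above and not PostgreSQL code: a simplified Python model of how a pg_hba.conf record is selected, showing that a secondary address lets the same user and database get different auth methods. The function names and the database name `webdb` are assumptions; the addresses are those used in the thread, and only plain `host` records with `all` or literal names are modelled.

```python
import ipaddress

# Constructed pg_hba.conf fragment using the addresses from the thread:
# 192.168.0.42 is the secondary address that only PHP connects through,
# 192.168.151.75 is the address the manual connections arrive from.
PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS             METHOD
host    all       all   192.168.0.42/32     password
host    all       all   192.168.151.75/32   ident
"""


def parse_hba(text):
    """Return (type, database, user, network, method) records in file order."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        conn_type, database, user, address, method = line.split()[:5]
        records.append((conn_type, database, user,
                        ipaddress.ip_network(address), method))
    return records


def auth_method(records, database, user, client_addr):
    """Pick the method of the first record matching database, user, address.

    There is no fall-through to later records, and the remote OS username is
    not an input: ident only learns it after a record has been chosen.
    """
    addr = ipaddress.ip_address(client_addr)
    for conn_type, rec_db, rec_user, network, method in records:
        if conn_type != "host":
            continue
        if rec_db not in ("all", database) or rec_user not in ("all", user):
            continue
        if addr in network:
            return method
    return None  # no matching record: the connection is rejected


if __name__ == "__main__":
    recs = parse_hba(PG_HBA)
    for src in ("192.168.0.42", "192.168.151.75", "10.0.0.1"):
        print(src, "->", auth_method(recs, "webdb", "joe", src))
```

For the PHP connections to match the first record, the server also has to accept connections on the secondary address (`listen_addresses` in postgresql.conf).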

