Re: Help with authentication on Debain/Ubuntu installation - Mailing list pgsql-general

From Adrian Klaver
Subject Re: Help with authentication on Debain/Ubuntu installation
Msg-id 76a1827a-b05c-a170-aace-2c07daf7ac32@aklaver.com
In response to Re: Help with authentication on Debain/Ubuntu installation  (stan <stanb@panix.com>)
List pgsql-general
On 11/21/19 1:52 PM, stan wrote:
> 
> On Thu, Nov 21, 2019 at 12:14:16PM -0800, Adrian Klaver wrote:

>> 5) Now in your case you have peer auth(first in the list) for local socket
>> connections which means a user can only connect on the local socket as the
>> db postgres user if they are also the os postgres user.
>> You can work around that by having other users connect to the database using
>> a -h(host) connection that requires a password.
> 

I will answer your questions below, but I would suggest you spend some 
time going over:

https://www.postgresql.org/docs/11/auth-pg-hba-conf.html

It will answer a lot of questions.

> So, to implement it this way. I would
> 
> * set the postgres database user password to one I know.
> * run tasks that need postgres superuser access with -h
> <external_ip_address> -U postgres -W
> 
> * enter the password.
> 
> Correct?

Yes and no.

If you are running tasks as the OS user postgres and connecting to the 
local socket(no -h) then this:

# Database administrative login by Unix domain socket
local   all             postgres                                peer

will apply and you will not need a password.

If you are not running as the OS user postgres or are not using the 
local socket, then another connection line in pg_hba.conf will come into 
play. In that case you probably want something like:

host   all             postgres                                md5

In the above case you can connect as an OS user other than 
postgres(using -U postgres) and you will need to supply a password. 
Also if you connect as OS user postgres(using -h) then you will need a 
password. The password can be supplied manually or it can come from .pgpass:

https://www.postgresql.org/docs/11/libpq-pgpass.html

or an env variable:

https://www.postgresql.org/docs/11/libpq-envars.html


> 
> I should have thought of this technique, I have used it in the past when I
> had issues with pg_hba.conf file. Something about IPV6 entries, or lack of
> them ?

Possibly, you can force an IPV4 connection by doing for instance:

-h 127.0.0.1 instead of -h localhost

in the case where localhost is pointing to ::1

> 
> Thanks for the help.
> 


-- 
Adrian Klaver
adrian.klaver@aklaver.com
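
Added example, not part of the original message or of PostgreSQL's code: a small Python model of how the server picks a pg_hba.conf record (first match on connection type, database, user and client address), run over a constructed file. The `127.0.0.1/32` and `::1/128` address columns, the database name `mydb` and the function names are assumptions; only the `all` keyword and plain CIDR addresses are handled.

```python
import ipaddress

# Constructed pg_hba.conf for illustration. The peer line is the one quoted in
# the message; the host lines carry an assumed loopback address column, which
# every host record needs (host  database  user  address  method).
SAMPLE_HBA = """\
# Database administrative login by Unix domain socket
local   all             postgres                                peer
host    all             postgres        127.0.0.1/32            md5
host    all             postgres        ::1/128                 md5
"""

def parse_hba(text):
    """Return records as (type, databases, users, network or None, method)."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if fields[0] == "local":
            conn, dbs, users, method = fields[:4]
            net = None  # Unix-socket records have no address column
        else:
            conn, dbs, users, addr, method = fields[:5]
            net = ipaddress.ip_network(addr, strict=False)
        records.append((conn, dbs.split(","), users.split(","), net, method))
    return records

def auth_method(records, database, user, client_addr=None):
    """First matching record wins; None means no record matched (rejected).

    client_addr=None models a Unix-socket connection (psql without -h).
    """
    for conn, dbs, users, net, method in records:
        if (conn == "local") != (client_addr is None):
            continue  # socket records never match TCP connections, and vice versa
        if "all" not in dbs and database not in dbs:
            continue
        if "all" not in users and user not in users:
            continue
        # An IPv4 client never matches an IPv6 network (and the reverse),
        # which is why "localhost" resolving to ::1 needs its own record.
        if net is not None and ipaddress.ip_address(client_addr) not in net:
            continue
        return method
    return None

RECORDS = parse_hba(SAMPLE_HBA)
```

With this file, `auth_method(RECORDS, "mydb", "postgres")` returns `peer` for a socket connection, the same user over `127.0.0.1` or `::1` gets `md5`, and a client address with no matching record returns `None`.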


