Re: Multiple connections over VPN password fail error - Mailing list pgsql-general

so why do I get a password error when i try to connect 2 users over VPN from the same machine to the same host with the following settings in pg_dba.conf - how to find the issue

( user1:user1pwd@<vpnip/database> & user2:user2pwd@<vpnip/database> )

  # IPv4 external connections thru VPN

  #TYPE   DATABASE  USER   ADDRESS  METHOD
      host   all       all      <ip>       scram-sha-256

and whats the best option keeping security in mind

regards

Sanjay

On Fri, Feb 9, 2024 at 1:26 PM Daniel Gustafsson <daniel@yesql.se> wrote:

> On 9 Feb 2024, at 08:41, Sanjay Minni <sanjay.minni@gmail.com> wrote:

> while trying to make multiple connects with different role names to a single database over VPN i faced a password error issue when trying to connect a send user
> It seems I had to change this line in pg_hba.conf and it worked:
>
>    `# IPv4 external connections thru VPN
>     #TYPE   DATABASE  USER   ADDRESS  METHOD
>     host   all       all      <ip>    trust `        <=(from the earlier scram-sha-256)
>
> is this the way and is this correct from a security point of view ?

While correctness and security always needs to be evaluated from the specific
needs of an installation, the odds are pretty good that "No" is the correct
answer here.  To quote the documentation on the "trust" setting:

        "Allow the connection unconditionally.  This method allows anyone that
        can connect to the PostgreSQL database server to login as any
        PostgreSQL user they wish, without the need for a password or any other
        authentication."

I would recommend immediately reverting back to the scram-sha-256 setting and
figuring out why you were unable to login.

--
Daniel Gustafsson