Thread: phpPgAdmin + PostgreSQL + authentication
Howdy:
Not sure if this is the most likely of maillists to ask,
but is anyone using phpPgAdmin? I have a few questions
regarding authentication of username / passwords.
I'm running PostgreSQL 7.2.1 on RedHat Linux 7.2 kernel 2.4.7-10.
I have phpPgAdmin 2.4.2 installed.
Basically, I want to know: how to configure phpPgAdmin to
allow all the users that exist in pg_shadow to log in and
be authenticated?
In my pg_hba.conf, I have this:
[snip conf file]
# TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
local all trust
host all 127.0.0.1 255.255.255.255 md5
host all 16.x.x.1 255.0.0.0 md5
host all 192.168.0.0 255.255.255.0 md5
[/snip conf file]
In the config.inc.php, I have this:
[snip php conf]
// The $cfgServers array starts with $cfgServers[1]. Do not use $cfgServers[0].
// You can disable a server config entry by setting host to ''.
$cfgServers[1]['local'] = false;
$cfgServers[1]['host'] = 'test.localserver.net';
$cfgServers[1]['port'] = '5432';
$cfgServers[1]['adv_auth'] = true;
$cfgServers[1]['user'] = ''; // if you are not using adv_auth,
// enter the username to connect all the time
$cfgServers[1]['password'] = ''; // if you are not using adv_auth and
// a password is required enter a password
$cfgServers[1]['only_db'] = ''; // if set to a db-name, only this db is accessible
[/snip php conf]
As I understand it, shouldn't this allow any user with TCP connection
to access the database? I suppose I am trying to understand if
adv_auth even uses pg_shadow at all, or, does 'local' mean that
no authentication is needed, anyone can log in.
The only thing that happens at the index.php page is when I log
in, I get "Wrong username/password. Access denied".
I mean, if I can access the database via command line (psql -U joe -d testdb)
without needing to authenticate myself, shouldn't that mean that phpPgAdmin
allows the same thing? Otherwise, I should be able to use what's in
pg_shadow, right?
I am re-reading the documentation page. Any info / direction is appreciated.
Thanks!
-X
On Tue, 2002-10-08 at 12:21, Johnson, Shaunn wrote:
> Not sure if this is the most likely of maillists to ask,
> but is anyone using phpPgAdmin? I have a few questions
> regarding authentication of username / passwords.

We are. I love it.

> In my pg_hba.conf, I have this:
>
> [snip conf file]
>
> # TYPE DATABASE IP_ADDRESS MASK AUTH_TYPE AUTH_ARGUMENT
> local all trust

I specifically disallow local, because we're about to switch to kerberos
as our auth mechanism. In your case, I think you want md5 here as well.

> host all 127.0.0.1 255.255.255.255 md5
> host all 16.x.x.1 255.0.0.0 md5
> host all 192.168.0.0 255.255.255.0 md5
>
> [/snip conf file]
>
> In the config.inc.php, I have this:
>
> [snip php conf]
>
> // The $cfgServers array starts with $cfgServers[1]. Do not use $cfgServers[0].
> // You can disable a server config entry by setting host to ''.
> $cfgServers[1]['local'] = false;
> $cfgServers[1]['host'] = 'test.localserver.net';
> $cfgServers[1]['port'] = '5432';
> $cfgServers[1]['adv_auth'] = true;
> $cfgServers[1]['user'] = ''; // if you are not using adv_auth,
> // enter the username to connect all the time
> $cfgServers[1]['password'] = ''; // if you are not using adv_auth and
> // a password is required enter a password
> $cfgServers[1]['only_db'] = ''; // if set to a db-name, only this db is accessible
>
> [/snip php conf]
>
> As I understand it, shouldn't this allow any user with TCP connection
> to access the database? I suppose I am trying to understand if
> adv_auth even uses pg_shadow at all, or, does 'local' mean that
> no authentication is needed, anyone can log in.

I believe it does.

> The only thing that happens at the index.php page is when I log
> in, I get "Wrong username/password. Access denied".

Advance auth requires you to have these two entries:

$cfgServers[1]['stduser'] = 'auth';
$cfgServers[1]['stdpass'] = 'adv_auth';

Obviously, where stduser and stdpass are specific to your site.

What happens is pgadmin needs some way to confirm or deny that a given
user can login to the database, and so has to use this "other"
user/password to connect. I think that's what's happening, anyway.

--
Hunter Matthews Unix / Network Administrator
Office: BioScience 145/244 Duke Univ. Biology Department
Key: F0F88438 / FFB5 34C0 B350 99A4 BB02 9779 A5DB 8B09 F0F8 8438
Never take candy from strangers. Especially on the internet.