Thread: ident authentication not working over loopback adapter
This is a bit backwards. ident authentication is working for me over
Unix domain sockets, but it isn't working over the loopback adapter.
Here is my /var/lib/pgsql/data/pg_hba.conf:

# Allow local and loopback users to connect to self-named databases
#
local   sameuser                                   ident sameuser
host    sameuser   127.0.0.1     255.255.255.255   ident sameuser

# Allow password-based authentication for local users, loopback, and
# local subnet.
#
local   all                                        md5
host    all        127.0.0.1     255.255.255.255   md5
host    all        192.168.1.0   255.255.255.0     md5

I have installed the identd daemon, and 'nmap localhost' confirms that
it is listening on port 113. Here is an example session. (I have
created a PostgreSQL user named 'pilcher' and a database of the same
name.)

[pilcher@home pilcher]$ psql
Welcome to psql, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help on internal slash commands
       \g or terminate with semicolon to execute query
       \q to quit

pilcher=> \q
[pilcher@home pilcher]$ psql -h localhost
psql: FATAL 1:  IDENT authentication failed for user "pilcher"

Anyone have any idea what's going on?

Notes: This is Red Hat Linux 8.0. Password authentication works over
Unix domain sockets or the loopback adapter.

Thanks!

-- 
========================================================================
Ian Pilcher                                          pilchman@attbi.com
========================================================================
Ian Pilcher <pilchman@attbi.com> writes:
> This is a bit backwards. ident authentication is working for me over
> Unix domain sockets, but it isn't working over the loopback adapter.

> Notes: This is Red Hat Linux 8.0. Password authentication works over
> Unix domain sockets or the loopback adapter.

Check to see if ident traffic is being filtered by kernel-level packet
filtering. IIRC, RHL ships with mighty tight packet filtering, even on
the loopback connection (which is a tad silly, but...). One easy way to
investigate this is to see if you can telnet to the ident daemon:

$ telnet localhost 113                      <--- I typed this
Trying...
Connected to localhost.sss.pgh.pa.us.
Escape character is '^]'.
1 2                                         <--- and this, which is junk,
1 , 0 : ERROR : INVALID-PORT                <--- so the ident daemon answered this
Connection closed by foreign host.
$

If you get a timeout or "connection refused" or anything except actual
communication with the ident daemon, you've got a filtering problem.

regards, tom lane
Tom Lane wrote:
>
> Check to see if ident traffic is being filtered by kernel-level packet
> filtering. IIRC, RHL ships with mighty tight packet filtering, even on
> the loopback connection (which is a tad silly, but...). One easy way to
> investigate this is to see if you can telnet to the ident daemon:
>

Actually, it seems that Red Hat doesn't filter the loopback adapter.
(In fact, it seems that connections to local interfaces don't get
filtered either, but remote connections to the same interfaces do get
filtered.)

I have tracked the problem down to the following line in
/etc/identd.conf:

result:encrypt = yes

Changing this to 'no' makes things work as expected, so PostgreSQL
obviously couldn't understand the encrypted response.

Anyone have any idea if this is a problem with PostgreSQL, a problem
with the ident daemon, or just "broken as designed"?

Thanks!

-- 
========================================================================
Ian Pilcher                                          pilchman@attbi.com
========================================================================
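The ident (RFC 1413) exchange that Tom's telnet check exercises, and the kind of reply Ian's result:encrypt finding produces, as an added example that is not part of the thread and is not PostgreSQL or identd code: a small client-side module that builds the query line, parses the reply, and decides whether the reply carries a login name that an "ident sameuser" check could compare against the requested database user. The sample replies are constructed, not captured from the hosts in the thread; the shape assumed for an encrypting identd's reply (OS type OTHER and an opaque bracketed token in place of the login name) is an assumption about such daemons, and probe_identd is a name chosen here.

```python
"""Client-side helpers for the ident protocol (RFC 1413).

Added example for this thread; not PostgreSQL or identd code.
Reply format:  "<port-on-server> , <port-on-client> : <type> : <info>"
where <type> is USERID (followed by "<opsys> : <user-id>") or ERROR.
"""
import socket
from typing import Optional, Tuple

# Constructed sample replies (not captured from the thread's hosts).
SAMPLE_REPLIES = {
    # A plain reply: the connection from client port 40311 to server
    # port 5432 belongs to the UNIX login "pilcher".
    "userid": "5432 , 40311 : USERID : UNIX : pilcher",
    # The reply Tom got back from junk input.
    "error": "1 , 0 : ERROR : INVALID-PORT",
    # ASSUMED shape for an identd with "result:encrypt = yes": the
    # user-id field is an opaque bracketed token only the daemon's
    # operator can decode, so a relying party sees no login name.
    "encrypted": "5432 , 40311 : USERID : OTHER : [Qk9HVVNUT0tFTg==]",
}


def build_query(server_port: int, client_port: int) -> bytes:
    """Ask the remote identd which of its users owns the TCP connection
    from client_port on the querying host to server_port on its host.
    RFC 1413 puts the port on the host being asked first."""
    if not (0 < server_port < 65536 and 0 < client_port < 65536):
        raise ValueError("ports must be in 1..65535")
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def parse_reply(line: str) -> dict:
    """Split one ident reply line into its fields.
    Raises ValueError for anything that is not a well-formed reply."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 3:
        raise ValueError(f"malformed ident reply: {line!r}")
    ports, kind = parts[0], parts[1].upper()
    sport, _, cport = (x.strip() for x in ports.partition(","))
    if not (sport.isdigit() and cport.isdigit()):
        raise ValueError(f"bad port pair in reply: {ports!r}")
    reply = {"server_port": int(sport), "client_port": int(cport), "kind": kind}
    if kind == "ERROR":
        reply["error"] = parts[2]          # e.g. INVALID-PORT, NO-USER
    elif kind == "USERID":
        if len(parts) != 4:
            raise ValueError(f"USERID reply missing fields: {line!r}")
        reply["os"] = parts[2]             # e.g. UNIX, or OTHER
        reply["userid"] = parts[3]
    else:
        raise ValueError(f"unknown reply type {kind!r}")
    return reply


def usable_login(reply: dict) -> Optional[str]:
    """Return the login name a relying party could compare against the
    requested database user, or None when the reply has none: an ERROR
    reply, or an opaque bracketed token from an encrypting identd."""
    if reply["kind"] != "USERID":
        return None
    user = reply["userid"]
    if user.startswith("[") and user.endswith("]"):
        return None
    return user


def ident_sameuser_ok(reply: dict, db_user: str) -> bool:
    """The check an "ident sameuser" pg_hba.conf line amounts to:
    the login reported by identd must equal the requested database user."""
    login = usable_login(reply)
    return login is not None and login == db_user


def probe_identd(host: str = "localhost", port: int = 113,
                 timeout: float = 3.0,
                 query: Tuple[int, int] = (1, 2)) -> Tuple[str, Optional[dict]]:
    """Tom's telnet check in code. Returns ("answered", parsed_reply) when
    the daemon replies with anything parseable, including an ERROR; any
    other outcome ("refused", "timeout", "unreachable", "garbled") means
    the client never had a real conversation with an ident daemon."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_query(*query))
            data = s.recv(512).decode("ascii", "replace")
    except ConnectionRefusedError:
        return "refused", None
    except (socket.timeout, TimeoutError):
        return "timeout", None
    except OSError:
        return "unreachable", None
    try:
        return "answered", parse_reply(data)
    except ValueError:
        return "garbled", None


if __name__ == "__main__":
    for name, line in SAMPLE_REPLIES.items():
        r = parse_reply(line)
        print(f"{name:10s} login={usable_login(r)!r} "
              f"sameuser(pilcher)={ident_sameuser_ok(r, 'pilcher')}")
```

Run against a live host, probe_identd("localhost") returning "answered" with an ERROR reply is the healthy outcome Tom describes, since it proves the daemon is reachable; "refused" or "timeout" points at filtering or a daemon that is not listening. Separately, a USERID reply whose login comes back as a bracketed token is exactly the case where the daemon answers but the relying party has nothing to match, which is the situation Ian found with result:encrypt = yes.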