pg_hba.conf confusion

From: "David M. Kaplan"
Hi,

I recently experienced a weird bug with postgresql. I am running:

postgresql-7.2.1-8
postgresql-server-7.2.1-5

I was trying to connect to a database on my machine from another
machine.  Initially, my pg_hba.conf looked like:

host       all         127.0.0.1     0.0.0.0    ident    sameuser
host    all    192.168.1.2    255.255.255.128    password

where my machine is 192.168.1.1 and the client is 192.168.1.2.
Connecting using psql -h 192.168.1.1 failed stating:

FATAL 1: IDENT authentification failed for user 'me'

Then I changed the order of the lines in my configuration file:

host    all    192.168.1.2    255.255.255.128    password
host       all         127.0.0.1     0.0.0.0    ident    sameuser

Now the connection worked without problems.  In the first case, it seems
to be trying to use IDENT authentication, even though that should only
apply to localhost.

David K.

Re: pg_hba.conf confusion

From: Reinhard Max
Hi,

On Mon, 17 Jun 2002 at 20:47, David M. Kaplan wrote:

> host       all         127.0.0.1     0.0.0.0    ident    sameuser

If you want this entry to match only the loopback device, the mask has
to be 255.255.255.255 instead of 0.0.0.0. A mask of 0.0.0.0 causes
*all* IP addresses to match this line.

cu
    Reinhard

Re: pg_hba.conf confusion

From: Reinhard Max
On Tue, 18 Jun 2002 at 09:28, David M. Kaplan wrote:

> Thanks, that did fix that problem.  Now I have another one.  The line:
>
> host    all    192.168.1.2    255.255.255.128    password
>
> matches all IP addresses of the form 192.168.1.x.  If I change the mask
> to 255.255.255.255 it no longer matches all addresses.

I wasn't talking about that entry. Your mask here was correct.

> Although this fixes the problem, it seems strange to me that it
> works this way.  Basically, if mask is something other than
> 255.255.255.255, you might as well put 0's in your IP address.
> This doesn't seem to be how subnet masks normally work and it seems
> redundant to me.
>
> Is there something I don't understand?

It seems so, or I don't understand what you mean.

Let me repeat your initial configuration:

host    all    127.0.0.1      0.0.0.0            ident    sameuser
host    all    192.168.1.2    255.255.255.128    password

As the entries in pg_hba.conf are processed on a top-to-bottom,
first-match-wins basis, the first entry here catches any connection
attempt, because the 0.0.0.0 subnet mask covers the whole IPv4 address
space.

If you want an entry to match a single IP address only (e.g. the
loopback address), it has to have all bits 1 in the mask:

host    all    127.0.0.1      255.255.255.255    ident    sameuser
host    all    192.168.1.2    255.255.255.128    password

It would even work with

host    all    127.0.0.1      255.0.0.0          ident    sameuser
host    all    192.168.1.2    255.255.255.128    password

because the whole 127.0.0.0/8 network is reserved for the loopback
device. If you now connect e.g. from 192.168.1.1, PostgreSQL evaluates

(127.0.0.1 & 255.0.0.0) == (192.168.1.1 & 255.0.0.0)
 127.0.0.0              ==  192.0.0.0

... which is obviously false. For the second entry, the equation looks
like this:

(192.168.1.2 & 255.255.255.128) == (192.168.1.1 & 255.255.255.128)
 192.168.1.0                    ==  192.168.1.0

... which is true, and therefore the second entry is being used.

If now the mask in the first entry is 0.0.0.0, any IP address matches:

(127.0.0.1 & 0.0.0.0) == (192.168.1.1 & 0.0.0.0)
 0.0.0.0              ==  0.0.0.0

... and therefore the second entry is never being checked.

cu
    Reinhard

Re: pg_hba.conf confusion

From: Bruce Momjian
David M. Kaplan wrote:
> Hi,
>
> I recently experienced a weird bug with postgresql. I am running:
>
> postgresql-7.2.1-8
> postgresql-server-7.2.1-5
>
> I was trying to connect to a database on my machine from another
> machine.  Initially, my pg_hba.conf looked like:
>
> host       all         127.0.0.1     0.0.0.0    ident    sameuser
> host    all    192.168.1.2    255.255.255.128    password
>
> where my machine is 192.168.1.1 and the client is 192.168.1.2.
> Connecting using psql -h 192.168.1.1 failed stating:
>
> FATAL 1: IDENT authentification failed for user 'me'
>
> Then I changed the order of the lines in my configuration file:
>
> host    all    192.168.1.2    255.255.255.128    password
> host       all         127.0.0.1     0.0.0.0    ident    sameuser
>
> Now the connection worked without problems.  In the first case, it seems
> to be trying to use IDENT authentication, even though that should only
> apply to localhost.

ident only does socket authentication when your connection type is 'local',
not 'host'.  Even though you said 127.0.0.1, that is TCP to localhost,
not socket authentication. I think you wanted:

local   all                                      ident    sameuser
host    all    192.168.1.2    255.255.255.128    password

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 853-3000
  +  If your life is a hard drive,     |  830 Blythe Avenue
  +  Christ can be your backup.        |  Drexel Hill, Pennsylvania 19026

Re: pg_hba.conf confusion

From: "David M. Kaplan"
Thanks, that did fix that problem.  Now I have another one.  The line:

host    all    192.168.1.2    255.255.255.128    password

matches all IP addresses of the form 192.168.1.x.  If I change the mask
to 255.255.255.255 it no longer matches all addresses.  Although this
fixes the problem, it seems strange to me that it works this way.
Basically, if mask is something other than 255.255.255.255, you might
as well put 0's in your IP address.  This doesn't seem to be how subnet
masks normally work and it seems redundant to me.

Is there something I don't understand?

Thanks,
David


Reinhard Max wrote:

>Hi,
>
>On Mon, 17 Jun 2002 at 20:47, David M. Kaplan wrote:
>
>>host       all         127.0.0.1     0.0.0.0    ident    sameuser
>>
>
>If you want this entry to match only the loopback device, the mask has
>to be 255.255.255.255 instead of 0.0.0.0. A mask of 0.0.0.0 causes
>*all* IP addresses to match this line.
>
>cu
>    Reinhard
>
>

Re: pg_hba.conf confusion

From: Bruce Momjian
David M. Kaplan wrote:
> Thanks, that did fix that problem.  Now I have another one.  The line:
>
> host    all    192.168.1.2    255.255.255.128    password
>
> matches all IP addresses of the form 192.168.1.x.  If I change the mask
> to 255.255.255.255 it no longer matches all addresses.  Although this
> fixes the problem, it seems strange to me that it works this way.
> Basically, if mask is something other than 255.255.255.255, you might
> as well put 0's in your IP address.  This doesn't seem to be how subnet
> masks normally work and it seems redundant to me.
>
> Is there something I don't understand?

A netmask of  255.255.255.128 means ignore the bottom seven bits of the
address.  You are right they may as well be zero so in the case above
192.168.1.2 and 192.168.1.0 would behave the same.  Is there something
else you wanted it to do?
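As an added illustration (not code from the thread or from PostgreSQL itself), the following Python models the matching rule Reinhard and Bruce describe above: entries are walked top-to-bottom, a `host` entry matches when `(entry_addr & mask) == (client_addr & mask)`, and a `local` entry matches only Unix-socket connections. The sample configs and client addresses are constructed from the thread; `parse_hba`, `first_match` and `network_of` are this example's own names.

```python
def ip_to_int(dotted):
    """Dotted-quad IPv4 string -> 32-bit int (raises on malformed input)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def network_of(addr, mask):
    """What pg_hba.conf really compares: (addr AND mask), back in dotted form."""
    n = ip_to_int(addr) & ip_to_int(mask)
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def parse_hba(text):
    """Parse old-style 'local' and 'host DB ADDR MASK METHOD' lines; skip comments."""
    entries = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f and f[0] == "local":
            entries.append({"type": "local", "db": f[1], "method": f[2]})
        elif f and f[0] == "host":
            entries.append({"type": "host", "db": f[1], "addr": f[2],
                            "mask": f[3], "method": f[4]})
    return entries

def first_match(entries, db, client_ip=None):
    """Top-to-bottom, first match wins. client_ip=None means a Unix-socket
    ('local') connection. Returns the auth method, or None if nothing matched."""
    for e in entries:
        if e["db"] not in ("all", db):
            continue
        if client_ip is None:
            if e["type"] == "local":
                return e["method"]
        elif e["type"] == "host" and (network_of(e["addr"], e["mask"])
                                      == network_of(client_ip, e["mask"])):
            return e["method"]
    return None

# Constructed sample configs: the thread's original and a corrected version.
ORIGINAL = """
host  all 127.0.0.1   0.0.0.0         ident sameuser
host  all 192.168.1.2 255.255.255.128 password
"""
FIXED = """
local all                             ident sameuser
host  all 127.0.0.1   255.255.255.255 ident sameuser
host  all 192.168.1.2 255.255.255.128 password
"""
```

With ORIGINAL, every TCP client (including 192.168.1.2) hits the 0.0.0.0-mask line and is forced through ident; with FIXED, 192.168.1.2 gets `password`, 192.168.1.200 matches nothing because its top bit of the last octet differs, and a socket connection gets the `local` line.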