Thread: ident inconsistency

ident inconsistency

From: ron.peterson@yellowbank.com

ident authentication appears to work inconsistently between debian
stable (7.2.1) and the 7.2.3 postgresql I installed from source on a Red
Hat 7.3 machine.

Debian doesn't require I run an ident server.  My pg_hba.conf contains:

local all ident sameuser

On the installation I compiled myself, that doesn't work.  Instead I
must run an ident server, and do:

host all 127.0.0.1 0.0.0.0 ident sameuser

(Additionally, the RH7.3 pidentd RPM returns an encrypted response by
default.  That needs to be turned off by editing /etc/pidentd.conf)

I know that at one time debian provided a 'peer' authentication
mechanism.  I thought that had been absorbed in the main distribution,
and renamed 'ident' to prevent confusion.

Personally, I prefer debian's operation.  The only reason I'd use ident
authentication would be to authenticate on the local machine - in which
case running an ident server and connecting via localhost should be
unnecessary, no?

In any case, I think it would be nice if the config files worked in a
consistent fashion - either by adopting a single unified approach, or by
re-introducing the 'peer' keyword.

--
Ron Peterson                   -o)
87 Taylor Street               /\\
Granby, MA  01033             _\_v
https://www.yellowbank.com/   ----

Re: ident inconsistency

From: Oliver Elphick

On Thu, 2003-01-02 at 18:28, ron.peterson@yellowbank.com wrote:
> ident authentication appears to work inconsistently between debian
> stable (7.2.1) and the 7.2.3 postgresql I installed from source on a Red
> Hat 7.3 machine.
>
> Debian doesn't require I run an ident server.  My pg_hba.conf contains:
>
> local all ident sameuser
>
> On the installation I compiled myself, that doesn't work.  Instead I
> must run an ident server, and do:
>
> host all 127.0.0.1 0.0.0.0 ident sameuser

I suspect the difference arises in the way you are connecting.

Ident authentication for local connections is not the same as ident
authentication for a TCP/IP connection.  They do the same jobs but in
different ways (which is why I called local authentication 'peer' when I
first wrote it for Debian.)

local authentication does not use an ident server at all.  It gets its
information from the Unix socket; so you are actually talking about two
completely different things.  If you need a host line to connect, you
must be doing a TCP/IP connection to localhost.  If the connection is
attempted with no host at all, it should use a local Unix socket
connection, and then `local all ident sameuser' should work.

If you are trying a local connection with ident sameuser on your
locally-compiled version and that does not work, the likely cause is
that at build time the system thought that Unix sockets could not
support the passing of credentials.  The relevant macro is SO_PEERCRED,
which in my (Debian) system is defined in /usr/include/asm/socket.h.
But it doesn't seem very likely that this should be wrong.

--
Oliver Elphick                                Oliver.Elphick@lfix.co.uk
Isle of Wight, UK                             http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
                 ========================================
     "I love them that love me; and those that seek me early
      shall find me."                Proverbs 8:17