Thread: IDENT and pg_hda.conf

IDENT and pg_hda.conf

From
Susemail
Date:
Is this good advice?

IDENT Authentication failed for user "postgres"

This error has everything to do with the way distros set up access rights for
postgres. They are way too restrictive and leave you wondering what to do
next.

Do yourself a favour and change authentication type in pg_hba.conf to

 local           all              trust

until you have figured out what all this stuff in pg_hba.conf does. Read about
the different authentication settings and change them as you see fit. It is
all described in detail in pg_hba.conf

In any case I don't have a pg_hba.conf file:

:~> locate pg_hba.conf
/usr/share/postgresql/pg_hba.conf.sample
:~>

Should I have one?  If I should, where does it belong?
Thanks,
Jerome


Re: IDENT and pg_hda.conf

From
Paul Thomas
Date:
On 30/01/2004 09:39 Susemail wrote:

> [snip]
> In any case I don't have a pg_hba.conf file:

You should have, unless you haven't done an initdb...

>
> :~> locate pg_hba.conf
> /usr/share/postgresql/pg_hba.conf.sample
> :~>
>
> Should I have one?  If I should, where does it belong?

It's in PostgreSQL's data dir. Obviously this may differ from distro to
distro. Probably what is happening is that you are running locate as a regular
user, which won't have read access to that directory (it's owned by user
postgres).

--
Paul Thomas
+------------------------------+---------------------------------------------+
| Thomas Micro Systems Limited | Software Solutions for the Smaller Business |
| Computer Consultants         | http://www.thomas-micro-systems-ltd.co.uk   |
+------------------------------+---------------------------------------------+

Re: IDENT and pg_hda.conf

From
Bruno Wolff III
Date:
On Thu, Jan 29, 2004 at 23:39:23 -1000,
  Susemail <susemail@hawaii.rr.com> wrote:
> Is this good advice?
>
> IDENT Authentication failed for user "postgres"
>
> This error has everything to do with the way distros set up access rights for
> postgres. They are way too restrictive and leave you wondering what to do
> next.
>
> Do yourself a favour and change authentication type in pg_hba.conf to
>
>  local           all              trust
>
> until you have figured out what all this stuff in pg_hba.conf does. Read about
> the different authentication settings and change them as you see fit. It is
> all described in detail in pg_hba.conf

If only trusted users have access to the server, this is a reasonable way
to start off while learning things. Generally using ident for local access
is the way to go unless you are using an OS where it doesn't work.

Re: IDENT and pg_hda.conf

From
Jerome Lyles
Date:
On Friday 30 January 2004 01:37 am, Paul Thomas wrote:
> On 30/01/2004 09:39 Susemail wrote:
> > [snip]
> > In any case I don't have a pg_hba.conf file:
>
> You should have, unless you haven't done an initdb...
>
True, I hadn't done an initdb:

postgres@linux:/home/adriel> /usr/bin/initdb -D /usr/local/pgsql/data
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale en_US.

fixing permissions on existing directory /usr/local/pgsql/data... ok
creating directory /usr/local/pgsql/data/base... ok
creating directory /usr/local/pgsql/data/global... ok
creating directory /usr/local/pgsql/data/pg_xlog... ok
creating directory /usr/local/pgsql/data/pg_clog... ok
selecting default max_connections... 100
selecting default shared_buffers... 1000
creating configuration files... ok
creating template1 database in /usr/local/pgsql/data/base/1... ok
initializing pg_shadow... ok
enabling unlimited row size for system tables... ok
initializing pg_depend... ok
creating system views... ok
loading pg_description... ok
creating conversions... ok
setting privileges on built-in objects... ok
creating information schema... ok
vacuuming database template1... ok
copying template1 to template0... ok

Success. You can now start the database server using:

Still not able to authenticate:

postgres@linux:/home/adriel> /usr/bin/postmaster -D /usr/local/pgsql/data
LOG:  database system was shut down at 2004-01-30 08:47:05 HST
LOG:  checkpoint record is at 0/9B1058
LOG:  redo record is at 0/9B1058; undo record is at 0/0; shutdown TRUE
LOG:  next transaction ID: 534; next OID: 17142
LOG:  database system is ready
FATAL:  IDENT authentication failed for user "adriel"
FATAL:  IDENT authentication failed for user "adriel"
FATAL:  IDENT authentication failed for user "postgres"
FATAL:  IDENT authentication failed for user "postgres"

My pg_hba.conf file configuration:  Is it correct?

# TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD

local   all         all                                             trust
# IPv4-style local connections:
#host    all         all         127.0.0.1         255.255.255.255   trust
# IPv6-style local connections:
#host    all         all         ::1               ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff        trust
#local    all         all                                            ident sameuser

This is my user list:

:~> psql -l
        List of databases
   Name    |  Owner   | Encoding
-----------+----------+-----------
 mydb      | postgres | SQL_ASCII
 mydb1     | adriel   | SQL_ASCII
 mydb2     | postgres | SQL_ASCII
 template0 | postgres | SQL_ASCII
 template1 | postgres | SQL_ASCII
 test      | postgres | SQL_ASCII
(6 rows)


So...what am I still doing wrong?
Thanks,
Jerome



Re: IDENT and pg_hda.conf

From
"Gregory S. Williamson"
Date:
Not sure if I am following your current difficulty, but if you want users on another server to connect you'll need to
make sure your postmaster was started with the "-i" option (to allow TCP/IP connections) and edit the pg_hba.conf file to
add the user name, db, IP address and sub mask, for example:

host    all         all         12.4.12.0       255.255.255.0   trust

This line will let anybody from our 12.4.12 network connect to this instance of postgres, to any database.

You'll need to restart postgres after changing the file to make it see the changes.

HTH,

Greg Williamson
DBA
GlobeXplorer LLC


Re: IDENT and pg_hda.conf

From
listas@lozano.eti.br
Date:
Hi,

> host    all         all         12.4.12.0       255.255.255.0   trust

This looks to me like a bad idea. Anyone will be able to connect as any user they
wish without providing a password. Better change "trust" to "md5" and assign a
password to the user (alter user password 'secret')

[]s, Fernando Lozano
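
The concern raised in this reply, as an added example that is not part of the original thread: a small Python audit that parses pg_hba.conf in the column layout posted above and lists every active `trust` rule with the scope it opens. The sample file and the function names are constructed for illustration; the separate-mask column is handled for IPv4 only.

```python
import ipaddress

# Constructed sample in the thread's column layout:
# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD
SAMPLE_HBA = """\
# TYPE  DATABASE    USER        IP-ADDRESS        IP-MASK           METHOD
local   all         all                                             trust
#host   all         all         127.0.0.1         255.255.255.255   trust
host    all         all         12.4.12.0         255.255.255.0     trust
host    all         all         127.0.0.1         255.255.255.255   md5
local   all         all                                             ident sameuser
"""

def parse_hba(text):
    """Yield (lineno, type, database, user, network_or_None, method)."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if not fields:
            continue
        conn_type, database, user, rest = fields[0], fields[1], fields[2], fields[3:]
        network = None
        if conn_type != "local":
            if "/" in rest[0]:                  # CIDR form: address/length
                network = ipaddress.ip_network(rest[0], strict=False)
                rest = rest[1:]
            else:                               # address plus separate mask (IPv4)
                network = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)
                rest = rest[2:]
        yield lineno, conn_type, database, user, network, rest[0]

def audit_trust(text):
    """Return (lineno, type, scope) for every active rule whose method is trust."""
    findings = []
    for lineno, conn_type, _db, _user, network, method in parse_hba(text):
        if method != "trust":
            continue
        if network is None:
            scope = "any local OS account"
        else:
            scope = f"{network.num_addresses} address(es) in {network}"
        findings.append((lineno, conn_type, scope))
    return findings

if __name__ == "__main__":
    for lineno, conn_type, scope in audit_trust(SAMPLE_HBA):
        print(f"line {lineno}: {conn_type} rule uses trust, no password for {scope}")
```

Run it against the file the running server actually reads; as the thread shows, a second pg_hba.conf in another data directory is easy to audit by mistake.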

Re: IDENT and pg_hda.conf[SOLVED]

From
Jerome Lyles
Date:
On Friday 30 January 2004 10:23 am, Jerome Lyles wrote:
> On Friday 30 January 2004 01:37 am, Paul Thomas wrote:
> > On 30/01/2004 09:39 Susemail wrote:
> > > [snip]
> > > In any case I don't have a pg_hba.conf file:
> >
> > You should have, unless you haven't done an initdb...
>
> True, I hadn't done an initdb:
>

>
> Still not able to authenticate:
>
> FATAL:  IDENT authentication failed for user "adriel"
> FATAL:  IDENT authentication failed for user "postgres"
>
The problem turned out to be two copies of pg_hba.  One in
"/usr/local/pgsql/data/pg_hba.conf" the other in
"/var/lib/pgsql/data/pg_hba.conf"
"/var/lib/pgsql/data/pg_hba.conf" is in the Root Directory of postgres on my
system so that's the one the system was using.  I thought the system was
using the other one: "/usr/local/pgsql/data/pg_hba.conf", the only one I knew
about.
Thank you for helping me figure it out,
Jerome


Re: IDENT and pg_hda.conf

From
Jerome Lyles
Date:
On Friday 30 January 2004 02:11 pm, Paul Thomas wrote:
> On 30/01/2004 20:23 Jerome Lyles wrote:
> > On Friday 30 January 2004 01:37 am, Paul Thomas wrote:
> > > On 30/01/2004 09:39 Susemail wrote:
> > > > [snip]
> > > > In any case I don't have a pg_hba.conf file:
> > >
> > > You should have, unless you haven't done an initdb...
> >
> > True, I hadn't done an initdb:

> > So...what am I still doing wrong?
> > Thanks,
> > Jerome
>
> You've got me really confused here. If you hadn't done an initdb and
> couldn't connect to the postmaster how come you managed to create several
> databases?

I did solve the problem, turns out there were two copies of pg_hba.conf.
As to how this was possible I don't know.  If I did it earlier whatever I did
left "/usr/local/pgsql/data/" empty.


Re: IDENT and pg_hda.conf

From
"Gregory S. Williamson"
Date:
True enough in the "real" world ... this is taken from a very "hidden" server used for testing ideas ... not anything
exposed to the world.

GSW


Re: IDENT and pg_hda.conf

From
listas@lozano.eti.br
Date:
Hi,

> > host    all         all         12.4.12.0       255.255.255.0   trust
>
> This looks to me a bad idea. Anyone will be able to connect as any user they
> wish without providing a password.
>
> True enough in the "real" world ... this is taken from a very "hidden" server
> used for testing ideas ... not anything exposed to the world.

You mean an isolated testing environment, right? :-) Remember most successful
attacks come from insiders, not outsiders, of the company.

[]s, Fernando Lozano