Thread: Question on ident authorization

Question on ident authorization

From
Kenny H Klatt
Date:
Hello: Not sure of where to post this, it's not a bug, more of an 
application note.  Using Linux and iptables as a firewall, requests for 
services are redirected to the machines providing those services, including
Postgres.  This approach has been in place for over a year, and includes
Oracle, Postgres, and Apache web services.  It is not without its issues,
and security is greatly enhanced.  On a separate machine behind the 
firewall, the Postgres 7.2.1 release was installed for testing and migration.
       Initial testing worked well.  When it was decided to have applications 
normally directed at production try the development instance, ident 
authentication failed.   All other tests passed, including hostssl 
connections.  When the firewall redirects traffic to its intended service
provider using the same port Postgres is using, ident works.  When the 
ports are not the same, ident authentication fails.  User/password and hostssl 
connections continue to work though.
I do not know the interchange of communication traffic when
ident authentication is used, and Postgres is the only service currently 
in use that provides ident authentication.  Would anyone know if the ports
need to be identical for ident to function, or is it a definition of how
ident works for Postgres?

Ken Klatt


Re: Question on ident authorization

From
Peter Eisentraut
Date:
Kenny H Klatt writes:

>         Initial testing worked well.  When it was decided to have applications
> normally directed at production try the development instance, ident
> authentication failed.   All other tests passed, including hostssl
> connections.  When the firewall redirects traffic to its intended service
> provider using the same port Postgres is using, ident works.  When the
> ports are not the same, ident authentication fails.  User/password and hostssl
> connections continue to work though.

I can't quite picture your setup, but two points:  One, the PostgreSQL
server attempts ident authentication over TCP port 113.  If there's no
ident server on that port on the client side then authentication fails.
Two, if your firewall is redirecting ident traffic to a dedicated service
provider host, then have it stop doing that because that's not how ident
is supposed to work (or you will have to put in a lot of extra effort to
make it work).

-- 
Peter Eisentraut   peter_e@gmx.net
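The exchange behind Peter's first point, written out as an added example that is not part of either post and not PostgreSQL's own code. The PostgreSQL server opens a TCP connection to port 113 on the host it sees the client connection coming from and sends one line in the RFC 1413 format `<client's source port>,<postmaster's listening port>`; the identd on the client host looks that port pair up in its own kernel connection table and answers either `USERID` with the owning user or `ERROR : NO-USER`. The example models both sides as plain functions (no real sockets) so it runs offline; the connection table, the user name `ken`, and the port numbers 40000, 5432 and 5433 are constructed for illustration. The second case shows why a firewall redirect onto a different port fails: the client host only knows the port it dialed (the firewall's), not the port the postmaster is really listening on, so the pair the server asks about does not exist there.

```python
"""RFC 1413 (ident) exchange as a PostgreSQL server performs it, and why a
firewall port redirect breaks it.  Constructed example: the connection table,
user name and port numbers below are made up, not captured from a real host."""

IDENT_PORT = 113  # identd listens here on the *client* host; the DB server connects to it


def build_query(port_on_client_host, port_on_pg_server):
    """The request line the PostgreSQL server sends to identd.

    RFC 1413 order is <port on the identd host>,<port on the querying host>,
    i.e. the client's source port first, then the port the postmaster listens on.
    """
    return f"{port_on_client_host},{port_on_pg_server}\r\n"


def identd_answer(conn_table, request_line):
    """What an identd on the client host replies to one request line.

    conn_table maps (local_port, remote_port) of that host's established TCP
    connections to the owning user; a real identd gets this from the kernel.
    """
    try:
        a, b = (int(x) for x in request_line.strip().split(","))
    except ValueError:
        return "0,0:ERROR:INVALID-PORT\r\n"
    if not (1 <= a <= 65535 and 1 <= b <= 65535):
        return f"{a},{b}:ERROR:INVALID-PORT\r\n"
    user = conn_table.get((a, b))
    if user is None:
        # No connection with that exact port pair on this host.
        return f"{a},{b}:ERROR:NO-USER\r\n"
    return f"{a},{b}:USERID:UNIX:{user}\r\n"


def parse_reply(reply_line):
    """Return (user, None) on a USERID reply, or (None, error_kind) otherwise."""
    fields = [f.strip() for f in reply_line.strip().split(":", 3)]
    if len(fields) < 3:
        return None, "MALFORMED"
    if fields[1] == "USERID" and len(fields) == 4:
        return fields[3], None
    return None, fields[2]


def client_connection_table(client_src_port, port_the_client_dialed, user):
    """The client host's view of its own connection: it knows the port it
    connected TO (after a DNAT redirect, the firewall's port), never the
    port the postmaster really listens on behind the firewall."""
    return {(client_src_port, port_the_client_dialed): user}


def pg_ident_auth(client_conn_table, client_src_port, pg_listen_port, claimed_user):
    """One ident authentication attempt as seen from the PostgreSQL server:
    send the query, read the reply, compare with the user the client claims."""
    query = build_query(client_src_port, pg_listen_port)   # server -> identd
    reply = identd_answer(client_conn_table, query)         # identd -> server
    user, err = parse_reply(reply)
    return {"query": query, "reply": reply, "ok": user == claimed_user, "error": err}


if __name__ == "__main__":
    # Case 1: firewall forwards port 5432 to port 5432 on the database host.
    same = pg_ident_auth(client_connection_table(40000, 5432, "ken"), 40000, 5432, "ken")
    print("same port     :", same["query"].strip(), "->", same["reply"].strip(), "ok =", same["ok"])

    # Case 2: firewall forwards its port 5433 to port 5432 on the database host.
    # The server asks about (40000, 5432); the client host only has (40000, 5433).
    diff = pg_ident_auth(client_connection_table(40000, 5433, "ken"), 40000, 5432, "ken")
    print("redirected    :", diff["query"].strip(), "->", diff["reply"].strip(), "ok =", diff["ok"])
```

Two practical consequences follow from the message format alone. First, the ident query is addressed to whatever source IP the database server sees on the client connection, so if the firewall also rewrites the source address (SNAT or masquerading), the query goes to the firewall rather than to the client host, which is the situation Peter's second point warns against. Second, even with addresses intact, a DNAT that changes the destination port produces the `NO-USER` answer above, which matches the behaviour Ken describes: ident works only when the redirected port equals the port the postmaster listens on.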