Thread: I dont understand host connections

I dont understand host connections

From
Thad Humphries
Date:
I am trying a host connection but to no avail.  In postgresql.conf I
have tcpip_socket = true and port = 5432.  In pq_hda.conf I have

host     all      0.0.0.0     0.0.0.0      md5       optix.conf

with two users in optix.conf.  Efforts to log in fail:

$ psql -U thad optix
psql: FATAL 1:  No pg_hba.conf entry for host localhost, user thad,
database optix

But if I put

local      all                             md5      optix.conf

in pg_hda.conf and restart PostgreSQL, I'm prompted for a password and
can log in.

I'm running PostgreSQL 7.2.2. on an RedHat 6.2 machine.
--
------------------------------------------------------------------------
Thad Humphries              "...no religious test shall ever be required
Web Development Manager      as a qualification to any office or public
Phone: 540/675-3015, x225    trust under the United States." -Article VI


Re: I dont understand host connections

From
ghaverla@freenet.edmonton.ab.ca
Date:
On 7 Oct 2002, Thad Humphries wrote:

> I am trying a host connection but to no avail.  In postgresql.conf I
> have tcpip_socket = true and port = 5432.  In pq_hda.conf I have
>
> host     all      0.0.0.0     0.0.0.0      md5       optix.conf

> local      all                             md5      optix.conf
>
> in pg_hda.conf and restart PostgreSQL, I'm prompted for a password and
> can log in.

First off, you have a typo.  The file is pg_hba.conf (PostGresql_
HostBasedAccess.CONFiguration).  But I think you really are using
the right file.

(What follows is how I justify this stuff to myself, and may
not be literally correct.)

It is not unusual to have multiple entries in pg_hba.conf.  Like
a lot of other access configuration files (say /etc/hosts.allow),
postgres traverses the rules in order, looking for a match.  I
believe the default for falling off the end of the rules without
a match is to reject the connection.

Now, the "local" connection is used to indicate connections
to postgres over UNIX sockets, not over a TCP/IP connection.
It is basically the safest connection type, as the calling
user/process must be local.

Every machine with an IP stack is going to have 127.0.0.1
set up as a local TCP/IP connection.  If, in addition you
are on a LAN, you may also have a local IP (or multiple
IPs) which correspond to the various interfaces on the
machine.  So, a local entry may in fact be composed of
something like:

local  all                                md5  password_file
host   all  127.0.0.1   255.255.255.255   md5  password_file
host   all  192.168.0.1 255.255.255.255   md5  password_file

So, local processes have an option of connecting by UNIX sockets,
connections to localhost and connections to the IP of one of
the NIC interfaces (here assumed to be 192.168.0.1).

After you have listed your local connections, you may want to
go on to specify non-local connections.  Such as accepting
connections from other machines on your LAN, or ignoring
requests from some troublesome machine that tries to connect
(and you aren't blocking by firewall).

You may want to put an explicit reject last.

host  all  0.0.0.0  0.0.0.0  reject

I hope the above is close to being literally correct and useful.

Gord