Thread: authentication question

authentication question

From: Cath Lawrence

Hi,

Not sure if this is a novice or a PHP question; so I sent it to both.

Anyway, I can't seem to deny access to my database through the web
server/PHP connection...

In my  pg_hba.conf, at the top, before getting to the real databases, I
have:
   # temporary, cath testing access on example
  local   temp     all                          reject
  host    temp     all           127.0.0.1       255.255.255.255  reject
  host    temp  all        0.0.0.0         255.255.255.255  reject

Command line psql won't let me connect to temp -  so far so good.
But when I use PHP's pg_connect with host, dbname, username, password
specified, it lets me through. It does fail non-users or bad passwords
- but all existing postgresql users seem to be able to make the
connection regardless.

What have I missed? Ultimately, I am trying to set this up so only
specific known users can connect to my database from particular hosts.

thanks for any help,
regards
Cath
Cath Lawrence,                       Cath.Lawrence@anu.edu.au
Senior Scientific Programmer,  Centre for Bioinformation Science,
John Curtin School of Medical Research (room 4088)
Australian National University,  Canberra ACT 0200
ph: (02) 61257959   mobile: 0421-902694   fax: (02) 61252595


Re: [PHP] authentication question

From: Robby Russell

Cath Lawrence wrote:

> Hi,
>
> Not sure if this is a novice or a PHP question; so I sent it to both.
>
> Anyway, I can't seem to deny access to my database through the web
> server/PHP connection...
>
> In my  pg_hba.conf, at the top, before getting to the real databases,
> I have:
>   # temporary, cath testing access on example
>  local   temp     all                          reject
>  host    temp     all           127.0.0.1       255.255.255.255  reject
>  host    temp  all        0.0.0.0         255.255.255.255  reject
>
> Command line psql won't let me connect to temp -  so far so good.
> But when I use PHP's pg_connect with host, dbname, username, password
> specified, it lets me through. It does fail non-users or bad passwords
> - but all existing postgresql users seem to be able to make the
> connection regardless.
>
> What have I missed? Ultimately, I am trying to set this up so only
> specific known users can connect to my database from particular hosts.


Cath,

I'm not sure if this will help you or not, but try adding this to the
bottom (seen this as a common practice)

# reject all connections from all hosts not granted above
host    all             0.0.0.0       0.0.0.0      reject

-Robby

--

Robby Russell,  Sr. Administrator / Lead Programmer
Command Prompt, Inc.
rrussell@commandprompt.com
http://www.commandprompt.com (503) 222.2783





Re: [PHP] authentication question

From: Tom Lane

Robby Russell <rrussell@commandprompt.com> writes:
> I'm not sure if this will help you or not, but try adding this to the
> bottom (seen this as a common practice)

> # reject all connections from all hosts not granted above
> host    all             0.0.0.0       0.0.0.0      reject

This is unnecessary --- if the postmaster falls off the end of the file
without a match, it defaults to "reject".  Nothing wrong with having
such a line for documentation purposes, but it shouldn't change the
behavior one bit.

My guess about Cath's original problem is that the lines she showed us
only controlled attempted connections to the "temp" database ... not to
any other database.  If she had more lines later in the file, those
would be consulted for any connection to a database not named "temp".

Another common mistake (been burnt this way more than once) is to forget
to SIGHUP the postmaster (eg, pg_ctl reload) after editing the config
file.  You can get *really* confused if you are trying different things
and sometimes you remember to SIGHUP and sometimes you don't.

            regards, tom lane
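
The matching behaviour discussed in this thread (records are tried top to bottom, the first match decides, and falling off the end means "reject") can be traced with a small model. This is an added example, not part of any message above or of PostgreSQL itself; it handles only the address + mask record format quoted in the thread, and the fourth rule and all client addresses are constructed for illustration.

```python
import ipaddress

# Rules 1-3 are the ones quoted in the thread. Rule 4 is a hypothetical
# "later line in the file", constructed for this example.
SAMPLE_HBA = """
local   temp   all                                   reject
host    temp   all   127.0.0.1    255.255.255.255    reject
host    temp   all   0.0.0.0      255.255.255.255    reject
host    all    all   192.168.0.0  255.255.0.0        md5
"""

def parse(text):
    """Parse 'local db user method' and 'host db user addr mask method' lines."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":
            rules.append(("local", f[1], f[2], None, None, f[3]))
        else:
            addr = int(ipaddress.IPv4Address(f[3]))
            mask = int(ipaddress.IPv4Address(f[4]))
            rules.append(("host", f[1], f[2], addr, mask, f[5]))
    return rules

def decide(rules, conn_type, database, user, client_ip=None):
    """Return (method, rule_number) for the first matching rule."""
    for n, (rtype, db, usr, addr, mask, method) in enumerate(rules, 1):
        if rtype != conn_type:
            continue
        if db not in ("all", database) or usr not in ("all", user):
            continue
        if rtype == "host":
            ip = int(ipaddress.IPv4Address(client_ip))
            # A record matches only if the masked addresses are equal, so a
            # mask of 255.255.255.255 matches exactly one client address.
            if ip & mask != addr & mask:
                continue
        return method, n
    return "reject", None  # no record matched: implicit reject

if __name__ == "__main__":
    rules = parse(SAMPLE_HBA)
    for ip in ("127.0.0.1", "192.168.1.20", "10.0.0.5"):
        print(ip, decide(rules, "host", "temp", "cath", ip))
```

Running it shows which record decides each connection attempt to "temp": a TCP client at 192.168.1.20 skips rules 2 and 3, because their 255.255.255.255 masks match only 127.0.0.1 and 0.0.0.0 respectively, and is handled by the later md5 record.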