Questions from a Newbie

From: John Gardner
Hi everyone!

I really am a newbie to Postgres, and I have a few questions... mainly
security orientated, which I'm hoping I can get a definitive answer on.

1) listen_addresses in postgresql.sql - The documentation states that;

"...The value takes the form of a comma-separated list of host names
and/or numeric IP addresses. The special entry * corresponds to all
available IP interfaces. If the list is empty, the server does not
listen on any IP interface at all, in which case only Unix-domain
sockets can be used to connect to it. The default value is localhost,
which allows only local "loopback" connections to be made. This
parameter can only be set at server start."

I'd like to be able to allow all users on a particular subnet to connect
to the server using PGAdminIII and originally set the variable to:

listen_addresses = 'localhost, 192.168.1.*'

This didn't allow the server to start, so I assume this is incorrect.
Is there any way that this can be done?

2) How do you set the default 'postgres' Login Role to have a password?
I did what I thought was the correct way in PgAdmin to assign it a
password, and the resultant code in the SQL pane does seem like it has an
MD5 password assigned to it, but our security scanning software still
assures me that, "Your PostgreSQL database is not password protected.
We could log in as the user 'postgres'."

Any help on either or both questions would be greatly appreciated!

Thanks

John

Re: Questions from a Newbie

From: Richard Broersma Jr
--- John Gardner <john.gardner@tagish.co.uk> wrote:
> 1) listen_addresses in postgresql.sql - The documentation states that;
>
> "...The value takes the form of a comma-separated list of host names
> and/or numeric IP addresses. The special entry * corresponds to all
> available IP interfaces. If the list is empty, the server does not
> listen on any IP interface at all, in which case only Unix-domain
> sockets can be used to connect to it. The default value is localhost,
> which allows only local "loopback" connections to be made. This
> parameter can only be set at server start."

I am not really sure about the full use of the listen_addresses variable in the postgresql.conf
file.  I just leave it as *.  The pg_hba.conf file is what I use to specify the security that I
want.  It gives you the ability to specify exactly who can connect and how the connections will be
authenticated.

This link describes the conf file and its use:
http://www.postgresql.org/docs/8.2/interactive/auth-pg-hba-conf.html

> 2) How do you set the default 'postgres' Login Role to have a password?
>  I did what I thought was the correct way in PgAdmin to assign it a
> password, and resultant code in the SQL pane does seem like it has an
> MD5 password assigned to it, but our security scanning software still
> assures me that, "Your PostgreSQL database is not password protected.
> We could log in as the user 'postgres'."
>

The ability to log in as user postgres is also dictated by the settings in the pg_hba.conf.  If
you change the settings, you will probably get the effect that you want.

Regards,
Richard Broersma Jr.

Re: Questions from a Newbie

From: Shane Ambler
John Gardner wrote:
> Hi everyone!
>
> I really am a newbie to Postgres, and I have few questions... mainly
> security orientated, which I'm hoping I can get a definitive answer on.
>
> 1) listen_addresses in postgresql.sql - The documentation states that;
>
> "...The value takes the form of a comma-separated list of host names
> and/or numeric IP addresses. The special entry * corresponds to all
> available IP interfaces. If the list is empty, the server does not
> listen on any IP interface at all, in which case only Unix-domain
> sockets can be used to connect to it. The default value is localhost,
> which allows only local "loopback" connections to be made. This
> parameter can only be set at server start."
>
> I'd like to be able to allow all users on a particular subnet to connect
> to the server using PGAdminIII and originally set the variable to:
>
> listen_addresses = 'localhost, 192.168.1.*'

Listen address is the ip address of the server. Entering * means it will
listen on any and all ip addresses assigned to all network interfaces on
the server. Unless you have multiple network cards, * or localhost
will be fine; otherwise you want the ip address of the machine running
postgresql, e.g. 192.168.1.250

The security setting you are interested in is located in the pg_hba.conf
file - this file determines who is allowed to connect to postgresql and
from what machines. You will most likely want a line like -
host all all 192.168.1.0/24 md5

The file itself contains enough info or you can read it in the docs.

> This didn't allow the server to start, so I assume this is incorrect.
> Is there any way that this can be done?
>
> 2) How do you set the default 'postgres' Login Role to have a password?
>  I did what I thought was the correct way in PgAdmin to assign it a
> password, and resultant code in the SQL pane does seem like it has an
> MD5 password assigned to it, but our security scanning software still
> assures me that, "Your PostgreSQL database is not password protected.
> We could log in as the user 'postgres'."
>

You may have an entry in pg_hba.conf that allows non-password logins.
From the above example I gave, the md5 at the end means the client can
use md5 password encryption to log in - if this is set to trust then a
password is not required. This may be on the line with 127.0.0.1

--

Shane Ambler
pgSQL@Sheeky.Biz

Get Sheeky @ http://Sheeky.Biz
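The two replies above both come down to the same mechanism: listen_addresses decides which of the server's own interfaces PostgreSQL binds to, and pg_hba.conf decides, record by record and first match wins, how each client is authenticated. The following is an added example, not code from the thread or from the PostgreSQL project: a simplified stand-alone model of that pg_hba.conf walk, fed two constructed files. The first has the default-style `trust` entries for the Unix socket and 127.0.0.1 plus the `host all all 192.168.1.0/24 md5` line Shane suggests; the second switches the loopback entries to md5. It shows why a scanner running on the server itself can log in as `postgres` with no password even though the role has an MD5 password set. The parser only handles `local` and `host` records, `all` or comma-separated names, and CIDR addresses; `hostssl`, `+group` names, `sameuser`, hostnames and the separate netmask column are deliberately left out.

```python
"""Simplified model of PostgreSQL's pg_hba.conf matching (added example).

Assumptions (not from the thread): only 'local' and 'host' record types,
database/user fields given as 'all' or comma-separated names, and addresses
in CIDR notation. The real server supports more record types and forms.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HbaRecord:
    conn_type: str                  # 'local' (Unix socket) or 'host' (TCP)
    databases: List[str]            # ['all'] or explicit database names
    users: List[str]                # ['all'] or explicit role names
    network: Optional[ipaddress.IPv4Network | ipaddress.IPv6Network]  # None for 'local'
    method: str                     # 'trust', 'md5', 'reject', ...


def parse_hba(text: str) -> List[HbaRecord]:
    """Parse pg_hba.conf records in file order, skipping comments and blanks."""
    records: List[HbaRecord] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == 'local' and len(fields) >= 4:
            records.append(HbaRecord('local', fields[1].split(','),
                                     fields[2].split(','), None, fields[3]))
        elif fields[0] == 'host' and len(fields) >= 5:
            net = ipaddress.ip_network(fields[3], strict=False)
            records.append(HbaRecord('host', fields[1].split(','),
                                     fields[2].split(','), net, fields[4]))
        else:
            raise ValueError(f'unsupported or malformed record: {raw!r}')
    return records


def _matches(field: List[str], name: str) -> bool:
    return 'all' in field or name in field


def auth_method(records: List[HbaRecord], database: str, user: str,
                client_ip: Optional[str] = None) -> str:
    """Return the method of the first matching record, or 'reject' if none.

    client_ip=None models a Unix-domain socket connection, which only
    'local' records can match. PostgreSQL stops at the first match, so
    the order of lines in the file is itself security-relevant.
    """
    for rec in records:
        if not (_matches(rec.databases, database) and _matches(rec.users, user)):
            continue
        if client_ip is None:
            if rec.conn_type == 'local':
                return rec.method
            continue
        if rec.conn_type == 'host' and ipaddress.ip_address(client_ip) in rec.network:
            return rec.method
    return 'reject'  # no matching record: the server refuses the connection


# Constructed pg_hba.conf: loopback entries left at trust, subnet line as in the thread.
WEAK_HBA = """
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    trust
host    all       all   127.0.0.1/32     trust
host    all       all   192.168.1.0/24   md5
"""

# Same file with the socket and loopback entries switched to md5.
HARDENED_HBA = """
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    md5
host    all       all   127.0.0.1/32     md5
host    all       all   192.168.1.0/24   md5
"""


def scanner_result(hba_text: str) -> str:
    """Method applied to a scanner on the server itself connecting as 'postgres'."""
    return auth_method(parse_hba(hba_text), 'postgres', 'postgres', '127.0.0.1')


if __name__ == '__main__':
    for label, text in (('weak', WEAK_HBA), ('hardened', HARDENED_HBA)):
        recs = parse_hba(text)
        print(label, 'loopback as postgres ->', auth_method(recs, 'postgres', 'postgres', '127.0.0.1'))
        print(label, 'subnet client        ->', auth_method(recs, 'app', 'alice', '192.168.1.42'))
        print(label, 'other network        ->', auth_method(recs, 'app', 'alice', '10.0.0.5'))
```

With the weak file the loopback connection resolves to `trust`, so the password stored on the role is never consulted; with the hardened file every path to `postgres` requires the md5 password, and a client outside 192.168.1.0/24 matches no record and is refused. After editing pg_hba.conf the server has to reload its configuration for the change to take effect.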