Discussion: ident authentication over tcp
Hi all,

I'm having some trouble configuring ident authentication for TCP connections. I can get it to work fine for local connections, but I can't

Local connection:

$ psql postgres
...
postgres=>

Server Log:
Dec 9 11:06:59 mitchell postgres[27482]: [4-1] LOG: connection received: host=[local]
Dec 9 11:06:59 mitchell postgres[27482]: [5-1] LOG: connection authorized: user=koczan database=postgres
Dec 9 11:07:03 mitchell postgres[27482]: [6-1] LOG: disconnection: session time: 0:00:04.370 user=koczan database=postgres host=[local]

Remote connection to localhost:
$ psql -h localhost postgres
psql: FATAL: no pg_hba.conf entry for host "127.0.0.1", user "koczan", database "postgres", SSL off

Server log:
Dec 9 11:07:06 mitchell postgres[27494]: [4-1] LOG: connection received: host=localhost port=41434
Dec 9 11:07:06 mitchell postgres[27494]: [5-1] LOG: could not connect to Ident server at address "127.0.0.1", port 113: Connection refused
Dec 9 11:07:06 mitchell postgres[27494]: [6-1] FATAL: Ident authentication failed for user "koczan"
Dec 9 11:07:06 mitchell postgres[27495]: [4-1] LOG: connection received: host=localhost port=41435
Dec 9 11:07:06 mitchell postgres[27495]: [5-1] FATAL: no pg_hba.conf entry for host "127.0.0.1", user "koczan", database "postgres", SSL off

My pg_hba.conf file looks like this:
# TYPE   DATABASE  USER    CIDR-ADDRESS  METHOD

local    all       koczan                ident sameuser
hostssl  all       koczan  127.0.0.1/32  ident sameuser

I'm running Red Hat Enterprise 5.4, and I can't find any place where an ident server is actually running on this host. How is it working for local connections, and what might I be able to do to get it to work for localhost TCP connections?

Thanks,
Peter

Quoting Peter Koczan <pjkoczan@gmail.com>:

> Hi all,
>
> I'm having some trouble configuring ident authentication for TCP
> connections. I can get it to work fine for local connections, but I
> can't
>
> Local connection:
>
> $ psql postgres
> ...
> postgres=>
>
> Server Log:
> Dec 9 11:06:59 mitchell postgres[27482]: [4-1] LOG: connection
> received: host=[local]
> Dec 9 11:06:59 mitchell postgres[27482]: [5-1] LOG: connection
> authorized: user=koczan database=postgres
> Dec 9 11:07:03 mitchell postgres[27482]: [6-1] LOG: disconnection:
> session time: 0:00:04.370 user=koczan database=postgres host=[local]
>
> Remote connection to localhost:
> $ psql -h localhost postgres
> psql: FATAL: no pg_hba.conf entry for host "127.0.0.1", user
> "koczan", database "postgres", SSL off
>
> Server log:
> Dec 9 11:07:06 mitchell postgres[27494]: [4-1] LOG: connection
> received: host=localhost port=41434
> Dec 9 11:07:06 mitchell postgres[27494]: [5-1] LOG: could not
> connect to Ident server at address "127.0.0.1", port 113: Connection
> refused

This looks like you have no ident server running...

> Dec 9 11:07:06 mitchell postgres[27494]: [6-1] FATAL: Ident
> authentication failed for user "koczan"
> Dec 9 11:07:06 mitchell postgres[27495]: [4-1] LOG: connection
> received: host=localhost port=41435
> Dec 9 11:07:06 mitchell postgres[27495]: [5-1] FATAL: no pg_hba.conf
> entry for host "127.0.0.1", user "koczan", database "postgres", SSL
> off
>
> My pg_hba.conf file looks like this:
> # TYPE DATABASE USER CIDR-ADDRESS METHOD
>
> local all koczan ident sameuser
> hostssl all koczan 127.0.0.1/32 ident sameuser
>
> I'm running Red Hat Enterprise 5.4, and I can't find any place where
> an ident server is actually running on this host.

I guess you must install it first in recent distros, as there is not much use of ident anymore. So you have to search the packages for your OS.

Regards

Andreas

On Wed, Dec 9, 2009 at 1:25 PM, <lst_hoe02@kwsoft.de> wrote:
> This looks like you have no ident server running...
>
> I guess you must install it first in recent distros, as there is not much
> use of ident anymore. So you have to search the packages for your OS.

I found the packages. I'm still confused why local ident authentication works even without a running ident server, though. Does anyone know why that is?

Thanks,
Peter

On Wed, 2009-12-09 at 15:18 -0600, Peter Koczan wrote:
> On Wed, Dec 9, 2009 at 1:25 PM, <lst_hoe02@kwsoft.de> wrote:
> > This looks like you have no ident server running...
> >
> > I guess you must install it first in recent distros, as there is not much
> > use of ident anymore. So you have to search the packages for your OS.
>
> I found the packages. I'm still confused why local ident
> authentication works even without a running ident server, though. Does
> anyone know why that is?

Does "local" really use ident? I always assumed local-ident was just aliased to an NSS call.

Seriously, ident is dead, obsolete, and insecure tech. You are best just not using it.

Peter Koczan wrote:
> On Wed, Dec 9, 2009 at 1:25 PM, <lst_hoe02@kwsoft.de> wrote:
>> This looks like you have no ident server running...
>>
>> I guess you must install it first in recent distros, as there is not much
>> use of ident anymore. So you have to search the packages for your OS.
>
> I found the packages. I'm still confused why local ident
> authentication works even without a running ident server, though. Does
> anyone know why that is?

If by "local ident" you mean "when connecting thru unix-domain sockets" then read here:

http://www.postgresql.org/docs/current/static/auth-methods.html#AEN28519

--
Milen A. Radev

On Wed, Dec 9, 2009 at 3:29 PM, Adam Tauno Williams <awilliam@opengroupware.us> wrote:
> On Wed, 2009-12-09 at 15:18 -0600, Peter Koczan wrote:
>> I found the packages. I'm still confused why local ident
>> authentication works even without a running ident server, though. Does
>> anyone know why that is?
>
> Does "local" really use ident? I always assumed local-ident was just
> aliased to an NSS call.
>
> Seriously, ident is dead, obsolete, and insecure tech. You are best
> just not using it.

I was just considering it as one possibility for a limited purpose, and after reading up I'm going to try something else.

> If by "local ident" you mean "when connecting thru unix-domain sockets" then
> read here:
>
> http://www.postgresql.org/docs/current/static/auth-methods.html#AEN28519

Yep, that's what I meant. Thanks for the info.

Thanks again,
Peter

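
Added example, not part of the thread and not PostgreSQL's own code: on Linux a server can ask the kernel who is on the other end of a Unix-domain socket (SO_PEERCRED), which is why the `local ... ident sameuser` entry works with nothing listening on port 113, while the TCP entry needs a real ident daemon. The socket path, the function names and the `sameuser`-style comparison are illustrative assumptions.

```python
import os
import pwd
import socket
import struct
import tempfile

def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer of a connected Unix socket (Linux only)."""
    fmt = "iII"  # struct ucred: pid_t pid; uid_t uid; gid_t gid
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(fmt))
    return struct.unpack(fmt, raw)

def sameuser_ok(conn, requested_user):
    """Accept only if the peer's OS user name equals the requested database user."""
    _pid, uid, _gid = peer_credentials(conn)
    try:
        os_user = pwd.getpwuid(uid).pw_name
    except KeyError:          # uid without a passwd entry: cannot match any name
        return False, None
    return os_user == requested_user, os_user

def demo(requested_user):
    """Listen on a temporary Unix socket, connect to it, and check the client."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.sock")   # constructed path for the demo
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        conn = None
        try:
            srv.bind(path)
            srv.listen(1)
            client.connect(path)    # queued in the backlog until accept()
            conn, _ = srv.accept()
            # The kernel recorded the client's credentials at connect() time;
            # the client sends nothing and cannot forge them.
            return sameuser_ok(conn, requested_user)
        finally:
            for s in (conn, client, srv):
                if s is not None:
                    s.close()

if __name__ == "__main__":
    me = pwd.getpwuid(os.geteuid()).pw_name
    print("request as", me, "->", demo(me))
    print("request as someone-else ->", demo("someone-else"))
```

Over TCP there is no such kernel-supplied identity, so the server has to query an ident service on the client's host and trust its answer.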