Discussion: ident authentication over tcp

ident authentication over tcp

From
Peter Koczan
Date:
Hi all,

I'm having some trouble configuring ident authentication for TCP
connections. I can get it to work fine for local connections, but I
can't

Local connection:

$ psql postgres
...
postgres=>

Server Log:
Dec  9 11:06:59 mitchell postgres[27482]: [4-1] LOG:  connection
received: host=[local]
Dec  9 11:06:59 mitchell postgres[27482]: [5-1] LOG:  connection
authorized: user=koczan database=postgres
Dec  9 11:07:03 mitchell postgres[27482]: [6-1] LOG:  disconnection:
session time: 0:00:04.370 user=koczan database=postgres host=[local]

Remote connection to localhost:
$ psql -h localhost postgres
psql: FATAL:  no pg_hba.conf entry for host "127.0.0.1", user
"koczan", database "postgres", SSL off

Server log:
Dec  9 11:07:06 mitchell postgres[27494]: [4-1] LOG:  connection
received: host=localhost port=41434
Dec  9 11:07:06 mitchell postgres[27494]: [5-1] LOG:  could not
connect to Ident server at address "127.0.0.1", port 113: Connection
refused
Dec  9 11:07:06 mitchell postgres[27494]: [6-1] FATAL:  Ident
authentication failed for user "koczan"
Dec  9 11:07:06 mitchell postgres[27495]: [4-1] LOG:  connection
received: host=localhost port=41435
Dec  9 11:07:06 mitchell postgres[27495]: [5-1] FATAL:  no pg_hba.conf
entry for host "127.0.0.1", user "koczan", database "postgres", SSL
off

My pg_hba.conf file looks like this:
# TYPE  DATABASE    USER        CIDR-ADDRESS       METHOD

local   all         koczan      ident sameuser
hostssl all         koczan      127.0.0.1/32       ident sameuser

I'm running Red Hat Enterprise 5.4, and I can't find any place where
an ident server is actually running on this host.

How is it working for local connections, and what might I be able to
do to get it to work for localhost TCP connections?

Thanks,
Peter
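
An added example (not part of the original post, and not PostgreSQL's own code) that models first-match pg_hba.conf lookup over the two-line file above. It shows why the server logged two attempts: libpq's default sslmode=prefer tries SSL first, where the hostssl line matches and the Ident lookup then fails, and retries without SSL, where no line matches. The parser is an assumption that handles only the columns used in this file.

```python
import ipaddress

# pg_hba.conf as posted in the message above
PG_HBA = """\
# TYPE  DATABASE    USER        CIDR-ADDRESS       METHOD

local   all         koczan      ident sameuser
hostssl all         koczan      127.0.0.1/32       ident sameuser
"""

def parse_hba(text):
    """Parse the subset of pg_hba.conf syntax used above into rule dicts."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":          # Unix-socket rule: no address column
            kind, db, user, *method = fields
            net = None
        else:                             # host / hostssl / hostnossl
            kind, db, user, cidr, *method = fields
            net = ipaddress.ip_network(cidr)
        rules.append({"type": kind, "db": db, "user": user,
                      "net": net, "method": " ".join(method)})
    return rules

def first_match(rules, db, user, addr=None, ssl=False):
    """Return the auth method of the first matching rule, or None.

    addr=None means a Unix-domain socket connection. None corresponds to
    the server's 'no pg_hba.conf entry for host ...' rejection.
    """
    for r in rules:
        if r["type"] == "local":
            if addr is not None:
                continue
        else:
            if addr is None or ipaddress.ip_address(addr) not in r["net"]:
                continue
            if (r["type"] == "hostssl" and not ssl) or \
               (r["type"] == "hostnossl" and ssl):
                continue
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        return r["method"]
    return None

RULES = parse_hba(PG_HBA)
```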

Re: ident authentication over tcp

From
lst_hoe02@kwsoft.de
Date:
Quoting Peter Koczan <pjkoczan@gmail.com>:

> Hi all,
>
> I'm having some trouble configuring ident authentication for TCP
> connections. I can get it to work fine for local connections, but I
> can't
>
> Local connection:
>
> $ psql postgres
> ...
> postgres=>
>
> Server Log:
> Dec  9 11:06:59 mitchell postgres[27482]: [4-1] LOG:  connection
> received: host=[local]
> Dec  9 11:06:59 mitchell postgres[27482]: [5-1] LOG:  connection
> authorized: user=koczan database=postgres
> Dec  9 11:07:03 mitchell postgres[27482]: [6-1] LOG:  disconnection:
> session time: 0:00:04.370 user=koczan database=postgres host=[local]
>
> Remote connection to localhost:
> $ psql -h localhost postgres
> psql: FATAL:  no pg_hba.conf entry for host "127.0.0.1", user
> "koczan", database "postgres", SSL off
>
> Server log:
> Dec  9 11:07:06 mitchell postgres[27494]: [4-1] LOG:  connection
> received: host=localhost port=41434
> Dec  9 11:07:06 mitchell postgres[27494]: [5-1] LOG:  could not
> connect to Ident server at address "127.0.0.1", port 113: Connection
> refused

This looks like you have no ident server running...

> Dec  9 11:07:06 mitchell postgres[27494]: [6-1] FATAL:  Ident
> authentication failed for user "koczan"
> Dec  9 11:07:06 mitchell postgres[27495]: [4-1] LOG:  connection
> received: host=localhost port=41435
> Dec  9 11:07:06 mitchell postgres[27495]: [5-1] FATAL:  no pg_hba.conf
> entry for host "127.0.0.1", user "koczan", database "postgres", SSL
> off
>
> My pg_hba.conf file looks like this:
> # TYPE  DATABASE    USER        CIDR-ADDRESS       METHOD
>
> local   all         koczan      ident sameuser
> hostssl all         koczan      127.0.0.1/32       ident sameuser
>
> I'm running Red Hat Enterprise 5.4, and I can't find any place where
> an ident server is actually running on this host.

I guess you must install it first in recent distros, as there is not
much use of ident anymore. So you have to search the packages for your
OS.

Regards

Andreas


Re: ident authentication over tcp

From
Peter Koczan
Date:
On Wed, Dec 9, 2009 at 1:25 PM,  <lst_hoe02@kwsoft.de> wrote:
> This looks like you have no ident server running...
>
> I guess you must install it first in recent distros, as there is not much
> use of ident anymore. So you have to search the packages for your OS.

I found the packages. I'm still confused why local ident
authentication works even without a running ident server, though. Does
anyone know why that is?

Thanks,
Peter

Re: ident authentication over tcp

From
Adam Tauno Williams
Date:
On Wed, 2009-12-09 at 15:18 -0600, Peter Koczan wrote:
> On Wed, Dec 9, 2009 at 1:25 PM,  <lst_hoe02@kwsoft.de> wrote:
> > This looks like you have no ident server running...
> >
> > I guess you must install it first in recent distros, as there is not much
> > use of ident anymore. So you have to search the packages for your OS.
>
> I found the packages. I'm still confused why local ident
> authentication works even without a running ident server, though. Does
> anyone know why that is?

Does "local" really use ident?  I always assumed local-ident was just
aliased to an NSS call.

Seriously, ident is dead, obsolete, and insecure tech.  You are best
just not using it.


Re: ident authentication over tcp

From
"Milen A. Radev"
Date:
Peter Koczan wrote:
> On Wed, Dec 9, 2009 at 1:25 PM,  <lst_hoe02@kwsoft.de> wrote:
>> This looks like you have no ident server running...
>>
>> I guess you must install it first in recent distros, as there is not much
>> use of ident anymore. So you have to search the packages for your OS.
>
> I found the packages. I'm still confused why local ident
> authentication works even without a running ident server, though. Does
> anyone know why that is?

If by "local ident" you mean "when connecting thru unix-domain
sockets" then read here:

http://www.postgresql.org/docs/current/static/auth-methods.html#AEN28519


--
Milen A. Radev
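
An added example (not part of the thread, and not PostgreSQL's own code) of why "ident" on a Unix-domain socket needs no ident server: on Linux the server can ask the kernel for the connecting process's credentials with SO_PEERCRED, rather than querying a daemon on port 113. The function names and the socketpair() stand-in for a client connection are assumptions made for illustration; the code is Linux-specific.

```python
import pwd
import socket
import struct

def peer_credentials(sock):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket.

    SO_PEERCRED yields a struct ucred {pid_t pid; uid_t uid; gid_t gid;}
    filled in by the kernel, so the client cannot choose its contents.
    """
    fmt = "iII"
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(fmt))
    return struct.unpack(fmt, raw)

def os_user_for(uid):
    """Map a uid to an account name, or None if it has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None

def ident_sameuser(sock, requested_db_user, lookup=os_user_for):
    """Model of 'local ... ident sameuser': allow the connection only if the
    kernel-reported OS user name equals the requested database user."""
    _pid, uid, _gid = peer_credentials(sock)
    name = lookup(uid)
    return name is not None and name == requested_db_user

def demo():
    # socketpair() stands in for a client connected to the server's socket
    server_end, client_end = socket.socketpair(socket.AF_UNIX,
                                               socket.SOCK_STREAM)
    try:
        _pid, uid, _gid = peer_credentials(server_end)
        me = os_user_for(uid)
        return {
            "uid": uid,
            "os_user": me,
            "connect_as_self": me is not None and ident_sameuser(server_end, me),
            "connect_as_other": ident_sameuser(server_end, "not-" + str(me)),
        }
    finally:
        server_end.close()
        client_end.close()

if __name__ == "__main__":
    print(demo())
```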

Re: ident authentication over tcp

From
Peter Koczan
Date:
On Wed, Dec 9, 2009 at 3:29 PM, Adam Tauno Williams
<awilliam@opengroupware.us> wrote:
> On Wed, 2009-12-09 at 15:18 -0600, Peter Koczan wrote:
>> I found the packages. I'm still confused why local ident
>> authentication works even without a running ident server, though. Does
>> anyone know why that is?
>
> Does "local" really use ident?  I always assumed local-ident was just
> aliased to an NSS call.
>
> Seriously, ident is dead, obsolete, and insecure tech.  You are best
> just not using it.

I was just considering it as one possibility for a limited purpose,
and after reading up I'm going to try something else.

> If by "local ident" you mean "when connecting thru unix-domain sockets" then
> read here:
>
> http://www.postgresql.org/docs/current/static/auth-methods.html#AEN28519

Yep, that's what I meant. Thanks for the info.

Thanks again,
Peter