Обсуждение: ident auth postgres 7.4 fedora core 3
Hey Folks ->
So I just upgraded my RH 9 box to Fedora Core 3 and ident auth
stopped working. I've been thru the ident authorization process
before and have become pretty conversant w/ it, but this issue is
really strange. It seems that ident auth is only failing w/ JDBC
connections.
postgres version: postgresql-7.4.7-3.FC3.1
(includes JDBC driver jar pg74.215.jdbc3.jar)
I have the relevant line in my pg_hba.conf file:
host all all 127.0.0.1 0.0.0.0 ident sameuser
I have a user 'tod' created in postgres and I can connect using the
following command issued as (unix) user tod:
[tod@pedro ~]$ psql -h localhost -U tod cbfsrtsDev
which connects using tcp sockets and should thus exercise the above
line in the pg_hba.conf file. (I have verified this by changing host
auth to 'password' and verifying that psql asks me for a password
before letting me in.) Yes, I realize the "-U tod" is redundant.
The command works the same with or without it.
Anyway, I am using this java program for a test (which I found in a
previous thread on this list):
----------- Begin include
import java.sql.*;
import java.io.*;
public class JdbcTest {
public static void main(String[] args) throws Exception {
System.out.println(System.getProperty("user.name"));
Class.forName("org.postgresql.Driver");
String url = "jdbc:postgresql:cbfsrtsDev";
Connection db = DriverManager.getConnection(url, args[0],
args[0]);
db.close();
}
}
----------- End include
As you can see, I'm trying to connect to the same table 'cbfsrtsDev'
with the username and password set to the same thing. When I run
this, I receive:
[tod@pedro ~]$ java JdbcTest tod
----------- Begin include
tod
Exception in thread "main" org.postgresql.util.PSQLException: A
connection error has occurred: org.postgresql.util.PSQLE
xception: FATAL: IDENT authentication failed for user "tod"
at
org.postgresql.jdbc1.AbstractJdbc1Connection.openConnectionV3(AbstractJdbc1Connection.java:337)
at
org.postgresql.jdbc1.AbstractJdbc1Connection.openConnection(AbstractJdbc1Connection.java:214)
at org.postgresql.Driver.connect(Driver.java:139)
at
java.sql.DriverManager.getConnection(DriverManager.java:512)
at
java.sql.DriverManager.getConnection(DriverManager.java:171)
at JdbcTest.main(JdbcTest.java:12)
----------- End include
So, my question is this: how can I use ident auth to authenticate for
the psql terminal session but have my java program fail? I even
checked to ensure that the java process wasn't set-UIDed (it's not).
I tried the other JDBC drivers, but the results are all the same.
If anyone has any suggestions, I'd love to hear 'em.
thanks,
tod
Todd Gee <toddgee@yahoo.com> writes:
> I have the relevant line in my pg_hba.conf file:
> host all all 127.0.0.1 0.0.0.0 ident sameuser
This may or may not have anything directly to do with your complaint,
but: that all-zeroes mask is almost certainly NOT what you want.
The above line allows anyone on the internet to connect to your
database.
regards, tom lane
Todd Gee wrote:
> So I just upgraded my RH 9 box to Fedora Core 3 and ident auth
> stopped working. I've been thru the ident authorization process
> before and have become pretty conversant w/ it, but this issue is
> really strange. It seems that ident auth is only failing w/ JDBC
> connections.
Since 1.4.2 (I believe), Java uses IPv6 by default. When a connection
is made to an IPv4 address, it actually makes an IPv6 connection to an
"IPv4-mapped address". So when you request a connection to 127.0.0.1,
you actually get a connection to ::ffff:127.0.0.1. PostgreSQL doesn't
know this, however; it asks the ident daemon, "who's connecting from
127.0.0.1?" The daemon answers "nobody".
I got so frustrated looking for an ident daemon that handles this
situation properly, that I decided to write my own. It's coming along,
but it's not functional yet.
In the meantime, the easiest approach is probably to tell Java to use
IPv4. You can do this by setting the java.net.preferIPv4Stack system
property to false. You may find this page helpful:
http://java.sun.com/j2se/1.4.2/docs/guide/net/ipv6_guide/
--
========================================================================
Ian Pilcher i.pilcher@comcast.net
========================================================================
On Monday 07 March 2005 01:28, Todd Gee wrote: > So I just upgraded my RH 9 box to Fedora Core 3 and ident auth > stopped working. Does this thread seem relevant at all? http://archives.postgresql.org/pgsql-jdbc/2004-11/threads.php#00143 The relevant quote seems to be this: | A temporary workaround is to set the java.net.preferIPv4Stack | system property to true.
Ian Pilcher <i.pilcher@comcast.net> writes:
> Since 1.4.2 (I believe), Java uses IPv6 by default. When a connection
> is made to an IPv4 address, it actually makes an IPv6 connection to an
> "IPv4-mapped address". So when you request a connection to 127.0.0.1,
> you actually get a connection to ::ffff:127.0.0.1. PostgreSQL doesn't
> know this, however; it asks the ident daemon, "who's connecting from
> 127.0.0.1?" The daemon answers "nobody".
Hmm. I think you have mischaracterized the situation, because the
IDENT protocol doesn't actually mention IP addresses at all --- just
port numbers. It's up to Postgres to connect back to the same IP
address that the connection came from, and AFAIK we do that correctly
for IPv6 addresses.
This report could indicate a bug in our handling of the case, or it
could indicate a configuration error on the part of the OP, or it could
be that his ident daemon isn't handling the case correctly. There's
not enough info to tell. It would be useful to see the postmaster log
output when the connection is rejected.
regards, tom lane
Vadim Nasardinov <vadimn@redhat.com> writes: > Does this thread seem relevant at all? > http://archives.postgresql.org/pgsql-jdbc/2004-11/threads.php#00143 Hmm, the referenced bugzilla entry: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139956 seems to say that all you need to do is start authd with --mapped=::ffff:0.0.0.0 Apparently that answer didn't satisfy Ian, though, so I'm curious what's wrong with it. regards, tom lane
On Monday 07 March 2005 10:33, Ian Pilcher wrote: > In the meantime, the easiest approach is probably to tell Java to use > IPv4. You can do this by setting the java.net.preferIPv4Stack system > property to false. You may find this page helpful: > > http://java.sun.com/j2se/1.4.2/docs/guide/net/ipv6_guide/ If you prefer bigger hammers, you can disable IPv6 entirely. You used to be able to do this by running the following command as root: $ echo "alias net-pf-10 off" >> /etc/modprobe.conf
Ian Pilcher <i.pilcher@comcast.net> writes:
> Since 1.4.2 (I believe), Java uses IPv6 by default. When a connection
> is made to an IPv4 address, it actually makes an IPv6 connection to an
> "IPv4-mapped address". So when you request a connection to 127.0.0.1,
> you actually get a connection to ::ffff:127.0.0.1. PostgreSQL doesn't
> know this, however; it asks the ident daemon, "who's connecting from
> 127.0.0.1?" The daemon answers "nobody".
I traced through this on my own Fedora Core 3 box (kernel
2.6.10-1.766_FC3), and found that when I do
psql -l -h ::ffff:127.0.0.1
the remote address given to Postgres by accept() is actually 127.0.0.1
not ::ffff:127.0.0.1. So the kernel itself is doing the conversion at
some level. On the psql side, the addresses are in fact shown as
::ffff:127.0.0.1, so the dirty work is being done in the kernel, it's
not that glibc downconverted the address to IPv4 in psql userland before
making the connection request. In fact, "lsof" shows the connection as
being IPv6 on the psql side and IPv4 on the postmaster side!
Arguably this is a bug, or at least a bad idea, but there's probably not
going to be much interest in changing the kernel behavior in the near
future. They'll say it would break many more things than it fixes
because of the many non-IPv6-aware programs out there. And I suppose
they'd be right.
If you can't get any results from telling authd to map the addresses,
you might try connecting to "::1" instead of "::ffff:127.0.0.1".
regards, tom lane
Tom Lane wrote: > Ian Pilcher <i.pilcher@comcast.net> writes: > >>Since 1.4.2 (I believe), Java uses IPv6 by default. When a connection >>is made to an IPv4 address, it actually makes an IPv6 connection to an >>"IPv4-mapped address". So when you request a connection to 127.0.0.1, >>you actually get a connection to ::ffff:127.0.0.1. PostgreSQL doesn't >>know this, however; it asks the ident daemon, "who's connecting from >>127.0.0.1?" The daemon answers "nobody". > > > Hmm. I think you have mischaracterized the situation, because the > IDENT protocol doesn't actually mention IP addresses at all --- just > port numbers. It's up to Postgres to connect back to the same IP > address that the connection came from, and AFAIK we do that correctly > for IPv6 addresses. You're right. I believe that what happens is that PostgreSQL, seeing a client connection from 127.0.0.1, uses an IPv4 socket to connect to the ident daemon. The daemon sees a request from 127.0.0.1, so it goes looking for an IPv4 connection (in /proc/net/tcp); it doesn't find it, because the socket is actually listed in /proc/net/tcp6 (with a local address of ::ffff:127.0.0.1). > This report could indicate a bug in our handling of the case, or it > could indicate a configuration error on the part of the OP, or it could > be that his ident daemon isn't handling the case correctly. There's > not enough info to tell. It would be useful to see the postmaster log > output when the connection is rejected. Perhaps there's a bug in PostgreSQL's handling of IPv4-mapped sockets, or perhaps Linux reports it to PostgreSQL as an IPv4 socket ... or perhaps Red Hat is disabling PostgreSQL's IPv6 support in their RPMs. -- ======================================================================== Ian Pilcher i.pilcher@comcast.net ========================================================================
Ian Pilcher <i.pilcher@comcast.net> writes:
> Perhaps there's a bug in PostgreSQL's handling of IPv4-mapped sockets,
> or perhaps Linux reports it to PostgreSQL as an IPv4 socket ... or
> perhaps Red Hat is disabling PostgreSQL's IPv6 support in their RPMs.
Door number 2 seems to be the correct answer; see my followup just now.
(It's definitely not #3 ... I know, I build those RPMs.)
regards, tom lane
Tom Lane wrote: > Hmm, the referenced bugzilla entry: > https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=139956 > seems to say that all you need to do is start authd with > --mapped=::ffff:0.0.0.0 > > Apparently that answer didn't satisfy Ian, though, so I'm curious what's > wrong with it. I couldn't get it to work. Other than that, it's great. -- ======================================================================== Ian Pilcher i.pilcher@comcast.net ========================================================================
Ian Pilcher wrote: > In the meantime, the easiest approach is probably to tell Java to use > IPv4. You can do this by setting the java.net.preferIPv4Stack system > property to false. You may find this page helpful: > > http://java.sun.com/j2se/1.4.2/docs/guide/net/ipv6_guide/ > I meant set java.net.preferIPv4Stack to TRUE. Good lord! -- ======================================================================== Ian Pilcher i.pilcher@comcast.net ========================================================================