[GENERAL] pg_hba.conf debugging or logging when using ldag to authenticate

2016-12-19 Thread Poul Kristensen
Hi !

Does anyone know how to log or debug authentication against AD?
A few years ago it was possible to log everything to confirm using the
right KDC and the right principal and hereby be sure to send the right
userid, possibly concatenated with the realm. (I can't remember exactly.) As
far as I can see this is not possible anymore. When using ldapsearch
everything works fine. But the ldap authentication does not help much as the
pg_log is just reporting the failure of credentials. Changing password
using Kerberos works fine (does this use the keytab or is the KDC issuing a
new ticket?).
The documented examples are used, using cn=gssapi, cn=auth.
Is it possible to use a cached ticket in the keytab option in postgresql.conf
when enabling the use of gssapi?
Sorry for a lot of questions but I think there is a lack of logs/debugging
facilities now. 4-5 years ago it was no problem.

Thanks

Poul


Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread Francisco Olarte
Hi Arnaud:

On Thu, Aug 25, 2016 at 4:35 PM, arnaud gaboury
 wrote:
>> Is this all the contents of your pg_hba.conf? Note order matters, all
>> non comment ( or at least the host ones ) need to be checked .
> Here is the whole content:
>  local   thetradinghall  mailman   peer map=mailmap
>  local   all             postgres  trust
>  host    mattermost      mmuser    127.0.0.1/24  md5

.. This looks good once you've added the netmask, which slipped to me.

>> Also, did you signal the postmaster to reread after adding the line?
> What do you mean?

When you change the file you need to signal the postgres main process
( postmaster ) to reread it by sending it a HUP signal, or using
pg_ctl reload ( your OS/distro may have other methods ).

Francisco Olarte.


-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general


Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread Francisco Olarte
On Thu, Aug 25, 2016 at 4:28 PM, arnaud gaboury
 wrote:
> On Thu, Aug 25, 2016 at 4:26 PM, Ilya Kazakevich
>  wrote:
>>>I entered this line in pg_hab.conf:
>> Are you sure your file name is correct and it is really used by postgres?
> I think so as another service (Postfix) is running and working.

It has nothing to do with it, except if postfix is using postgres.

> How can I verify ?

If you used hab, it is wrong, if you used hba, consult the docs for
your version & os and check.

Francisco Olarte.




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread arnaud gaboury
On Thu, Aug 25, 2016 at 5:50 PM, Francisco Olarte
 wrote:
> Hi Arnaud:
>
> On Thu, Aug 25, 2016 at 4:35 PM, arnaud gaboury
>  wrote:
>>> Is this all the contents of your pg_hba.conf? Note order matters, all
>>> non comment ( or at least the host ones ) need to be checked .
>> Here is the whole content:
>>  local   thetradinghall  mailman   peer map=mailmap
>>  local   all             postgres  trust
>>  host    mattermost      mmuser    127.0.0.1/24  md5
>
> .. This looks good once you've added the netmask, which slipped to me.
>
>>> Also, did you signal the postmaster to reread after adding the line?
>> What do you mean?
>
> When you change the file you need to signal the postgres main process
> ( postmaster ) to reread it by sending it a HUP signal, or using
> pg_ctl reload ( your OS/distro may have other methods ).

In fact, I use systemctl to stop/start/reload postgres service. And
yes I did a reload.



>
> Francisco Olarte.



-- 

google.com/+arnaudgabourygabx




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread arnaud gaboury
On Thu, Aug 25, 2016 at 5:43 PM, Francisco Olarte
 wrote:
> On Thu, Aug 25, 2016 at 4:28 PM, arnaud gaboury
>  wrote:
>> On Thu, Aug 25, 2016 at 4:26 PM, Ilya Kazakevich
>>  wrote:
>>>> I entered this line in pg_hab.conf:
>>> Are you sure your file name is correct and it is really used by postgres?
>> I think so as another service (Postfix) is running and working.
>
> It has nothing to do with it, except if postfix is using postgres.
Yes it has to do as postfix uses postgres. So as postfix is working
well, I can suspect postgres is reading correctly pg_hba.conf.
>
>> How can I verify ?
>
> If you used hab, it is wrong,
I said it was a typo

> if you used hba, consult the docs for
> your version & os and check.

Thank you for the tip.

Btw, if you have read the whole thread you would know my issue is solved
>
> Francisco Olarte.



-- 

google.com/+arnaudgabourygabx




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread arnaud gaboury
On Thu, Aug 25, 2016 at 5:26 PM, Joshua D. Drake  wrote:
> On 08/25/2016 07:44 AM, arnaud gaboury wrote:
>>
>> On Thu, Aug 25, 2016 at 4:38 PM, Joshua D. Drake 
>> wrote:
>
>
>>> Did you reload PostgreSQL? That is how you tell PostgreSQL to reread the
>>> pg_hba.conf.
>>>
>>> FTR: I have deployed Mattermost and it works wonderfully.
>>
>>
>> The issue is solved (see my replies). By any chance, did you deploy on
>> Fedora? There is no official package and I must build my own .rpm.
>
>
> No. I only run LTS releases.
>
On which platform please? If Fedora or Red Hat, which .rpm ?
Thank you

google.com/+arnaudgabourygabx




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread Joshua D. Drake

On 08/25/2016 07:44 AM, arnaud gaboury wrote:
> On Thu, Aug 25, 2016 at 4:38 PM, Joshua D. Drake  wrote:
>> Did you reload PostgreSQL? That is how you tell PostgreSQL to reread the
>> pg_hba.conf.
>>
>> FTR: I have deployed Mattermost and it works wonderfully.
>
> The issue is solved (see my replies). By any chance, did you deploy on
> Fedora? There is no official package and I must build my own .rpm.

No. I only run LTS releases.

Sincerely,

jD






--
Command Prompt, Inc.  http://the.postgres.company/
+1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.
Everyone appreciates your honesty, until you are honest with them.
Unless otherwise stated, opinions are my own.




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread Ilya Kazakevich

> % psql --host=127.0.0.1/32 --dbname=mattermost --username=mmuser
> psql: could not translate host name "127.0.0.1/32" to address: Name or service not known
> % psql --host=127.0.0.1/24 --dbname=mattermost --username=mmuser
> psql: could not translate host name "127.0.0.1/24" to address: Name or service not known

[I.K >> ] “127.0.0.1/32” is network that includes only “127.0.0.1” while
“127.0.0.1” is address.

You specify network in .conf file and use address as argument to psql



Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread arnaud gaboury
On Thu, Aug 25, 2016 at 4:27 PM, Melvin Davidson 
wrote:

>
>
> On Thu, Aug 25, 2016 at 10:18 AM, arnaud gaboury  > wrote:
>
>> I am deploying mattermost on my machine following their documentation[0].
>>
>> My machine network settings:
>> --
>> $ ip a
>> 1: lo:  mtu 65536 qdisc noqueue state UNKNOWN
>> group default qlen 1
>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>> inet 127.0.0.1/8 scope host lo
>>valid_lft forever preferred_lft forever
>> inet6 ::1/128 scope host
>>valid_lft forever preferred_lft forever
>> 2: host0@if4:  mtu 1500 qdisc noqueue
>> state UP group default qlen 1000
>> link/ether 0e:7f:c3:fb:25:b1 brd ff:ff:ff:ff:ff:ff link-netnsid 0
>> inet 192.168.1.94/24 brd 192.168.1.255 scope global host0
>>valid_lft forever preferred_lft forever
>> inet6 fe80::c7f:c3ff:fefb:25b1/64 scope link
>>valid_lft forever preferred_lft forever
>> 
>>
>> There is a public IP with a domain name (http works OK).
>>
>> I entered this line in pg_hab.conf:
>> --
>>  host mattermost mmuser  127.0.0.1   md5
>> 
>>
>> Now when testing:
>> --
>> % psql --host=127.0.0.1 --dbname=mattermost --username=mmuser --password
>> Password for user mmuser:
>> psql: FATAL:  no pg_hba.conf entry for host "127.0.0.1", user
>> "mmuser", database "mattermost", SSL off
>> 
>>
>> What am I doing wrong?
>>
>> Thank you for help
>>
>>
>> [0]https://docs.mattermost.com/install/prod-rhel-7.html
>> --
>>
>>
>>
>
> You need to change your entry from this
>  host mattermost mmuser  127.0.0.1   md5
>
> to this
>  host mattermost mmuser  127.0.0.1*/32*   md5
> or this
>  host mattermost mmuser  127.0.0.1*/24*   md5
>

The returned message is different but it doesn't work either. See below

% psql --host=127.0.0.1/32 --dbname=mattermost --username=mmuser
psql: could not translate host name "127.0.0.1/32" to address: Name or service not known
% psql --host=127.0.0.1/24 --dbname=mattermost --username=mmuser
psql: could not translate host name "127.0.0.1/24" to address: Name or service not known




-- 
> *Melvin Davidson*
> I reserve the right to fantasize.  Whether or not you
> wish to share my fantasy is entirely up to you.
>



-- 

google.com/+arnaudgabourygabx



Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread Joshua D. Drake

On 08/25/2016 07:18 AM, arnaud gaboury wrote:
> I am deploying mattermost on my machine following their documentation[0].

> There is a public IP with a domain name (http works OK).
>
> I entered this line in pg_hab.conf:

I assume you mean pg_hba.conf

> --
>  host mattermost mmuser  127.0.0.1   md5

Make sure that is the *only* line referencing 127.0.0.1.

> Now when testing:
> --
> % psql --host=127.0.0.1 --dbname=mattermost --username=mmuser --password
> Password for user mmuser:
> psql: FATAL:  no pg_hba.conf entry for host "127.0.0.1", user
> "mmuser", database "mattermost", SSL off

Did you reload PostgreSQL? That is how you tell PostgreSQL to reread the
pg_hba.conf.

FTR: I have deployed Mattermost and it works wonderfully.

JD



--
Command Prompt, Inc.  http://the.postgres.company/
+1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.
Everyone appreciates your honesty, until you are honest with them.




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread arnaud gaboury
On Thu, Aug 25, 2016 at 4:38 PM, Joshua D. Drake  wrote:
> On 08/25/2016 07:18 AM, arnaud gaboury wrote:
>>
>> I am deploying mattermost on my machine following their documentation[0].
>
>
>> There is a public IP with a domain name (http works OK).
>>
>> I entered this line in pg_hab.conf:
>
>
> I assume you mean pg_hba.conf
>
>> --
>>  host mattermost mmuser  127.0.0.1   md5
>> 
>>
>
> Make sure that is the *only* line referencing 127.0.0.1.
>
>
>> Now when testing:
>> --
>> % psql --host=127.0.0.1 --dbname=mattermost --username=mmuser --password
>> Password for user mmuser:
>> psql: FATAL:  no pg_hba.conf entry for host "127.0.0.1", user
>> "mmuser", database "mattermost", SSL off
>> 
>
>
> Did you reload PostgreSQL? That is how you tell PostgreSQL to reread the
> pg_hba.conf.
>
> FTR: I have deployed Mattermost and it works wonderfully.

The issue is solved (see my replies). By any chance, did you deploy on
Fedora? There is no official package and I must build my own .rpm.


>
> JD
>
>
>
> --
> Command Prompt, Inc.  http://the.postgres.company/
> +1-503-667-4564
> PostgreSQL Centered full stack support, consulting and development.
> Everyone appreciates your honesty, until you are honest with them.



-- 

google.com/+arnaudgabourygabx




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread arnaud gaboury
On Thu, Aug 25, 2016 at 4:37 PM, Ilya Kazakevich
 wrote:
>
> % psql --host=127.0.0.1/32 --dbname=mattermost --username=mmuser
> psql: could not translate host name "127.0.0.1/32" to address: Name or
> service not known
> % psql --host=127.0.0.1/24 --dbname=mattermost --username=mmuser
> psql: could not translate host name "127.0.0.1/24" to address: Name or
> service not known
>
>
> [I.K >> ] “127.0.0.1/32” is network that includes only “127.0.0.1” while
> “127.0.0.1” is address.
>
> You specify network in .conf file and use address as argument to psql

Thanks a lot sir. My knowledge in TCP-IP is definitively too light.
--
% psql --host=127.0.0.1 --dbname=mattermost --username=mmuser
Password for user mmuser:
psql (9.5.3)
Type "help" for help.

mattermost=>

---

-- 

google.com/+arnaudgabourygabx




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread arnaud gaboury
On Thu, Aug 25, 2016 at 4:29 PM, Francisco Olarte
 wrote:
> Hi Arnaud:
> On Thu, Aug 25, 2016 at 4:18 PM, arnaud gaboury
>  wrote:
>> There is a public IP with a domain name (http works OK).
> Nice to know, but does not matter if all you use is 127.0.0.1
>
>
>> I entered this line in pg_hab.conf:
>
> Have you checked the filename? you are saying HAB, but it is HBA (
> Host Based Auth ) . May be a typo,

Yes it is.

> but better safe than sorry. And
> have you checked it is stored in the right place?
>
>
>> --
>>  host mattermost mmuser  127.0.0.1   md5
>> 
>
> Is this all the contents of your pg_hba.conf? Note order matters, all
> non comment ( or at least the host ones ) need to be checked .

Here is the whole content:
-

 # TYPE  DATABASE        USER      ADDRESS        METHOD  OPTION

 # "local" is for Unix domain socket connections only
 local   thetradinghall  mailman                  peer    map=mailmap
 local   all             postgres                 trust
 #---#

 # IPv4 local connections:
 host    mattermost      mmuser    127.0.0.1/24   md5
 # IPv6 local connections:


 ##


>
>
> Also, did you signal the postmaster to reread after adding the line?

What do you mean?
>
> Francisco Olarte.



-- 

google.com/+arnaudgabourygabx




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread arnaud gaboury
On Thu, Aug 25, 2016 at 4:32 PM, Tom Lane  wrote:
> arnaud gaboury  writes:
>> I entered this line in pg_hab.conf:
>> --
>>  host mattermost mmuser  127.0.0.1   md5
>
>> What am I doing wrong?
>
> Looking in the postmaster log for complaints about pg_hba.conf
> would probably have helped you diagnose this.  But I think the
> problem is that you're required to specify a netmask or masklen;
> so "127.0.0.1/32" not just "127.0.0.1".

See previous answers, it doesn't work either
>
> regards, tom lane



-- 

google.com/+arnaudgabourygabx




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread Melvin Davidson
On Thu, Aug 25, 2016 at 10:28 AM, arnaud gaboury 
wrote:

> On Thu, Aug 25, 2016 at 4:26 PM, Ilya Kazakevich
>  wrote:
> >>I entered this line in pg_hab.conf:
> > Are you sure your file name is correct and it is really used by postgres?
>
> I think so as another service (Postfix) is running and working.
>
> How can I verify ?
> >
> >
> > Ilya Kazakevich
> >
> > JetBrains
> > http://www.jetbrains.com
> > The Drive to Develop
> >
>
>
>
> --
>
> google.com/+arnaudgabourygabx
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>

per my previous reply, please review the information for correct address
entry at
https://www.postgresql.org/docs/9.4/static/auth-pg-hba-conf.html

Also, please note that although it does not apply in this case, it is
always helpful to provide O/S and PostgreSQL version when addressing this
mail list.

-- 
*Melvin Davidson*
I reserve the right to fantasize.  Whether or not you
wish to share my fantasy is entirely up to you.


Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread Ilya Kazakevich
>How can I verify ?
Can you connect as postgres (superuser)?
If yes, connect and type "show hba_file;"
If no, try adding "local all postgres peer" or even "local all postgres trust" 
to this file and restart postgres. Check again.






Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread Tom Lane
arnaud gaboury  writes:
> I entered this line in pg_hab.conf:
> --
>  host mattermost mmuser  127.0.0.1   md5

> What am I doing wrong?

Looking in the postmaster log for complaints about pg_hba.conf
would probably have helped you diagnose this.  But I think the
problem is that you're required to specify a netmask or masklen;
so "127.0.0.1/32" not just "127.0.0.1".

regards, tom lane
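
Added example (not code from this thread or from PostgreSQL): a small Python model of the two points made in Tom Lane's and Ilya Kazakevich's replies, that a `host` line needs an address with a mask and that the client side passes a plain address, which is then checked against the rules in file order. It covers only `local` and numeric `host` entries; the function names and the two sample files, built from the lines quoted in the thread, are assumptions of this example.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample files based on the lines quoted in the thread.
HBA_BEFORE = (
    "local   thetradinghall  mailman   peer map=mailmap\n"
    "local   all             postgres  trust\n"
    "host    mattermost      mmuser    127.0.0.1       md5\n"
)
HBA_AFTER = HBA_BEFORE.replace("127.0.0.1 ", "127.0.0.1/24 ")


class Rule(NamedTuple):
    lineno: int
    conntype: str
    database: str
    user: str
    network: Optional[object]  # IPv4Network/IPv6Network, None for "local"
    method: str


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hba(text):
    """Return (rules, errors) for the subset of the format modelled here."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # quoted fields are not handled
        if not tokens:
            continue
        conntype = tokens[0]
        if conntype == "local":
            if len(tokens) < 4:
                errors.append((lineno, "too few fields"))
            else:
                rules.append(Rule(lineno, conntype, tokens[1], tokens[2], None, tokens[3]))
            continue
        if conntype not in ("host", "hostssl", "hostnossl") or len(tokens) < 5:
            errors.append((lineno, "unknown type or too few fields"))
            continue
        database, user, addr, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
        try:
            if "/" in addr:
                # CIDR form; host bits may be set, as in 127.0.0.1/24.
                network = ipaddress.ip_network(addr, strict=False)
            elif _is_ip(addr):
                # Bare IP: the next column has to be a netmask, not the method.
                if not _is_ip(rest[0]):
                    errors.append((lineno, f"{addr} has no mask; {rest[0]!r} is not an IP mask"))
                    continue
                network = ipaddress.ip_network(f"{addr}/{rest[0]}", strict=False)
                rest = rest[1:]
            else:
                errors.append((lineno, "host names and keywords are not modelled here"))
                continue
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if not rest:
            errors.append((lineno, "missing authentication method"))
            continue
        rules.append(Rule(lineno, conntype, database, user, network, rest[0]))
    return rules, errors


def first_match(rules, database, user, client_ip):
    """First TCP rule matching the connection, or None (no entry for host)."""
    ip = ipaddress.ip_address(client_ip)  # "127.0.0.1/32" raises ValueError
    for rule in rules:
        if rule.network is None or rule.network.version != ip.version:
            continue
        if (rule.database in ("all", database) and rule.user in ("all", user)
                and ip in rule.network):
            return rule
    return None


if __name__ == "__main__":
    for label, text in (("before", HBA_BEFORE), ("after", HBA_AFTER)):
        rules, errors = parse_hba(text)
        print(label, "errors:", errors)
        print(label, "match:", first_match(rules, "mattermost", "mmuser", "127.0.0.1"))
```
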




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread Francisco Olarte
Hi Arnaud:
On Thu, Aug 25, 2016 at 4:18 PM, arnaud gaboury
 wrote:
> There is a public IP with a domain name (http works OK).
Nice to know, but does not matter if all you use is 127.0.0.1


> I entered this line in pg_hab.conf:

Have you checked the filename? you are saying HAB, but it is HBA (
Host Based Auth ) . May be a typo, but better safe than sorry. And
have you checked it is stored in the right place?


> --
>  host mattermost mmuser  127.0.0.1   md5
> 

Is this all the contents of your pg_hba.conf? Note order matters, all
non comment ( or at least the host ones ) need to be checked .


Also, did you signal the postmaster to reread after adding the line?

Francisco Olarte.




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread Melvin Davidson
On Thu, Aug 25, 2016 at 10:18 AM, arnaud gaboury 
wrote:

> I am deploying mattermost on my machine following their documentation[0].
>
> My machine network settings:
> --
> $ ip a
> 1: lo:  mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
>valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
>valid_lft forever preferred_lft forever
> 2: host0@if4:  mtu 1500 qdisc noqueue
> state UP group default qlen 1000
> link/ether 0e:7f:c3:fb:25:b1 brd ff:ff:ff:ff:ff:ff link-netnsid 0
> inet 192.168.1.94/24 brd 192.168.1.255 scope global host0
>valid_lft forever preferred_lft forever
> inet6 fe80::c7f:c3ff:fefb:25b1/64 scope link
>valid_lft forever preferred_lft forever
> 
>
> There is a public IP with a domain name (http works OK).
>
> I entered this line in pg_hab.conf:
> --
>  host mattermost mmuser  127.0.0.1   md5
> 
>
> Now when testing:
> --
> % psql --host=127.0.0.1 --dbname=mattermost --username=mmuser --password
> Password for user mmuser:
> psql: FATAL:  no pg_hba.conf entry for host "127.0.0.1", user
> "mmuser", database "mattermost", SSL off
> 
>
> What am I doing wrong?
>
> Thank you for help
>
>
>
>
>
>
>
>
> [0]https://docs.mattermost.com/install/prod-rhel-7.html
> --
>
> google.com/+arnaudgabourygabx
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>


You need to change your entry from this
 host mattermost mmuser  127.0.0.1   md5

to this
 host mattermost mmuser  127.0.0.1*/32*   md5
or this
 host mattermost mmuser  127.0.0.1*/24*   md5
-- 
*Melvin Davidson*
I reserve the right to fantasize.  Whether or not you
wish to share my fantasy is entirely up to you.


Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread arnaud gaboury
On Thu, Aug 25, 2016 at 4:26 PM, Ilya Kazakevich
 wrote:
>>I entered this line in pg_hab.conf:
> Are you sure your file name is correct and it is really used by postgres?

I think so as another service (Postfix) is running and working.

How can I verify ?
>
>
> Ilya Kazakevich
>
> JetBrains
> http://www.jetbrains.com
> The Drive to Develop
>



-- 

google.com/+arnaudgabourygabx




Re: [GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread Ilya Kazakevich
>I entered this line in pg_hab.conf:
Are you sure your file name is correct and it is really used by postgres? 


Ilya Kazakevich

JetBrains
http://www.jetbrains.com
The Drive to Develop





[GENERAL] pg_hba.conf : bad entry for ADDRESS

2016-08-25 Thread arnaud gaboury
I am deploying mattermost on my machine following their documentation[0].

My machine network settings:
--
$ ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: host0@if4:  mtu 1500 qdisc noqueue
state UP group default qlen 1000
link/ether 0e:7f:c3:fb:25:b1 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.1.94/24 brd 192.168.1.255 scope global host0
   valid_lft forever preferred_lft forever
inet6 fe80::c7f:c3ff:fefb:25b1/64 scope link
   valid_lft forever preferred_lft forever


There is a public IP with a domain name (http works OK).

I entered this line in pg_hab.conf:
--
 host mattermost mmuser  127.0.0.1   md5


Now when testing:
--
% psql --host=127.0.0.1 --dbname=mattermost --username=mmuser --password
Password for user mmuser:
psql: FATAL:  no pg_hba.conf entry for host "127.0.0.1", user
"mmuser", database "mattermost", SSL off


What am I doing wrong?

Thank you for help








[0]https://docs.mattermost.com/install/prod-rhel-7.html
-- 

google.com/+arnaudgabourygabx




Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-08 Thread John McKown
On Wed, Jul 8, 2015 at 3:55 AM, Karsten Hilbert 
wrote:

> On Tue, Jul 07, 2015 at 06:57:45AM -0500, John McKown wrote:
>
> > >>> >at a bare minimum, a database administrator needs to create database
> > >>> >roles (users) and databases for an app like yours.
> > >>>
> > >> The admin don't need to create the db. It is done by the application
> > >> (sqlalchemy-utils on Python3) itself.
> > >>
> > >
> > > an application should not have the privileges to do that.   you don't
> run
> > > your apps as 'root', do you?   why would you run them as a database
> > > administrator ?
> >
> >
> > Trigger Warning (Thanks, Mallard Fillmore)
> >
> > I agree with you on this. If I were a customer and some vendor said: "Oh
> > yes, to run our product, you must configure your multi-user data base to
> > disable passwords and run it as a DBA so that it can make schema changes
> on
> > the fly", then I'd simply say "no sale". Of course, in regards to the
> > schema, it would be proper to document what the DBA needs to do to set up
> > the data base with the proper tables and other items.
>
> In fact, an app might have an option to emit a script for
> the DBA to run. Or even offer to run it for the DBA given
> proper credentials are provided on the spot.
>

Yes, that's even better. Documentation to say what to do and why, and a
way to generate a script which the DBA can review, approve, & run is an
excellent way to do this.



>
> Karsten Hilbert
>
>
-- 

Schrodinger's backup: The condition of any backup is unknown until a
restore is attempted.

Yoda of Borg, we are. Futile, resistance is, yes. Assimilated, you will be.

He's about as useful as a wax frying pan.

10 to the 12th power microphones = 1 Megaphone

Maranatha! <><
John McKown


Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-08 Thread Karsten Hilbert
On Tue, Jul 07, 2015 at 06:57:45AM -0500, John McKown wrote:

> >>> >at a bare minimum, a database administrator needs to create database
> >>> >roles (users) and databases for an app like yours.
> >>>
> >> The admin don't need to create the db. It is done by the application
> >> (sqlalchemy-utils on Python3) itself.
> >>
> >
> > an application should not have the privileges to do that.   you don't run
> > your apps as 'root', do you?   why would you run them as a database
> > administrator ?
> 
> 
> Trigger Warning (Thanks, Mallard Fillmore)
> 
> I agree with you on this. If I were a customer and some vendor said: "Oh
> yes, to run our product, you must configure your multi-user data base to
> disable passwords and run it as a DBA so that it can make schema changes on
> the fly", then I'd simply say "no sale". Of course, in regards to the
> schema, it would be proper to document what the DBA needs to do to set up
> the data base with the proper tables and other items.

In fact, an app might have an option to emit a script for
the DBA to run. Or even offer to run it for the DBA given
proper credentials are provided on the spot.

Karsten Hilbert
-- 
GPG key ID E4071346 @ eu.pool.sks-keyservers.net
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346
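
Added example (not code from this thread or from any project mentioned in it): one way an application could emit a provisioning script for the DBA to review and run, as suggested above, instead of running with administrator rights itself. The function names, the conservative identifier rule and the sample role, database and network are assumptions of this example.

```python
import ipaddress
import re

# Assumption of this example: only plain lower-case identifiers are accepted,
# so nothing supplied at install time can break out of the generated SQL.
_IDENT = re.compile(r"[a-z_][a-z0-9_]{0,62}")


def checked_ident(name):
    """Return name unchanged if it is a safe identifier, else raise."""
    if not _IDENT.fullmatch(name):
        raise ValueError(f"refusing unsafe identifier: {name!r}")
    return name


def provisioning_script(app_role, database, client_cidr):
    """Build a psql script that creates an unprivileged role and its database.

    The script carries no password: the psql \\password meta-command prompts
    the DBA for one, so no credential is hard coded or written to disk.
    """
    role = checked_ident(app_role)
    db = checked_ident(database)
    # Normalise the client network that the pg_hba.conf entry should allow.
    network = ipaddress.ip_network(client_cidr, strict=False)
    lines = [
        "-- Provisioning script for the DBA to review and run with psql.",
        "-- It contains no password; the password step prompts for one.",
        f'CREATE ROLE "{role}" LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;',
        f"\\password {role}",
        f'CREATE DATABASE "{db}";',
        f'REVOKE ALL ON DATABASE "{db}" FROM PUBLIC;',
        f'GRANT CONNECT ON DATABASE "{db}" TO "{role}";',
        "",
        "-- pg_hba.conf entry to add, followed by a reload of the server:",
        f"--   host  {db}  {role}  {network}  md5",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values, reusing the names from the thread above.
    print(provisioning_script("mmuser", "mattermost", "127.0.0.1/32"))
```
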




Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-07 Thread John McKown
On Tue, Jul 7, 2015 at 12:10 AM, John R Pierce  wrote:

> On 7/6/2015 9:55 PM, c.bu...@posteo.jp wrote:
>
>> On 2015-07-05 22:16 John R Pierce  wrote:
>>
>>> >at a bare minimum, a database administrator needs to create database
>>> >roles (users) and databases for an app like yours.
>>>
>> The admin don't need to create the db. It is done by the application
>> (sqlalchemy-utils on Python3) itself.
>>
>
> an application should not have the privileges to do that.   you don't run
> your apps as 'root', do you?   why would you run them as a database
> administrator ?


Trigger Warning (Thanks, Mallard Fillmore)

I agree with you on this. If I were a customer and some vendor said: "Oh
yes, to run our product, you must configure your multi-user data base to
disable passwords and run it as a DBA so that it can make schema changes on
the fly", then I'd simply say "no sale". Of course, in regards to the
schema, it would be proper to document what the DBA needs to do to set up
the data base with the proper tables and other items. WRT to the data base
userid and password, that, IMO, should be some sort of installation
parameter, not "hard coded" into the code itself.

SQLite, which I guess the OP has decided to use, is a much better choice
for _this_ application. IMO, it does not seem to "play well with others".


> --
> john r pierce, recycling bits in santa cruz
>
>
-- 

Schrodinger's backup: The condition of any backup is unknown until a
restore is attempted.

Yoda of Borg, we are. Futile, resistance is, yes. Assimilated, you will be.

He's about as useful as a wax frying pan.

10 to the 12th power microphones = 1 Megaphone

Maranatha! <><
John McKown


Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-06 Thread John R Pierce

On 7/6/2015 9:55 PM, c.bu...@posteo.jp wrote:
> On 2015-07-05 22:16 John R Pierce  wrote:
>> at a bare minimum, a database administrator needs to create database
>> roles (users) and databases for an app like yours.
>
> The admin don't need to create the db. It is done by the application
> (sqlalchemy-utils on Python3) itself.

an application should not have the privileges to do that.   you don't
run your apps as 'root', do you?   why would you run them as a database
administrator ?




--
john r pierce, recycling bits in santa cruz





Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-06 Thread c.buhtz
On 2015-07-05 22:16 John R Pierce  wrote:
> at a bare minimum, a database administrator needs to create database 
> roles (users) and databases for an app like yours.

The admin don't need to create the db. It is done by the application
(sqlalchemy-utils on Python3) itself.

But I see. I will go back to sqlite3.




Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-06 Thread Adrian Klaver

On 07/05/2015 09:43 PM, c.bu...@posteo.jp wrote:
> On 2015-07-05 15:13 Jan de Visser  wrote:
>> You could set up a whole new server with a different $PGDATA on a
>> different port.
>
> I (and the user) don't want to setup anything - that is the point.

Then what you want is an embedded database, in other words a program
that you can include inside your application. As others have suggested
Sqlite is just such a program and what is more it is included in the
Python standard library since 2.5. Postgres is not an embedded database
and therefore it will by nature exist outside the app. This means either
you have to create code to anticipate all your users setups and
configure Postgres accordingly or you will need to include the user in
the set up process.

>> What I'm wondering though is what made you decide to use pgsql for
>> your project? It seems to me that something like sqlite would be
>> better suited for your requirements.
>
> When I started I wasn't aware of the difference between PostgreSQL and
> sqlite. Maybe this is a solution.
>
> But isn't there a way to use PostgreSQL without that setup and
> configuration things?





--
Adrian Klaver
adrian.kla...@aklaver.com




Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-06 Thread Mark Morgan Lloyd

Jan de Visser wrote:
> On July 6, 2015 06:43:53 AM c.bu...@posteo.jp wrote:
>> On 2015-07-05 15:13 Jan de Visser  wrote:
>>> You could set up a whole new server with a different $PGDATA on a
>>> different port.
>>
>> I (and the user) don't want to setup anything - that is the point.
>
> Well, you don't have to setup anything. You do an initdb in a different
> directory, that will write a .conf file there, which you then massage to
> include a different port. You'll use the same binaries as the standard pgsql
> install, but in a different environment.

I'm not sure that helps, since I think part of the question is what the
"true Debian way" is to massage the configuration files to include
appropriate entries.


--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]




Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-06 Thread Jan de Visser
On July 6, 2015 06:43:53 AM c.bu...@posteo.jp wrote:
> On 2015-07-05 15:13 Jan de Visser  wrote:
> > You could set up a whole new server with a different $PGDATA on a
> > different port.
> 
> I (and the user) don't want to setup anything - that is the point.

Well, you don't have to setup anything. You do an initdb in a different 
directory, that will write a .conf file there, which you then massage to 
include a different port. You'll use the same binaries as the standard pgsql 
install, but in a different environment.





Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-05 Thread John R Pierce

On 7/5/2015 9:43 PM, c.bu...@posteo.jp wrote:
> But isn't there a way to use PostgreSQL without that setup and
> configuration things?


no, not really, as its a generic database server meant to be used by 
multiple applications across a network, with a wide range of 
configuration options, plugins and addons, etc.


at a bare minimum, a database administrator needs to create database 
roles (users) and databases for an app like yours.



--
john r pierce, recycling bits in santa cruz





Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-05 Thread c.buhtz
On 2015-07-05 15:13 Jan de Visser  wrote:
> You could set up a whole new server with a different $PGDATA on a
> different port.

I (and the user) don't want to setup anything - that is the point.

> What I'm wondering though is what made you decide to use pgsql for
> your project? It seems to me that something like sqlite would be
> better suited for your requirements.

When I started I wasn't aware of the difference between PostgreSQL and
sqlite. Maybe this is a solution.

But isn't there a way to use PostgreSQL without that setup and
configuration things?




Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-05 Thread Jan de Visser
On July 5, 2015 08:58:17 PM c.bu...@posteo.jp wrote:
> On 2015-07-05 15:11 Charles Clavadetscher wrote:
> > I am not really an expert, but from your description I guess that you
> > assume an existing PostgreSQL installation on your customers' server.
> 
> The application is a simple open source using a local PostgreSQL
> database. The customer is just any user out there.
> I guess the PostgreSQL instance itself is in most cases fresh/virgin
> installed without any configuration done by the user.
> 
> > I would not like to install applications that change settings in
> > pg_hba.conf
> 
> I know that this is a bad solution. It is just a workaround for my
> development environment. I just explained that modifications here to
> show how bad my workaround is and how less I know about PostgreSQL.
> 
> I read unspecific things about a "configuration file" for the
> application that make it possible to get access to PostgreSQL without
> having root-access to it. But I don't know details about it.
> What could this be?
> 
> Is it possible for the user to install a PostgreSQL-using application
> (including a fresh install and default-configured PostgreSQL) without
> modifying the PostgreSQL-configuration?

You could set up a whole new server with a different $PGDATA on a different 
port.

What I'm wondering though is what made you decide to use pgsql for your 
project? It seems to me that something like sqlite would be better suited for 
your requirements.





Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-05 Thread John R Pierce

On 7/5/2015 3:15 AM, c.bu...@posteo.jp wrote:
> These are the modification I have to do to make my application run with
> the connection string "postgres://puser@localhost/FoobarTest".
>
> The settings are about
> the /etc/postgresql/9.3/main/pg_hba.conf file.
> There I change this line
> host    all    all    127.0.0.1/32    md5
> to
> host    all    all    127.0.0.1/32    trust
>
> I have to create a user without a password (beside the admin/postgres),
> too.

why not connect as postgres://puser:somepass@localhost/dbname

and create puser with a password ?   that way mucking with configuration 
files is not required.





--
john r pierce, recycling bits in santa cruz





Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-05 Thread c.buhtz
On 2015-07-05 15:11 Charles Clavadetscher wrote:
> I am not really an expert, but from your description I guess that you 
> assume an existing PostgreSQL installation on your customers' server.

The application is a simple open source using a local PostgreSQL
database. The customer is just any user out there.
I guess the PostgreSQL instance itself is in most cases fresh/virgin
installed without any configuration done by the user.

> I would not like to install applications that change settings in
> pg_hba.conf

I know that this is a bad solution. It is just a workaround for my
development environment. I just explained that modifications here to
show how bad my workaround is and how less I know about PostgreSQL.

I read unspecific things about a "configuration file" for the
application that make it possible to get access to PostgreSQL without
having root-access to it. But I don't know details about it.
What could this be?

Is it possible for the user to install a PostgreSQL-using application
(including a fresh install and default-configured PostgreSQL) without
modifying the PostgreSQL-configuration?




Re: [GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-05 Thread Charles Clavadetscher

Hi

I am not really an expert, but from your description I guess that you 
assume an existing PostgreSQL installation on your customers' server. If 
that is the case you probably won't get around giving instructions to 
your customer and let them do the change. I would not like to install 
applications that change settings in pg_hba.conf on my server. Besides 
you may consider limiting the trust access to the specific user and 
specific database that your application needs to access.


Bye
Charles

On 7/5/2015 12:15, c.bu...@posteo.jp wrote:
> I have my own Python application using a PostgreSQL database over
> SQLAlchemy.
>
> Currently I pack the application in a deb-file.
> After installation (on a fresh system! Ubuntu 14.04.2) it doesn't run
> because of some PostgreSQL-settings.
> Of course I understand why and I know (a little bit) which settings I
> have to do to make it run.
>
> But the point is I don't want to plague my user to do that.
>
> How could this be solved?
> How can I release an application using a local PostgreSQL-database.
> I am not sure if the modifications I do are correct or elegant (see
> below).
>
> These are the modification I have to do to make my application run with
> the connection string "postgres://puser@localhost/FoobarTest".
>
> The settings are about
> the /etc/postgresql/9.3/main/pg_hba.conf file.
> There I change this line
> host    all    all    127.0.0.1/32    md5
> to
> host    all    all    127.0.0.1/32    trust
>
> I have to create a user without a password (beside the admin/postgres),
> too.



[GENERAL] [pg_hba.conf] publish own Python application using PostgreSQL

2015-07-05 Thread c.buhtz
I have my own Python application using a PostgreSQL database over
SQLAlchemy.

Currently I pack the application in a deb-file.
After installation (on a fresh system! Ubuntu 14.04.2) it doesn't run
because of some PostgreSQL-settings.
Of course I understand why and I know (a little bit) which settings I
have to do to make it run.

But the point is I don't want to plague my user to do that.

How could this be solved?
How can I release an application using a local PostgreSQL-database.
I am not sure if the modifications I do are correct or elegant (see
below).

These are the modification I have to do to make my application run with
the connection string "postgres://puser@localhost/FoobarTest".

The settings are about
the /etc/postgresql/9.3/main/pg_hba.conf file.
There I change this line
host    all    all    127.0.0.1/32    md5
to
host    all    all    127.0.0.1/32    trust

I have to create a user without a password (beside the admin/postgres),
too.




Re: [GENERAL] pg_hba.conf analysis tool

2014-02-14 Thread salah jubeh
>We are in the process of talking about this:

>    http://www.postgresql.org/message-id/86fvnm5t44@jerry.enova.com

> I know of no tool currently available.
Thank you for the reply. I think my case might be a little bit different.
I am working with several clusters and I sometimes find pg_hba rules which do 
not make sense. So, a tool which could give hints or detect bad configurations 
might help. 

For example

local   all appl1  trust
local   all appl1  md5

Or   
host    all all IP_ADDRESS/24   md5
host    all all IP_ADDRESS/32   md5

OR 
host    all all IP_ADDRESS/24   reject
host    all all IP_ADDRESS/32   md5
OR
host    all all IP_ADDRESS1/32   md5
host    all all IP_ADDRESS2/32   md5
host    all all IP_ADDRESS3/32   md5
host    all all IP_ADDRESS4/32   md5

which could be replaced 
host    all all IP_ADDRESS1/24   md5

Regards




On Friday, February 14, 2014 4:39 PM, Bruce Momjian  wrote:
 
On Fri, Feb 14, 2014 at 07:28:38AM -0800, salah jubeh wrote:

> Hello,
> 
> I am looking for a tool that could help me in analyzing the pg_hba.conf file.
> For example, detecting duplicates, unused entries, and overlapping entries.

We are in the process of talking about this:

    http://www.postgresql.org/message-id/86fvnm5t44@jerry.enova.com


I know of no tool currently available.

-- 
  Bruce Momjian          http://momjian.us
  EnterpriseDB                            http://enterprisedb.com

  + Everyone has their own god. +
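
A minimal sketch of the kind of checker asked for in this thread, added here as an example and not code from any poster or from the PostgreSQL project: it reports records that can never be reached because an earlier record already matches the same connections (the first matching record is the one used), and `trust` on TCP records such as the loopback change described in the 2015 thread above. The names `parse_hba` and `lint` and the sample file are constructed for illustration; group names, comma-separated lists, quoted fields and `@file` includes are not interpreted, and the older "IP MASK" column form is normalised to CIDR.

```python
from dataclasses import dataclass
from ipaddress import ip_network

NET_TYPES = {"host", "hostssl", "hostnossl"}

# Constructed sample (documentation address ranges), not taken from a real server.
SAMPLE = """\
# TYPE  DATABASE  USER      ADDRESS                        METHOD
local   all       appl1                                    trust
local   all       appl1                                    md5
host    all       all       192.0.2.0/24                   reject
host    all       all       192.0.2.17/32                  md5
host    all       all       127.0.0.1/32                   trust
host    arc       postgres  198.51.100.7 255.255.255.255   md5
hostssl arc       postgres  198.51.100.7/32                md5
"""


@dataclass
class Rule:
    lineno: int
    conn: str
    db: str
    user: str
    addr: str     # address as written, "" for local records
    nets: tuple   # parsed networks; empty for local records or host names
    auth: tuple   # method followed by its options


def _networks(addr, rest):
    """Return (networks, remaining fields) for CIDR or 'IP MASK' addresses."""
    if addr == "all":
        return (ip_network("0.0.0.0/0"), ip_network("::/0")), rest
    if "/" not in addr and rest:
        try:  # older two-column form: address followed by a netmask
            return (ip_network(f"{addr}/{rest[0]}", strict=False),), rest[1:]
        except ValueError:
            pass
    try:
        return (ip_network(addr, strict=False),), rest
    except ValueError:
        return (), rest  # host name, samehost, samenet: compared as text only


def parse_hba(text):
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conn, rest = fields[0], fields[3:]
        if conn not in NET_TYPES and conn != "local":
            raise ValueError(f"line {lineno}: unknown record type in {raw!r}")
        addr, nets = "", ()
        if conn in NET_TYPES and rest:
            addr = rest[0]
            nets, rest = _networks(addr, rest[1:])
        if not rest:
            raise ValueError(f"line {lineno}: no auth method in {raw!r}")
        rules.append(Rule(lineno, conn, fields[1], fields[2], addr, nets, tuple(rest)))
    return rules


def _covers(early, late):
    """True when every connection `late` could match is already matched by `early`."""
    if early.conn != late.conn and not (early.conn == "host" and late.conn in NET_TYPES):
        return False
    if early.db != late.db and not (early.db == "all" and late.db != "replication"):
        return False
    if early.user != late.user and early.user != "all":
        return False
    if early.conn == "local":
        return True
    if early.nets and late.nets:
        return all(any(n.version == e.version and n.subnet_of(e) for e in early.nets)
                   for n in late.nets)
    return early.addr == late.addr


def lint(text):
    """Return (line, finding, earlier line or None) tuples in file order."""
    findings = []
    rules = parse_hba(text)
    for i, rule in enumerate(rules):
        if rule.conn in NET_TYPES and rule.auth[0] == "trust":
            findings.append((rule.lineno, "trust-over-tcp", None))
        first = next((e for e in rules[:i] if _covers(e, rule)), None)
        if first is not None:
            # Same method and options: harmless duplicate. Different: the later
            # record's method is never applied, which is usually a surprise.
            kind = "redundant" if first.auth == rule.auth else "shadowed"
            findings.append((rule.lineno, kind, first.lineno))
    return findings


if __name__ == "__main__":
    for lineno, kind, earlier in lint(SAMPLE):
        print(f"line {lineno}: {kind}" + (f" (by line {earlier})" if earlier else ""))
```

A "shadowed" finding is the one to review first: the administrator who wrote the later record probably believes its method is in force.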



Re: [GENERAL] pg_hba.conf analysis tool

2014-02-14 Thread Bruce Momjian
On Fri, Feb 14, 2014 at 07:28:38AM -0800, salah jubeh wrote:
> Hello,
> 
> I am looking for a tool that could help me in analyzing the pg_hba.conf file.
> For example, detecting duplicates, unused entries, and overlapping entries.

We are in the process of talking about this:

http://www.postgresql.org/message-id/86fvnm5t44@jerry.enova.com


I know of no tool currently available.

-- 
  Bruce Momjian  http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + Everyone has their own god. +




[GENERAL] pg_hba.conf analysis tool

2014-02-14 Thread salah jubeh
Hello,

I am looking for a tool that could help me in analyzing the pg_hba.conf file. 
For example, detecting duplicates, unused entries, and overlapping entries.

Regards

Re: [GENERAL] pg_hba.conf broken after cluster upgrade

2013-10-16 Thread Adrian Klaver

On 10/16/2013 05:03 PM, John R Pierce wrote:
> On 10/16/2013 4:56 PM, Adrian Klaver wrote:
>> I have never seen this  in a pg_hba.conf. Of
>> course I don't get out much:) Not sure of its purpose. It seems to be
>> in the place of the IP mask.
>
> i think that's an email program artifact, trying to treat an IP as a URL

Yea, you are right it showed up in the reply not the original message, 
time for that beer.


--
Adrian Klaver
adrian.kla...@gmail.com




Re: [GENERAL] pg_hba.conf broken after cluster upgrade

2013-10-16 Thread John R Pierce

On 10/16/2013 4:56 PM, Adrian Klaver wrote:
> I have never seen this  in a pg_hba.conf. Of 
> course I don't get out much:) Not sure of its purpose. It seems to be 
> in the place of the IP mask.

i think that's an email program artifact, trying to treat an IP as a URL


--
john r pierce  37N 122W
somewhere on the middle of the left coast





Re: [GENERAL] pg_hba.conf broken after cluster upgrade

2013-10-16 Thread Adrian Klaver

On 10/16/2013 04:20 PM, Bob Jolliffe wrote:

CCing the list so more eyes can see this.

> Hi Adrian
>
> Sure.  Here are 6 versions of complete pg_hba.conf files:
>
> 1.  This works (note the auth method is peer not ident.  my first post
> had an error).  Complete one line pg_hba.conf file:
>
> local all postgres peer
>
> 2.  This also works. Another one liner
>
> host all all 127.0.0.1/32  md5
>
> 3.  This doesn't work
>
> local all postgres peer
> host all all 127.0.0.1/32  md5
>
> 4.  Neither does this
>
> host all all 127.0.0.1/32  md5
> local all postgres peer
>
> 5.  This works
>
> host all all 127.0.0.1/32  md5
> # local all postgres peer
>
> 6.  But this doesn't work
>
> # host all all 127.0.0.1/32  md5
> local all postgres peer
>
> Failing with the error:
> 2013-10-16 22:46:55 GMT LOG:  configuration file
> "/etc/postgresql/9.2/main/pg_hba.conf" contains no entries
>
> It seems clear to me now looking at 5 and 6 that there seems to be a
> problem parsing the newline which would also be consistent with the
> earlier 4.  I've verified with hexl-mode in emacs that there are no
> funny hidden characters and the lines are terminated by a single 0x0a
> character.
>
> Can't figure out how it can be possible.  The other files eg.
> postgresql.conf are obviously being read fine.

I have never seen this  in a pg_hba.conf. Of course 
I don't get out much:) Not sure of its purpose. It seems to be in the 
place of the IP mask.

> Bob




--
Adrian Klaver
adrian.kla...@gmail.com




Re: [GENERAL] pg_hba.conf broken after cluster upgrade

2013-10-16 Thread Adrian Klaver

On 10/16/2013 09:46 AM, Bob Jolliffe wrote:
> Hello
>
> I just upgraded my postgresql server from 8.4 to 9.2 on ubuntu linux
> 12.04.  I installed the new version then used pg_upgrade to upgrade and
> replicate the cluster from the old server to the new.
>
> Everything appears to have worked well except that I am left with a
> problem with my pg_hba.conf file.  For some strange reason it only
> accepts a single line.  So by default I had just:
>
> local all postgres ident
>
> All attempts to add any additional lines to this file, such as
>
>   host all all 127.0.0.1/32  md5
>
>   lead to the following error on startup:
>
> 2013-10-16 16:43:41 GMT LOG:  authentication option not in name=value
> format: local
> 2013-10-16 16:43:41 GMT CONTEXT:  line 1 of configuration file
> "/etc/postgresql/9.2/main/pg_hba.conf"
> 2013-10-16 16:43:41 GMT FATAL:  could not load pg_hba.conf
>
> Note that either the host line or the local line on their own are fine.
>   But any attempt to have more than one line (in any order) leads to
> this error.
>
> Any idea what on earth can I have done and how can I fix it?

Can you show a cut and paste of the pg_hba.conf starting before the 
local line and extending below the next line?

> Bob



--
Adrian Klaver
adrian.kla...@gmail.com




[GENERAL] pg_hba.conf broken after cluster upgrade

2013-10-16 Thread Bob Jolliffe
Hello

I just upgraded my postgresql server from 8.4 to 9.2 on ubuntu linux 12.04.
 I installed the new version then used pg_upgrade to upgrade and replicate
the cluster from the old server to the new.

Everything appears to have worked well except that I am left with a problem
with my pg_hba.conf file.  For some strange reason it only accepts a single
line.  So by default I had just:

local all postgres ident

All attempts to add any additional lines to this file, such as

 host all all 127.0.0.1/32 md5

 lead to the following error on startup:

2013-10-16 16:43:41 GMT LOG:  authentication option not in name=value
format: local
2013-10-16 16:43:41 GMT CONTEXT:  line 1 of configuration file
"/etc/postgresql/9.2/main/pg_hba.conf"
2013-10-16 16:43:41 GMT FATAL:  could not load pg_hba.conf

Note that either the host line or the local line on their own are fine.
 But any attempt to have more than one line (in any order) leads to this
error.

Any idea what on earth can I have done and how can I fix it?

Bob


Re: [GENERAL] pg_hba.conf directory?

2012-11-08 Thread Craig Ringer
On 11/09/2012 04:49 AM, Matt Zagrabelny wrote:
> Hello,
>
> I've searched the mailing list archives and google regarding using a
> directory to contain pg_hba.conf snippets. Does such a feature exist
> for any version of PG?
Oh, by the way; proposals are currently being discussed on pgsql-hackers
about making it possible to modify postgresql.conf via SQL commands.
This might be a good time to mention your interest in supporting a
snippet directory. See the thread by Amit Kapila subject "Proposal for
Allow postgresql.conf values to be changed via SQL".

--
Craig Ringer




Re: [GENERAL] pg_hba.conf directory?

2012-11-08 Thread Craig Ringer
On 11/09/2012 04:49 AM, Matt Zagrabelny wrote:
> Hello,
>
> I've searched the mailing list archives and google regarding using a
> directory to contain pg_hba.conf snippets. Does such a feature exist
> for any version of PG?
If I understand you correctly, you want a `pg_hba.conf.d` where
PostgreSQL reads every file in `pg_hba.conf.d` in alphabetical order and
concatenates it to the contents of `pg_hba.conf`? So effectively you can
create a `pg_hba.conf` from a bunch of small files?

If so: No, there is no such feature in PostgreSQL. You might be able to
come up with a convincing argument for the creation of one, especially
if you made it generic enough that it also worked for postgresql.conf,
but you probably won't get enough interest for someone else to write it.
If you want the feature you'll probably need to write it yourself -
after asking on pgsql-hackers to make sure there are no objections to
the idea and that your design is reasonable.


What you CAN do is simulate the feature using init scripts. Have your
PostgreSQL start/stop scripts do something like:

cat pg_hba.conf.head pg_hba.conf.d/* pg_hba.conf.tail > pg_hba.conf

(Note that the glob will sort alphabetically at least in bash; see
http://superuser.com/questions/192280/does-bashs-match-files-in-alphanumeric-order)

Make sure to put prominent comments in pg_hba.conf.head and
pg_hba.conf.tail that explain that pg_hba.conf is a generated file, so
people don't edit it then wonder why it's overwritten.

You'll need to provide a "reload" command that rewrites pg_hba.conf and
then signals PostgreSQL to reload or uses pg_ctl reload, as well as the
usual start and stop commands.

--
Craig Ringer
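
The concatenation step described in this message, sketched in Python as an added example (not Craig Ringer's script and not part of PostgreSQL): it writes the generated file atomically, puts the "generated file" banner at the top, and guards against a snippet with no trailing newline, which plain `cat` would fuse with the next record. The function names and banner text are assumptions; the caller runs `pg_ctl reload` when `write_hba` returns True.

```python
import os
import tempfile
from pathlib import Path

BANNER = "# GENERATED FILE: edit pg_hba.conf.head, pg_hba.conf.d/* or pg_hba.conf.tail\n"


def build_hba(confdir):
    """Return the text of pg_hba.conf assembled from head, sorted snippets, tail."""
    confdir = Path(confdir)
    snippet_dir = confdir / "pg_hba.conf.d"
    snippets = []
    if snippet_dir.is_dir():
        # Sort by file name so the record order (and so the first match) is
        # the same on every host, whatever the shell locale is.
        snippets = sorted((p for p in snippet_dir.iterdir() if p.is_file()),
                          key=lambda p: p.name)
    parts = [confdir / "pg_hba.conf.head", *snippets, confdir / "pg_hba.conf.tail"]

    out = [BANNER]
    for part in parts:
        if not part.is_file():
            continue  # head and tail are optional
        text = part.read_text()
        out.append(f"# --- from {part.relative_to(confdir).as_posix()} ---\n")
        # A snippet without a final newline must not run into the next record.
        out.append(text if text.endswith("\n") or not text else text + "\n")
    return "".join(out)


def write_hba(confdir):
    """Atomically replace pg_hba.conf; return True when the content changed."""
    confdir = Path(confdir)
    target = confdir / "pg_hba.conf"
    new_text = build_hba(confdir)
    if target.is_file() and target.read_text() == new_text:
        return False  # nothing to do, no reload needed

    # mkstemp creates the file readable and writable only by the calling user,
    # so run this as the OS user that owns the cluster.
    fd, tmp_name = tempfile.mkstemp(dir=confdir, prefix=".pg_hba.conf.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(new_text)
        os.replace(tmp_name, target)  # atomic within one filesystem
    except BaseException:
        os.unlink(tmp_name)
        raise
    return True


if __name__ == "__main__":
    import sys
    changed = write_hba(sys.argv[1])
    print("pg_hba.conf rewritten, reload needed" if changed else "pg_hba.conf unchanged")
```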


[GENERAL] pg_hba.conf directory?

2012-11-08 Thread Matt Zagrabelny
Hello,

I've searched the mailing list archives and google regarding using a
directory to contain pg_hba.conf snippets. Does such a feature exist
for any version of PG?

Would this be a better question for a pg dev mailing list?

Please Cc me, I am not (yet) subscribed to the list.

Thanks!

-Matt Zagrabelny




Re: [GENERAL] pg_hba.conf

2010-08-03 Thread A. Kretschmer
In response to quickinfo quickinfo :
> Dear all,
> 
> I am using postgres. when I try to connect to the database it is showing me
> following error. Please look into that and help me out.
> 
> an error occurred:
> 
> FATAL: no pg_hba.conf entry for host "127.0.0.1", user "postgres", database
> "template1", SSL off.
> 
> How do I proceed with this error. What are the things I need to change.

You have to read the doc about the hba-file first!
http://www.postgresql.org/docs/current/static/client-authentication.html

Usually you should not work as user postgres...

Andreas
-- 
Andreas Kretschmer
Kontakt:  Heynitz: 035242/47150,   D1: 0160/7141639 (mehr: -> Header)
GnuPG: 0x31720C99, 1006 CCB4 A326 1D42 6431  2EB0 389D 1DC2 3172 0C99



[GENERAL] pg_hba.conf

2010-08-02 Thread quickinfo quickinfo
Dear all,

I am using postgres. when I try to connect to the database it is showing me
following error. Please look into that and help me out.

an error occurred:

FATAL: no pg_hba.conf entry for host "127.0.0.1", user "postgres", database
"template1", SSL off.

How do I proceed with this error. What are the things I need to change.

Thank you in advance


Re: [GENERAL] pg_hba.conf

2010-04-29 Thread Piotr Kublicki
I had a similar problem: older versions of Postgres have IP addressing in
one column and subnetting/mask in the next one. 8.4 uses CIDR expression in
one column - applying CIDR notation solved my problem. I think it's
advisable to manually correct the pg_hba.conf file instead of replacing it
with the old configuration file from the older version of Postgres.

Cheers, Pete



From:   Scott Mead 
To: jkun...@laurcat.com
Cc: postgres help 
Date:   28/04/2010 18:41
Subject:Re: [GENERAL] pg_hba.conf
Sent by:pgsql-general-ow...@postgresql.org




On Tue, Apr 27, 2010 at 6:42 AM,  wrote:
  I am putting up a new server on version 8.4.3.  I copied pg_hba.conf
  from a running 8.3.6 system, changing only the public IP address for the
  local machine.

  I get the error:
  FATAL: no pg_hba.conf entry for host "209.159.145.248", user "postgres",
  database "arc"

  pg_hba.conf contains the line:
   host    all         all        209.159.145.248      255.255.255.255
  trust


Hmm, just for giggles, does it work using CIDR syntax:

  host    all         all        209.159.145.248/32    trust

 ?

--Scott

--
Scott Mead
Principal Systems Engineer
EnterpriseDB Corporation
The Enterprise Postgres Company

  Other records work (I can connect from my remote site using pgAdmin,
  just fine), so I know the file is being read by posgres.

  Any ideas?

  Thanks in advance,
  Jim


  --
  Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
  To make changes to your subscription:
  http://www.postgresql.org/mailpref/pgsql-general


Re: [GENERAL] pg_hba.conf

2010-04-28 Thread Scott Mead
On Tue, Apr 27, 2010 at 6:42 AM,  wrote:

> I am putting up a new server on version 8.4.3.  I copied pg_hba.conf
> from a running 8.3.6 system, changing only the public IP address for the
> local machine.
>
> I get the error:
> FATAL: no pg_hba.conf entry for host "209.159.145.248", user "postgres",
> database "arc"
>
> pg_hba.conf contains the line:
>  host    all    all    209.159.145.248  255.255.255.255  trust
>
>
Hmm, just for giggles, does it work using CIDR syntax:

  host    all    all    209.159.145.248/32    trust

 ?

--Scott

--
Scott Mead
Principal Systems Engineer
EnterpriseDB Corporation
The Enterprise Postgres Company


> Other records work (I can connect from my remote site using pgAdmin,
> just fine), so I know the file is being read by posgres.
>
> Any ideas?
>
> Thanks in advance,
> Jim
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>


Re: [GENERAL] pg_hba.conf

2010-04-27 Thread Chris Barnes

I've had problems before with the listen_addresses and had to set it 
accordingly. Wouldn't accept connections locally.

listen_addresses = '*'  # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost', '*' = all
# (change requires restart)
port = 5432   

> Date: Tue, 27 Apr 2010 21:08:31 +0900
> From: ketan...@ashisuto.co.jp
> To: pgsql-general@postgresql.org
> Subject: Re: [GENERAL] pg_hba.conf
> 
> Hi
> 
>  >Would there be a line earlier in the file that matches and is preventing
>  >a connection?
> 
> At first, I think so too.
> But if there is a line earlier in the file ,we get following error.
> 
> 
> psql: could not connect to server: Connection refused
>  Is the server running on host "192.168.23.132" and accepting
>  TCP/IP connections on port 1843?
> 
> 
> ex: my pg_hba.conf
> 
> host    all    all    192.168.23.132 255.255.255.255   deny
> host    all    all    192.168.23.132 255.255.255.255   trust
> 
> 
> 
> Jim's message says pg_hba.conf has no entry.
> 
> 
> FATAL: no pg_hba.conf entry for host "209.159.145.248", user "postgres",
> database "arc"
> 
> 
> 1)Is pg_hba.conf's location correct?
>   You can check to execute this command.
> 
> postgres=# show hba_file;
> hba_file
> ---
>   /home/p843/pgdata/pg_hba.conf
> (1 row)
> 
> 2)Did you reload pg_hba.conf?
> If we change pg_hba.conf ,we must execute "pg_ctl reload"
> 
> 3)pg_hba.conf may have a trash.
>Can you recreate pg_hba.conf?
>*Don't copy old pg_hba.conf.
> 
> 
> Thank you.
> 
> > On 27/04/2010 11:42, jkun...@laurcat.com wrote:
> >
> >> I am putting up a new server on version 8.4.3.  I copied pg_hba.conf
> >> from a running 8.3.6 system, changing only the public IP address for the
> >> local machine.
> >>
> >> I get the error:
> >> FATAL: no pg_hba.conf entry for host "209.159.145.248", user "postgres",
> >> database "arc"
> >>
> >> pg_hba.conf contains the line:
> >>   host    all    all    209.159.145.248  255.255.255.255  trust
> >>  
> > Would there be a line earlier in the file that matches and is preventing
> > a connection?
> >
> > Ray.
> >
> >
> 
> 
> -- 
> 
> Kenichiro Tanaka
> K.K.Ashisuto
> http://www.ashisuto.co.jp/english/index.html
> 
> 
> 
> -- 
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
  

Re: [GENERAL] pg_hba.conf

2010-04-27 Thread Kenichiro Tanaka

Hi

>Would there be a line earlier in the file that matches and is preventing
>a connection?

At first, I think so too.
But if there is a line earlier in the file ,we get following error.


psql: could not connect to server: Connection refused
Is the server running on host "192.168.23.132" and accepting
TCP/IP connections on port 1843?


ex: my pg_hba.conf

host    all    all    192.168.23.132 255.255.255.255   deny
host    all    all    192.168.23.132 255.255.255.255   trust



Jim's message says pg_hba.conf has no entry.


FATAL: no pg_hba.conf entry for host "209.159.145.248", user "postgres",
database "arc"


1)Is pg_hba.conf's location correct?
 You can check to execute this command.

postgres=# show hba_file;
   hba_file
---
 /home/p843/pgdata/pg_hba.conf
(1 row)

2)Did you reload pg_hba.conf?
If we change pg_hba.conf ,we must execute "pg_ctl reload"

3)pg_hba.conf may have a trash.
  Can you recreate pg_hba.conf?
  *Don't copy old pg_hba.conf.


Thank you.


> On 27/04/2010 11:42, jkun...@laurcat.com wrote:
>> I am putting up a new server on version 8.4.3.  I copied pg_hba.conf
>> from a running 8.3.6 system, changing only the public IP address for the
>> local machine.
>>
>> I get the error:
>> FATAL: no pg_hba.conf entry for host "209.159.145.248", user "postgres",
>> database "arc"
>>
>> pg_hba.conf contains the line:
>>   host    all    all    209.159.145.248  255.255.255.255  trust
>
> Would there be a line earlier in the file that matches and is preventing
> a connection?
>
> Ray.



--

Kenichiro Tanaka
K.K.Ashisuto
http://www.ashisuto.co.jp/english/index.html





Re: [GENERAL] pg_hba.conf

2010-04-27 Thread Raymond O'Donnell
On 27/04/2010 11:42, jkun...@laurcat.com wrote:
> I am putting up a new server on version 8.4.3.  I copied pg_hba.conf
> from a running 8.3.6 system, changing only the public IP address for the
> local machine.
> 
> I get the error:
> FATAL: no pg_hba.conf entry for host "209.159.145.248", user "postgres",
> database "arc"
> 
> pg_hba.conf contains the line:
>  host    all    all    209.159.145.248  255.255.255.255  trust

Would there be a line earlier in the file that matches and is preventing
a connection?

Ray.

-- 
Raymond O'Donnell :: Galway :: Ireland
r...@iol.ie



[GENERAL] pg_hba.conf

2010-04-27 Thread jkunkel
I am putting up a new server on version 8.4.3.  I copied pg_hba.conf
from a running 8.3.6 system, changing only the public IP address for the
local machine.

I get the error:
FATAL: no pg_hba.conf entry for host "209.159.145.248", user "postgres",
database "arc"

pg_hba.conf contains the line:
 host    all    all    209.159.145.248  255.255.255.255  trust

Other records work (I can connect from my remote site using pgAdmin,
just fine), so I know the file is being read by postgres.

Any ideas?

Thanks in advance,
Jim




Re: [GENERAL] pg_hba.conf - Allow All Connections Over TCP/IP Networks

2010-02-15 Thread John R Pierce

Wang, Mary Y wrote:
> Hi,
>
> I'd like to allow all connections over TCP/IP networks.  So could I just add 
> the following line to the pg_hba.conf in the $PGDATA directory?
> "host   all *   trust"
>
> The database server is located inside a firewall.


   host all all 0.0.0.0/0 trust

or


   host all all 192.168.0.0/24 trust

(or whatever your subnet is in CIDR style network/size notation)

of course, you also need

   listen_addresses = '*'

in your postgresql.conf so the server is listening on all network interfaces

Personally, I still prefer to use md5 rather than trust and use password 
authentication for LAN connections.






[GENERAL] pg_hba.conf - Allow All Connections Over TCP/IP Networks

2010-02-15 Thread Wang, Mary Y
Hi,

I'd like to allow all connections over TCP/IP networks.  So could I just add 
the following line to the pg_hba.conf in the $PGDATA directory?
"host   all *   trust"

The database server is located inside a firewall.

Thanks
Mary






[GENERAL] pg_hba.conf problem in PostgreSQL 8.4 (no-installer)

2009-08-28 Thread Paweł Nieścioruk

Hello,

I'm developing a JSF web application in Java with Tomcat and PostgreSQL on
the server. I use the PostgreSQL 8.x NO INSTALLER version (zip file).
Everything worked fine until I moved from PostgreSQL 8.2 to PostgreSQL 8.4
- now I have problems with starting the registered PostgreSQL service on
Windows XP Prof or Windows Vista (Home Premium). The problem is connected
with pg_hba.conf entries.


Detailed description of the whole process:

My Java code registers the PostgreSQL service under Windows by executing
the command:
"C:\Program Files\MyApplication\database/bin/pg_ctl" -D "C:\Program Files\MyApplication\database\data" register -N PostgreSQL_Service
It works OK (I am doing this on a local account with administrator
privileges, I have the database cluster generated before) - the service is
registered for the Local Service Account. Now my Java code tries to start
the service using the command "sc.exe start PostgreSQL_Service". And this fails.


I would like to use ONE COMMON pg_hba.conf file for XP and Vista. When I
had PostgreSQL version 8.2, the file had these entries:


# IPv4 local connections:
host    all    root    127.0.0.1/32    md5
# IPv6 local connections:
host    all    root    ::1/32          md5

And it WORKED OK for BOTH Windows XP and Vista. Now we changed
PostgreSQL to version 8.4 (still no-installer version) and our
pg_hba.conf file looks like this now:


# IPv4 local connections:
host    all    all    127.0.0.1/32    md5
# IPv6 local connections:
host    all    all    ::1/128         md5

When the last line (IPv6) is present, the registered service does NOT start
under Windows XP BUT WORKS under Vista (this XP Windows has only the IPv4
protocol and it is enabled, Vista has both IPv4 and IPv6 installed and
enabled) - in the Windows Events Log I see an error saying: FATAL:  could
not load pg_hba.conf.


When the last line is removed (or commented), the registered service starts and
WORKS under XP, BUT under VISTA I see an error during startup about a
missing entry for host ::1.


I don't use any antivirus/firewall during the test (it was tested under 
clean Windows installation, standard firewall was deactivated also).


The questions are:
1. Is it possible to have such a common pg_hba.conf file for XP and Vista?
2. Why did it work OK under PostgreSQL 8.2 and stop working under 8.4
(is it somehow connected with the full parsing of pg_hba.conf described
here:
http://www.postgresql.org/docs/8.4/static/release-8-4.html#RELEASE-8-4-PG-HBA-CONF)?


Regards,
Pawel





Re: [GENERAL] pg_hba.conf use hostname not IP

2008-10-07 Thread Alvaro Herrera
Bessette-Halsema, Dominique E. wrote:

> Is there a way to use the hostname that is in the /etc/hosts file
> instead of the IP address in pg_hba.conf

No.  It has been discussed but we've not found a good way in which it
should work.

-- 
Alvaro Herrera                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support



[GENERAL] pg_hba.conf use hostname not IP

2008-10-07 Thread Bessette-Halsema, Dominique E.
Hi

 

Is there a way to use the hostname that is in the /etc/hosts file
instead of the IP address in pg_hba.conf

 

Dominique Bessette

SAIC

(858) 826-9182

 



Re: [GENERAL] pg_hba.conf - md5

2007-06-09 Thread Joshua D. Drake

Vince wrote:
> I want to access my postgres db over the internet.  My pg_hba.conf is
> set up to do this:
> host    all    all    0.0.0.0/0    md5
>
> Now, what I don't understand is how does the "md5" affect things?
>
> If I connect via php:
> $db = pg_connect('host=xx.xx.xx.xx port=5433 dbname=MYDB user=postgres
> password=mypass');
>
> "mypass" being whatever my password is; is still set in plain text?

No, the resultant md5 hash is.

> Why don't I have to send the md5 version of the password to connect?

The driver does it.

Joshua D. Drake

> Thanks,
> Vince.

---(end of broadcast)---
TIP 3: Have you checked our extensive FAQ?

  http://www.postgresql.org/docs/faq




--

  === The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive  PostgreSQL solutions since 1997
 http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL Replication: http://www.commandprompt.com/products/




Re: [GENERAL] pg_hba.conf - md5

2007-06-09 Thread Michael Fuhr
On Sat, Jun 09, 2007 at 02:43:06AM -0700, Vince wrote:
> I want to access my postgres db over the internet.  My pg_hba.conf is
> set up to do this:
> host    all    all    0.0.0.0/0    md5
> 
> Now, what I don't understand is how does the "md5" affect things?

It causes the password exchange between the client and the server
to hash the user's password with a salt (random value) that the
server sends.  This prevents the password from being passed in the
clear and it aims to prevent replay attacks, where an attacker who
had sniffed a previous session could respond to the server's challenge
without knowing the password by resending the same response it had
seen before (such an attack would still work in the unlikely -- but
possible -- event that the attacker had sniffed a previous session
that used the same salt).

MD5 authentication works like this:

Client: username, databasename
Server: MD5 authentication, salt
Client: MD5(MD5(password || username) || salt)

The server performs the same calculation (the user's password is
typically already stored in the system catalogs as MD5(password ||
username)).  If the results match then authentication succeeds.

> If I connect via php:
> $db = pg_connect('host=xx.xx.xx.xx port=5433 dbname=MYDB user=postgres
> password=mypass');
> 
> "mypass" being whatever my password is; is still set in plain text?

No.

> Why don't I have to send the md5 version of the password to connect?

Because libpq (or whatever underlying library you're using) does
that for you.

If you want to allow connections over an open network then consider
using SSL and allowing only hostssl connections from everywhere
except trusted networks.

http://www.postgresql.org/docs/8.2/interactive/ssl-tcp.html

The server could optionally require the client to present a certificate
signed by a specific CA and the client could require the same of the
server; see the discussion of root.crt for more information.

-- 
Michael Fuhr
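
The exchange described in the reply above, written out for both sides as an added example (not code from the thread or from PostgreSQL). The function names and the two salts are constructed for illustration; the "md5" prefix and hex encoding follow the PostgreSQL protocol documentation.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def stored_hash(password: str, username: str) -> str:
    """Catalog form: the literal prefix 'md5' + hex MD5(password || username)."""
    return "md5" + md5_hex((password + username).encode())


def client_response(password: str, username: str, salt: bytes) -> str:
    """What the client library sends: 'md5' + hex MD5(hex inner hash || salt)."""
    inner = md5_hex((password + username).encode())
    return "md5" + md5_hex(inner.encode() + salt)


def server_accepts(catalog_value: str, salt: bytes, response: str) -> bool:
    """Server side: redo the outer hash from the stored value and compare."""
    expected = "md5" + md5_hex(catalog_value[3:].encode() + salt)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    user, password = "postgres", "mypass"      # values from the question
    catalog = stored_hash(password, user)
    salt_a = bytes.fromhex("0a1b2c3d")         # constructed 4-byte salts
    salt_b = bytes.fromhex("99887766")
    recorded = client_response(password, user, salt_a)
    return {
        # Normal login: the response was computed for the salt the server sent.
        "login_ok": server_accepts(catalog, salt_a, recorded),
        # A recorded response is useless once the server picks a new salt ...
        "replay_new_salt": server_accepts(catalog, salt_b, recorded),
        # ... and only works in the case the reply calls unlikely: same salt.
        "replay_same_salt": server_accepts(catalog, salt_a, recorded),
        # The clear-text password never appears in what is sent.
        "password_on_wire": password in recorded,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
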



[GENERAL] pg_hba.conf - md5

2007-06-09 Thread Vince

I want to access my postgres db over the internet.  My pg_hba.conf is
set up to do this:
host    all    all    0.0.0.0/0    md5

Now, what I don't understand is how does the "md5" affect things?

If I connect via php:
$db = pg_connect('host=xx.xx.xx.xx port=5433 dbname=MYDB user=postgres
password=mypass');

"mypass" being whatever my password is; is still set in plain text?
Why don't I have to send the md5 version of the password to connect?

Thanks,
Vince.



Re: [GENERAL] pg_hba.conf

2006-11-19 Thread Tom Allison

Tom Lane wrote:
> Tom Allison <[EMAIL PROTECTED]> writes:
>> host   allall127.0.0.1/32 md5
>> hostsslallall192.168.0.1/24   md5
>    ^^
>
> That needs to be 192.168.0.0/24 ... as is, it won't match anything.
>
>> But I have a localhost client that can't log in because it keeps trying to 
>> authenticate via SSL.



Sorry, I mixed it up.

Copying from the pg_hba.conf:

# Database administrative login by UNIX sockets
local   all         postgres                          ident sameuser

# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD

# "local" is for Unix domain socket connections only
local   all         all                               md5
# IPv4 local connections:
host    dbmail      all         127.0.0.1/32          md5
host    all         all         192.168.1.0/24        md5
host    all         all         192.168.0.0/24        md5
# IPv6 local connections:
host    all         all         ::1/128               md5



I would like to be able to change the lines matching 192.168...
to

hostssl   all   all   192.168

and set ssl=true in postgres.conf

But when I do, the localhost connections try to do ssl first and then fail.

Setting
hostnossl  dbmail   all 127.0.0.1/32  md5

didn't seem to help but I might have missed something at the time.



Re: [GENERAL] pg_hba.conf

2006-11-19 Thread Tom Lane
Tom Allison <[EMAIL PROTECTED]> writes:
> host   allall127.0.0.1/32 md5
> hostsslallall192.168.0.1/24   md5
   ^^

That needs to be 192.168.0.0/24 ... as is, it won't match anything.

> But I have a localhost client that can't log in because it keeps trying to 
> authenticate via SSL.

That seems unrelated --- your first line should match any local-loopback
connection, regardless of SSL or not.

regards, tom lane
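
A small evaluator for the points made in this thread, as an added example (not PostgreSQL code and not from any poster): records are tried top to bottom, `host` applies with or without SSL, `hostssl` only with SSL, and an address with bits set outside its mask is flagged. Assumptions: `parse_hba` and `first_match` are hypothetical names, database and user fields are only `all` or an exact name, and a flagged record is treated as non-matching because the reply above says so.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    lineno: int
    conntype: str               # local, host, hostssl or hostnossl
    database: str
    user: str
    network: Optional[object]   # ipaddress network; None for "local"
    method: str
    host_bits_set: bool         # address has bits set outside its mask


def parse_hba(text: str) -> List[Rule]:
    """Parse the subset of pg_hba.conf syntax quoted in these threads."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        conntype, database, user, rest = fields[0], fields[1], fields[2], fields[3:]
        if conntype == "local":
            rules.append(Rule(lineno, conntype, database, user, None, rest[0], False))
            continue
        if "/" in rest[0]:                 # CIDR form: 192.168.0.0/24
            spec, method = rest[0], rest[1]
        else:                              # older form: address and netmask columns
            spec, method = f"{rest[0]}/{rest[1]}", rest[2]
        network = ipaddress.ip_network(spec, strict=False)
        written = ipaddress.ip_interface(spec).ip
        rules.append(Rule(lineno, conntype, database, user, network, method,
                          written != network.network_address))
    return rules


def first_match(rules, database, user, client_ip=None, ssl=False) -> Optional[Rule]:
    """Return the first applicable record; client_ip=None means a Unix socket."""
    addr = ipaddress.ip_address(client_ip) if client_ip else None
    for rule in rules:
        if addr is None:
            if rule.conntype != "local":
                continue
        else:
            if rule.conntype == "local":
                continue
            if rule.conntype == "hostssl" and not ssl:
                continue
            if rule.conntype == "hostnossl" and ssl:
                continue
            # Assumption taken from the reply above, not verified server
            # behaviour: a record such as 192.168.0.1/24 matches nothing.
            if rule.host_bits_set:
                continue
            if addr.version != rule.network.version or addr not in rule.network:
                continue
        if rule.database not in ("all", database) or rule.user not in ("all", user):
            continue
        return rule
    return None                            # "no pg_hba.conf entry for host ..."


# Constructed from the two records posted in the thread.
POSTED = (
    "host     all  all  127.0.0.1/32    md5\n"
    "hostssl  all  all  192.168.0.1/24  md5\n"
)
CORRECTED = POSTED.replace("192.168.0.1/24", "192.168.0.0/24")

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("corrected", CORRECTED)):
        rules = parse_hba(conf)
        for ip, ssl in (("127.0.0.1", False), ("127.0.0.1", True),
                        ("192.168.0.7", True), ("192.168.0.7", False)):
            hit = first_match(rules, "dbmail", "tom", ip, ssl)
            print(label, ip, "ssl" if ssl else "nossl",
                  f"line {hit.lineno}" if hit else "no entry")
```
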



Re: [GENERAL] pg_hba.conf

2006-11-19 Thread Russell Smith

Tom Allison wrote:
> Ran into a mystery that I can't seem to figure out
>
> I want to authenticate using SSL for all external IP addresses that I 
> have in my subnet.  I also want to be able to authenticate via non-SSL 
> for localhost (not unix socket).
>
> I thought something like this would work:
>
> host   allall127.0.0.1/32 md5
> hostsslallall192.168.0.1/24   md5
>
> But I have a localhost client that can't log in because it keeps 
> trying to authenticate via SSL.
>
> What am I doing wrong?  It seems simple enough.

What command are you typing?

#nonssl
postgres$ psql -h localhost postgres
#ssl
postgres$ psql -h 192.168.1.1 postgres





[GENERAL] pg_hba.conf

2006-11-19 Thread Tom Allison

Ran into a mystery that I can't seem to figure out


I want to authenticate using SSL for all external IP addresses that I have in my 
subnet.  I also want to be able to authenticate via non-SSL for localhost (not 
unix socket).


I thought something like this would work:

host   allall127.0.0.1/32 md5
hostsslallall192.168.0.1/24   md5

But I have a localhost client that can't log in because it keeps trying to 
authenticate via SSL.


What am I doing wrong?  It seems simple enough.



Re: [GENERAL] pg_hba.conf errors

2006-03-31 Thread Tom Lane
"Bradley W. Dutton" <[EMAIL PROTECTED]> writes:
> Does anyone know if there were any updates to this issue?
> http://archives.postgresql.org/pgsql-hackers/2003-06/msg00195.php

That was fixed in 7.4, see sslmode connection option and PGSSLMODE
environment variable.

regards, tom lane



[GENERAL] pg_hba.conf errors

2006-03-31 Thread Bradley W. Dutton
Hi,

Does anyone know if there were any updates to this issue?
http://archives.postgresql.org/pgsql-hackers/2003-06/msg00195.php

As it is now our web server running PHP attempts to connect to the DB
using SSL (which is off), the server rejects the connection, logs it, then
the client successfully connects without SSL. There isn't a real problem
per se, but I would like to get rid of the error messages:
Mar 31 15:07:16 db1 postgres[16474]: [4-1] FATAL:  no pg_hba.conf entry
for host  "", user "", database "", SSL on

Thanks for your time,
Brad




Re: [GENERAL] Pg_hba.conf issues

2006-02-16 Thread Raymond O'Donnell
On 15 Feb 2006 at 15:44, Colin Shreffler wrote:

> host  all  all  192.168.0.0  255.255.255.0 trust

Is there any other, more restrictive, line *above* this one in the 
file? The order of entries does seem to make a difference.

--Ray.

-
Raymond O'Donnell http://www.galwaycathedral.org/recitals
[EMAIL PROTECTED]  Galway Cathedral Recitals
-




Re: [GENERAL] Pg_hba.conf issues

2006-02-15 Thread Tom Lane
Colin Shreffler <[EMAIL PROTECTED]> writes:
> I have tried entering the following record in the file, but it does not
> grant me access.

(1) did you remember to sighup the postmaster after changing the file?
(2) what error message do you get *exactly*?  What shows up in the
postmaster log file?

regards, tom lane



[GENERAL] Pg_hba.conf issues

2006-02-15 Thread Colin Shreffler
I am not able to successfully create an entry in the pg_hba.conf file to
enable remote access to my postgres database.

The postmaster process HAS been initialized to accept tcp/ip connections.

I have tried entering the following record in the file, but it does not
grant me access.

host  all  all  192.168.0.0  255.255.255.0 trust

NOTE: I'm trying to access the server using pgAdmin 3 on my dev machine.
Dev/Client machine is OS X Tiger and server is OS X Tiger Server.

I would think that this would be the least restrictive access for our local
area network.  I'm trying to get it to work in the least secure mode first
and then tighten down the security after I know its working.

Does anyone have any ideas?

Thanks,
Colin Shreffler





Re: [GENERAL] pg_hba.conf changes without restarting postmaster

2004-08-02 Thread Secrétariat
If you launch your postgres server at startup (in init.d),
you only have to type :
# service postgresql reload
It works fine.
Luc

- Original Message - 
From: "Christopher Browne" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, July 31, 2004 3:09 AM
Subject: Re: [GENERAL] pg_hba.conf changes without restarting postmaster


> After a long battle with technology, [EMAIL PROTECTED] (Si Chen), an
> earthling, wrote:
> > It seems that every time I make a change to pg_hba.conf, I have to
> > restart the database server for the new authentication to take effect.
> > Is there a way to have the server use the new pg_hba.conf
> > authentication without restarting the production server.
>
> You NEVER need to restart the database server to reflect pg_hba.conf
> changes.
>
> The command "pg_ctl -D $PGDATA reload" will cause the server to reload
> the contents of pg_hba.conf, assuming PGDATA is appropriately set.
> Several other methods are possible, all of which ultimately amount to
> sending the signal SIGHUP to the postmaster.
> -- 
> (format nil "[EMAIL PROTECTED]" "cbbrowne" "ntlug.org")
> http://www3.sympatico.ca/cbbrowne/linux.html
> I found out why  cats drink out of the toilet. My  mother told me it's
> because it's cold in there. And I'm like: How did my mother know THAT?
> --Wendy Liebman
>




Re: [GENERAL] PG_HBA.conf still keeps complaining. I've done all I could imagine.

2004-05-20 Thread Tom Lane
[EMAIL PROTECTED] (Liza) writes:
> When I try to connect to the postgresql server in pgmanage, or through
> an ODBC from other windows machines I get a message:
> "missing or erroneous pg_hba.conf file"

> Here is my pg_hba.conf:

> local all trust
> host  10.1.9.0255.255.255.0   trust
> host  127.0.0.1   255.255.255.255 trust

What PG version was this?  Recent versions expect an additional column
(username) in pg_hba.conf.

regards, tom lane



Re: [GENERAL] pg_hba.conf change in 7.4

2003-12-07 Thread Bruce Momjian
Seum-Lim Gan wrote:
> Hi Bruce,
> 
> I tried to newly compiled 7.4 with HAVE_IPV6 commented out
> in /src/include/pg_config.h.
> 
> After that I tried psql:
> 
> psql -U scncraft -h localhost
> psql: FATAL:  no pg_hba.conf entry for host "::1", user "scncraft", 
> database "A"
> 
> This happens the same way whether I have this line in pg_hba.conf or not:
> # IPv6-style local connections:
> hostall all ::1 
> ::::::
> :ident pspmap

Forget ident at this point.  Let's see if we can get your machine to use
the IPv4 line in pg_hba.conf.

Try this --- compile with IPv6 commented out, as you have done, then
remove the ::1 line from pg_hba.conf, and see if you can connect using
this:

> psql -U scncraft -h 127.0.0.1

and see what happens.  Is your 'localhost' mapped to an IPv4 OR IPv6
address?  Also, I am sure you realized you can connect without -h just
using unix domain sockets, but that will not allow you to use ident.

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 359-1001
  +  If your life is a hard drive, |  13 Roberts Road
  +  Christ can be your backup.|  Newtown Square, Pennsylvania 19073



Re: [GENERAL] pg_hba.conf change in 7.4

2003-12-07 Thread Bruce Momjian

Yes, I am not suspecting that there is something strange with that
Solaris installation.  Maybe everything is IPv6.  We certainly have lots
of Solaris users.

Are all Solaris connections coming in as IPv6?  That seems impossible
because we didn't support IPv6 in PostgreSQL 7.3 and it worked fine.
Now, I can see Solaris favoring IPv6 if we listen on IPv4 and IPv6, but
if you compiled with IPv6 disabled, we don't listen on that port and I
can't see how the connection could be coming in on IPv6.

I think you need to dig into Solaris to see what netstat shows and how
your localhost is mapped on your machine.

---

Joshua D. Drake wrote:
> Hello,
> 
>  Also solaris has an option to not use IPV6 at least with Solaris 9. 
> When we installed
> it it asked us if we wanted IPV6 support. We just said no.
> 
> Sincerely,
> 
> Joshua D. Drake
> 
> 
> Seum-Lim Gan wrote:
> 
> > Hi Bruce,
> >
> > Thanks for the recommendation.
> >
> > I will edit the pg_config.h file and comment out the
> > HAVE_IPV6 #define.
> > It is now defined as 0.
> >
> > Earlier on, I tried to set IPV6 to no or 0 in configure.ih
> > and then configure and rebuild but that did not work.
> >
> > Will let you know if commenting out the HAVE_IPV6 will work.
> >
> > Thanks.
> >
> > Gan
> >
> > At 11:28 am -0500 2003/12/6, Bruce Momjian wrote:
> >
> >> Seum-Lim Gan wrote:
> >>
> >>>  Hi Bruce,
> >>>
> >>>  I wonder if there is any recommendation to this ?
> >>>  Is there a way to configure PostgreSQL to not use
> >>>  IPv6 ?
> >>
> >>
> >> One idea is to edit include/pg_config.h and comment out HAVE_IPV6 and
> >> recompile and see if it works.  That will disable the postmaster from
> >> listening on IPv6.
> >>
> >> -- 
> >>   Bruce Momjian|  http://candle.pha.pa.us
> >>   [EMAIL PROTECTED]   |  (610) 359-1001
> >>   +  If your life is a hard drive, |  13 Roberts Road
> >>   +  Christ can be your backup.|  Newtown Square, 
> >> Pennsylvania 19073
> >>
> >> ---(end of broadcast)---
> >> TIP 3: if posting/reading through Usenet, please send an appropriate
> >>   subscribe-nomail command to [EMAIL PROTECTED] so that your
> >>   message can get through to the mailing list cleanly
> >
> >
> >
> 
> -- 
> Command Prompt, Inc., home of Mammoth PostgreSQL - S/ODBC - S/JDBC
> Postgresql support, programming, shared hosting and dedicated hosting.
> +1-503-222-2783 - [EMAIL PROTECTED] - http://www.commandprompt.com
> 
> 

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 359-1001
  +  If your life is a hard drive, |  13 Roberts Road
  +  Christ can be your backup.|  Newtown Square, Pennsylvania 19073



Re: [GENERAL] pg_hba.conf change in 7.4

2003-12-07 Thread Joshua D. Drake
Hello,

Also solaris has an option to not use IPV6 at least with Solaris 9. 
When we installed
it it asked us if we wanted IPV6 support. We just said no.

Sincerely,

Joshua D. Drake

Seum-Lim Gan wrote:

> Hi Bruce,
>
> Thanks for the recommendation.
>
> I will edit the pg_config.h file and comment out the
> HAVE_IPV6 #define.
> It is now defined as 0.
> Earlier on, I tried to set IPV6 to no or 0 in configure.ih
> and then configure and rebuild but that did not work.
> Will let you know if commenting out the HAVE_IPV6 will work.
>
> Thanks.
>
> Gan
>
> At 11:28 am -0500 2003/12/6, Bruce Momjian wrote:
>
>> Seum-Lim Gan wrote:
>>
>>>  Hi Bruce,
>>>
>>>  I wonder if there is any recommendation to this ?
>>>  Is there a way to configure PostgreSQL to not use
>>>  IPv6 ?
>>
>> One idea is to edit include/pg_config.h and comment out HAVE_IPV6 and
>> recompile and see if it works.  That will disable the postmaster from
>> listening on IPv6.
>> --
>>   Bruce Momjian|  http://candle.pha.pa.us
>>   [EMAIL PROTECTED]   |  (610) 359-1001
>>   +  If your life is a hard drive, |  13 Roberts Road
>>   +  Christ can be your backup.|  Newtown Square, 
>> Pennsylvania 19073
>>
>> ---(end of broadcast)---
>> TIP 3: if posting/reading through Usenet, please send an appropriate
>>   subscribe-nomail command to [EMAIL PROTECTED] so that your
>>   message can get through to the mailing list cleanly



--
Command Prompt, Inc., home of Mammoth PostgreSQL - S/ODBC - S/JDBC
Postgresql support, programming, shared hosting and dedicated hosting.
+1-503-222-2783 - [EMAIL PROTECTED] - http://www.commandprompt.com




Re: [GENERAL] pg_hba.conf change in 7.4

2003-12-07 Thread Seum-Lim Gan
Hi Bruce,

I tried to newly compiled 7.4 with HAVE_IPV6 commented out
in /src/include/pg_config.h.
After that I tried psql:

psql -U scncraft -h localhost
psql: FATAL:  no pg_hba.conf entry for host "::1", user "scncraft", 
database "A"

This happens the same way whether I have this line in pg_hba.conf or not:
# IPv6-style local connections:
hostall all ::1 
::::::
:ident pspmap

Thanks.

Gan

At 8:48 am -0600 2003/12/7, Seum-Lim Gan wrote:
Hi Bruce,

I am rebuilding now and noticed some error that I may have missed
since the last time I build 7.4.
Essentially the postmaster, bin, lib have been built and server is able to
start and I am able to create a new DB and etc.
Will let you know if the commenting out the HAVE_IPV6 will work.
Meanwhile, the following probably needs to be looked at.
Some background: src/template/solaris has been changed to use -mt instead
of -pthread. Built with Sun Workshop in Solaris 9.
"pl_funcs.c", line 403: warning: argument #1 is incompatible with prototype:
prototype: pointer to const unsigned char : 
"../../../../src/include/mb/
pg_wchar.h", line 291
argument : pointer to char
UX tsort: INFORM: cycle in data
pl_comp.o
pl_gram.o
"plperl.c", line 317: undefined symbol: thr
"plperl.c", line 317: left operand of "->" must be pointer to struct/union
"plperl.c", line 323: left operand of "->" must be pointer to struct/union
"plperl.c", line 323: left operand of "->" must be pointer to struct/union
"plperl.c", line 323: left operand of "->" must be pointer to struct/union
"plperl.c", line 323: left operand of "->" must be pointer to struct/union
"plperl.c", line 437: undefined symbol: thr
"plperl.c", line 437: left operand of "->" must be pointer to struct/union
"plperl.c", line 443: left operand of "->" must be pointer to struct/union
"plperl.c", line 443: left operand of "->" must be pointer to struct/union
"plperl.c", line 443: left operand of "->" must be pointer to struct/union
"plperl.c", line 443: left operand of "->" must be pointer to struct/union
cc: acomp failed for plperl.c
make[3]: *** [plperl.o] Error 2
make[2]: *** [all] Error 2
make[1]: *** [all] Error 2


Yes, you have to comment it out like the other items in the file.

---

Seum-Lim Gan wrote:
 Hi Bruce,

 Thanks for the recommendation.

 I will edit the pg_config.h file and comment out the
 HAVE_IPV6 #define.
 It is now defined as 0.
 Earlier on, I tried to set IPV6 to no or 0 in configure.ih
 and then configure and rebuild but that did not work.
 Will let you know if commenting out the HAVE_IPV6 will work.

 Thanks.

 Gan

 At 11:28 am -0500 2003/12/6, Bruce Momjian wrote:
 >Seum-Lim Gan wrote:
 >>  Hi Bruce,
 >>
 >>  I wonder if there is any recommendation to this ?
 >>  Is there a way to configure PostgreSQL to not use
 >>  IPv6 ?
 >
 >One idea is to edit include/pg_config.h and comment out HAVE_IPV6 and
 >recompile and see if it works.  That will disable the postmaster from
 >listening on IPv6.
 >
 >--
 >   Bruce Momjian|  http://candle.pha.pa.us
 >   [EMAIL PROTECTED]   |  (610) 359-1001
 >   +  If your life is a hard drive, |  13 Roberts Road
 >   +  Christ can be your backup.|  Newtown Square, 
Pennsylvania 19073
 >
 >---(end of broadcast)---
 >TIP 3: if posting/reading through Usenet, please send an appropriate
 >   subscribe-nomail command to [EMAIL PROTECTED] so that your
 >   message can get through to the mailing list cleanly

 --
 ++
 | Seum-Lim GAN email : [EMAIL PROTECTED]  |
 | Lucent Technologies|
 | 2000 N. Naperville Road, 6B-403F  tel : (630)-713-6665 |
 | Naperville, IL 60566, USA.fax : (630)-713-7272 |
 |   web : http://inuweb.ih.lucent.com/~slgan |
 ++
 ---(end of broadcast)---
 TIP 8: explain analyze is your friend
--
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 359-1001
  +  If your life is a hard drive, |  13 Roberts Road
  +  Christ can be your backup.|  Newtown Square, Pennsylvania 19073


--
++
| Seum-Lim GAN email : [EMAIL PROTECTED]  |
| Lucent Technologies|
| 2000 N. Naperville Road, 6B-403F  tel : (630)-713-6665 |
| Naperville, IL 60566, USA.fax : (630)-713-7272 |
|   web : http://inuweb.ih.lucent.com/~slgan |
++

Re: [GENERAL] pg_hba.conf change in 7.4

2003-12-07 Thread Seum-Lim Gan
Hi Bruce,

I am rebuilding now and noticed some error that I may have missed
since the last time I build 7.4.
Essentially the postmaster, bin, lib have been built and server is able to
start and I am able to create a new DB and etc.
Will let you know if the commenting out the HAVE_IPV6 will work.
Meanwhile, the following probably needs to be looked at.
Some background: src/template/solaris has been changed to use -mt instead
of -pthread. Built with Sun Workshop in Solaris 9.
"pl_funcs.c", line 403: warning: argument #1 is incompatible with prototype:
prototype: pointer to const unsigned char : 
"../../../../src/include/mb/
pg_wchar.h", line 291
argument : pointer to char
UX tsort: INFORM: cycle in data
pl_comp.o
pl_gram.o
"plperl.c", line 317: undefined symbol: thr
"plperl.c", line 317: left operand of "->" must be pointer to struct/union
"plperl.c", line 323: left operand of "->" must be pointer to struct/union
"plperl.c", line 323: left operand of "->" must be pointer to struct/union
"plperl.c", line 323: left operand of "->" must be pointer to struct/union
"plperl.c", line 323: left operand of "->" must be pointer to struct/union
"plperl.c", line 437: undefined symbol: thr
"plperl.c", line 437: left operand of "->" must be pointer to struct/union
"plperl.c", line 443: left operand of "->" must be pointer to struct/union
"plperl.c", line 443: left operand of "->" must be pointer to struct/union
"plperl.c", line 443: left operand of "->" must be pointer to struct/union
"plperl.c", line 443: left operand of "->" must be pointer to struct/union
cc: acomp failed for plperl.c
make[3]: *** [plperl.o] Error 2
make[2]: *** [all] Error 2
make[1]: *** [all] Error 2



Yes, you have to comment it out like the other items in the file.

---

Seum-Lim Gan wrote:
 Hi Bruce,

 Thanks for the recommendation.

 I will edit the pg_config.h file and comment out the
 HAVE_IPV6 #define.
 It is now defined as 0.
 Earlier on, I tried to set IPV6 to no or 0 in configure.ih
 and then configure and rebuild but that did not work.
 Will let you know if commenting out the HAVE_IPV6 will work.

 Thanks.

 Gan

 At 11:28 am -0500 2003/12/6, Bruce Momjian wrote:
 >Seum-Lim Gan wrote:
 >>  Hi Bruce,
 >>
 >>  I wonder if there is any recommendation to this ?
 >>  Is there a way to configure PostgreSQL to not use
 >>  IPv6 ?
 >
 >One idea is to edit include/pg_config.h and comment out HAVE_IPV6 and
 >recompile and see if it works.  That will disable the postmaster from
 >listening on IPv6.
 >
 >--
 >   Bruce Momjian|  http://candle.pha.pa.us
 >   [EMAIL PROTECTED]   |  (610) 359-1001
 >   +  If your life is a hard drive, |  13 Roberts Road
 >   +  Christ can be your backup.|  Newtown Square, 
Pennsylvania 19073
 >
 >---(end of broadcast)---
 >TIP 3: if posting/reading through Usenet, please send an appropriate
 >   subscribe-nomail command to [EMAIL PROTECTED] so that your
 >   message can get through to the mailing list cleanly

 --
 ++
 | Seum-Lim GAN email : [EMAIL PROTECTED]  |
 | Lucent Technologies|
 | 2000 N. Naperville Road, 6B-403F  tel : (630)-713-6665 |
 | Naperville, IL 60566, USA.fax : (630)-713-7272 |
 |   web : http://inuweb.ih.lucent.com/~slgan |
 ++
 ---(end of broadcast)---
 TIP 8: explain analyze is your friend
--
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 359-1001
  +  If your life is a hard drive, |  13 Roberts Road
  +  Christ can be your backup.|  Newtown Square, Pennsylvania 19073


--
++
| Seum-Lim GAN email : [EMAIL PROTECTED]  |
| Lucent Technologies|
| 2000 N. Naperville Road, 6B-403F  tel : (630)-713-6665 |
| Naperville, IL 60566, USA.fax : (630)-713-7272 |
|   web : http://inuweb.ih.lucent.com/~slgan |
++


Re: [GENERAL] pg_hba.conf change in 7.4

2003-12-04 Thread Seum-Lim Gan


Hi Bruce,

I wonder if there is any recommendation to this ?
Is there a way to configure PostgreSQL to not use
IPv6 ?

We are also wonder if there is a version of Ident server
that the PostgreSQL community knows that will work
with IPv6.

Thanks.

Gan

At 11:37 am -0600 2003/11/20, Seum-Lim Gan wrote:
Hi Bruce,

We are using Sun Solaris 9 on Sparc.
uname -a :

SunOS test01 5.9 Generic_112233-04 sun4u sparc SUNW,Ultra-80

Gan

At 12:29 pm -0500 2003/11/20, Bruce Momjian wrote:
I think what happens is that when we listen on IPv4 and IPv6, that all
connections get IPv6.  What OS are you using?

---

Seum-Lim Gan wrote:
> Hi Bruce,
>
> Thanks for the info.
> I captured the netstat output below.
>
> Looks like there is a bunch of IPv4 being used.
>
> Any idea how this can be resolved ?
>
> Thanks.
>
> Gan
>
> UDP: IPv6
>    Local Address      Remote Address     State      If
> ------------------ ------------------ ---------- -----
> localhost.35847    localhost.35847    Connected
>
> TCP: IPv4
>    Local Address    Remote Address   Swind Send-Q Rwind Recv-Q  State
> ---------------- ---------------- ----- ------ ----- ------ -----------
> localhost.32906  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32906  49152      0 49152      0 ESTABLISHED
> localhost.32908  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32908  49152      0 49152      0 ESTABLISHED
> localhost.32910  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32910  49152      0 49152      0 ESTABLISHED
> localhost.32911  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32911  49152      0 49152      0 ESTABLISHED
> localhost.32913  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32913  49152      0 49152      0 ESTABLISHED
> localhost.32915  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32915  49152      0 49152      0 ESTABLISHED
> localhost.32917  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32917  49152      0 49152      0 ESTABLISHED
> localhost.32919  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32919  49152      0 49152      0 ESTABLISHED
> localhost.32920  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32920  49152      0 49152      0 ESTABLISHED
> localhost.32922  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32922  49152      0 49152      0 ESTABLISHED
> localhost.32923  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32923  49152      0 49152      0 ESTABLISHED
> localhost.32924  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32924  49152      0 49152      0 ESTABLISHED
> localhost.32926  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500  localhost.32926  49152      0 49152      0 ESTABLISHED
> localhost.32927  localhost.14500  49152      0 49152      0 ESTABLISHED
> localhost.14500 
localhost.32927 
49152  0 49152 
0 ESTABLISHED
> localhost.33086 
localhost.14500 
49152  0 49152 
0 ESTABLISHED
> localhost.14500 
localhost.33086 
49152  0 49152 
0 ESTABLISHED
> localhost.33087 
localhost.14500 
49152  0 49152 
0 ESTABLISHED
> localhost.14500 
localhost.33087 
49152  0 49152 
0 ESTABLISHED
>
localhost.50882 
localhost.14502 
49152  0 49152 
0 ESTABLISHED
> localhost.14502 
localhost.50882 
49152  0 49152 
0 ESTABLISHED
> localhost.50883 
localhost.14500 
49152  0 49152 
0 ESTABLISHED
> localhost.14500 
localhost.50883 
49152  0 49152 
0 ESTABLISHED
>
> At 12:11 pm -0500 2003/11/20, Bruce Momjian wrote:
> >Seum-Lim Gan wrote:
> >>  Hi,
> >>
> >>  In 7.4, I noticed there is this ::1 and : (x8 of them)
> >>  for IPv6.
> >>
> >>  I looked at the documentation and there is nothing that says
> >>  what the ::1 is for.
> >
> >The ::1 is a IPv6 shorthand for 127.0.0.1 (localhost).
> >
> >>  Commenting out that line will prevent access to PostgreSQL
>

Re: [GENERAL] pg_hba.conf problem

2003-12-01 Thread David Nedrow
On Nov 30, 2003, at 21:01, Tom Lane wrote:

> The only other idea I can think of is he's editing the wrong pg_hba.conf
> file; we've seen a couple of people make that mistake.  (David, the
> right pg_hba.conf file is the one in the $PGDATA directory.  If you
> don't see a postmaster.pid file in the same directory that appears and
> disappears when you start and stop the postmaster, then you're in the
> wrong directory ...)


Ta-Da!

That was it. For some reason, I had an old pgsql/data tree laying 
around that I was futzing with. Looking for postmaster.pid did the 
trick.

What I can't figure out is how I was breaking "local" access by editing 
the non-local file. Maybe I was just too tired after 18 hours of 
debugging Mozilla stuff. 

Thanks for the help.

-David



Re: [GENERAL] pg_hba.conf change in 7.4

2003-11-20 Thread Seum-Lim Gan
Hi Bruce,

We are using Sun Solaris 9 on Sparc. uname -a :

SunOS test01 5.9 Generic_112233-04 sun4u sparc SUNW,Ultra-80

Gan

At 12:29 pm -0500 2003/11/20, Bruce Momjian wrote:
I think what happens is that when we listen on IPv4 and IPv6, that all
connections get IPv6.  What OS are you using?
---

Seum-Lim Gan wrote:
 Hi Bruce,

 Thanks for the info.
 I captured the netstat output below.
 Looks like there is a bunch of IPv4 being used.

 Any idea how this can be resolved ?

 Thanks.

 Gan

 >
 At 12:11 pm -0500 2003/11/20, Bruce Momjian wrote:
 >Seum-Lim Gan wrote:
 >>  Hi,
 >>
 >>  In 7.4, I noticed there is this ::1 and : (x8 of them)
 >>  for IPv6.
 >>
 >>  I looked at the documentation and there is nothing that says
 >>  what the ::1 is for.
 >
 >The ::1 is a IPv6 shorthand for 127.0.0.1 (localhost).
 >
 >>  Commenting out that line will prevent access to PostgreSQL
 >>  from psql unless I put trust for that line.
 >>
 >>  This is what I had in 7.3.4:
 >>  host    all all 127.0.0.1 255.255.255.255 ident pspmap
 >>  local   all all password
 >>  host    all all 0.0.0.0 0.0.0.0  reject
 >>
 >>  But in 7.4, it does not work anymore. It seems to want ::1 to be somewhere.
 >>  If I change the line with ::1 from trust to ident pspmap, it complains that
 >>  the user cannot be found. But it is in the pspmap. Message from psql:
 >
 >Seems you have an OS that makes all connections IPv6, even IPv4 ones.
 >That is why we had to have that line in there.  Seems ::1 controls your
 >local connections on that platform.  Some platforms have distinct IPv4
 >and IPv6 connections, so we have to include both lines in the file.
 >
 >>  Right now, I have it set to trust to

Re: [GENERAL] pg_hba.conf change in 7.4

2003-11-20 Thread Bruce Momjian

I think what happens is that when we listen on IPv4 and IPv6, that all
connections get IPv6.  What OS are you using?

---

Seum-Lim Gan wrote:
> Hi Bruce,
> 
> Thanks for the info.
> I captured the netstat output below.
> 
> Looks like there is a bunch of IPv4 being used.
> 
> Any idea how this can be resolved ?
> 
> Thanks.
> 
> Gan
> 
> UDP: IPv6
> Local Address Remote Address 
> State  If 
> - - 
> -- -
> localhost.35847   localhost.35847   Connected
> 
> TCP: IPv4
> Local AddressRemote AddressSwind Send-Q Rwind Recv-Q  State
>   - -- - -- ---
> localhost.32906  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32906  49152  0 49152  0 ESTABLISHED
> localhost.32908  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32908  49152  0 49152  0 ESTABLISHED
> localhost.32910  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32910  49152  0 49152  0 ESTABLISHED
> localhost.32911  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32911  49152  0 49152  0 ESTABLISHED
> localhost.32913  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32913  49152  0 49152  0 ESTABLISHED
> localhost.32915  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32915  49152  0 49152  0 ESTABLISHED
> localhost.32917  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32917  49152  0 49152  0 ESTABLISHED
> localhost.32919  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32919  49152  0 49152  0 ESTABLISHED
> localhost.32920  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32920  49152  0 49152  0 ESTABLISHED
> localhost.32922  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32922  49152  0 49152  0 ESTABLISHED
> localhost.32923  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32923  49152  0 49152  0 ESTABLISHED
> localhost.32924  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32924  49152  0 49152  0 ESTABLISHED
> localhost.32926  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32926  49152  0 49152  0 ESTABLISHED
> localhost.32927  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.32927  49152  0 49152  0 ESTABLISHED
> localhost.33086  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.33086  49152  0 49152  0 ESTABLISHED
> localhost.33087  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.33087  49152  0 49152  0 ESTABLISHED
> localhost.50882  localhost.14502  49152  0 49152  0 ESTABLISHED
> localhost.14502  localhost.50882  49152  0 49152  0 ESTABLISHED
> localhost.50883  localhost.14500  49152  0 49152  0 ESTABLISHED
> localhost.14500  localhost.50883  49152  0 49152  0 ESTABLISHED
> 
> At 12:11 pm -0500 2003/11/20, Bruce Momjian wrote:
> >Seum-Lim Gan wrote:
> >>  Hi,
> >>
> >>  In 7.4, I noticed there is this ::1 and : (x8 of them)
> >>  for IPv6.
> >>
> >>  I looked at the documentation and there is nothing that says
> >>  what the ::1 is for.
> >
> >The ::1 is a IPv6 shorthand for 127.0.0.1 (localhost).
> >
> >>  Commenting out that line will prevent access to PostgreSQL
> >>  from psql unless I put trust for that line.
> >>
> >>  This is what I had in 7.3.4:
> >>  host    all all 127.0.0.1 255.255.255.255 ident pspmap
> >>  local   all all password
> >>  host    all all 0.0.0.0 0.0.0.0  reject
> >>
> >>  But in 7.4, it does not work anymore. It seems to want ::1 to be somewhere.
> >>  If I change the line with ::1 from trust to ident pspmap, it complains that
> >>  the user cannot be found. But it is in the pspmap. Message from psql:
> >
> >Seems you have an OS that makes all connections IPv6, even IPv4 ones.
> >That is why we had to have that line in there.  Seems ::1 controls your
> >local connections on that platform.  Some platforms have dist

Re: [GENERAL] pg_hba.conf change in 7.4

2003-11-20 Thread Seum-Lim Gan
Hi Bruce,

Thanks for the info.
I captured the netstat output below.
Looks like there is a bunch of IPv4 being used.

Any idea how this can be resolved ?

Thanks.

Gan

UDP: IPv6
   Local Address Remote Address 
State  If 
- - 
-- -
localhost.35847   localhost.35847   Connected

TCP: IPv4
   Local AddressRemote AddressSwind Send-Q Rwind Recv-Q  State
  - -- - -- ---
localhost.32906  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32906  49152  0 49152  0 ESTABLISHED
localhost.32908  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32908  49152  0 49152  0 ESTABLISHED
localhost.32910  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32910  49152  0 49152  0 ESTABLISHED
localhost.32911  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32911  49152  0 49152  0 ESTABLISHED
localhost.32913  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32913  49152  0 49152  0 ESTABLISHED
localhost.32915  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32915  49152  0 49152  0 ESTABLISHED
localhost.32917  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32917  49152  0 49152  0 ESTABLISHED
localhost.32919  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32919  49152  0 49152  0 ESTABLISHED
localhost.32920  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32920  49152  0 49152  0 ESTABLISHED
localhost.32922  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32922  49152  0 49152  0 ESTABLISHED
localhost.32923  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32923  49152  0 49152  0 ESTABLISHED
localhost.32924  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32924  49152  0 49152  0 ESTABLISHED
localhost.32926  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32926  49152  0 49152  0 ESTABLISHED
localhost.32927  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.32927  49152  0 49152  0 ESTABLISHED
localhost.33086  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.33086  49152  0 49152  0 ESTABLISHED
localhost.33087  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.33087  49152  0 49152  0 ESTABLISHED
localhost.50882  localhost.14502  49152  0 49152  0 ESTABLISHED
localhost.14502  localhost.50882  49152  0 49152  0 ESTABLISHED
localhost.50883  localhost.14500  49152  0 49152  0 ESTABLISHED
localhost.14500  localhost.50883  49152  0 49152  0 ESTABLISHED
At 12:11 pm -0500 2003/11/20, Bruce Momjian wrote:
>Seum-Lim Gan wrote:
>>  Hi,
>>
>>  In 7.4, I noticed there is this ::1 and : (x8 of them)
>>  for IPv6.
>>
>>  I looked at the documentation and there is nothing that says
>>  what the ::1 is for.
>
>The ::1 is a IPv6 shorthand for 127.0.0.1 (localhost).
>
>>  Commenting out that line will prevent access to PostgreSQL
>>  from psql unless I put trust for that line.
>>
>>  This is what I had in 7.3.4:
>>  host    all all 127.0.0.1 255.255.255.255 ident pspmap
>>  local   all all password
>>  host    all all 0.0.0.0 0.0.0.0  reject
>>
>>  But in 7.4, it does not work anymore. It seems to want ::1 to be somewhere.
>>  If I change the line with ::1 from trust to ident pspmap, it complains that
>>  the user cannot be found. But it is in the pspmap. Message from psql:
>
>Seems you have an OS that makes all connections IPv6, even IPv4 ones.
>That is why we had to have that line in there.  Seems ::1 controls your
>local connections on that platform.  Some platforms have distinct IPv4
>and IPv6 connections, so we have to include both lines in the file.
>
>>  Right now, I have it set to trust to work around.
>>  Any idea what to do about this ?
>>
>>  host    all all 127.0.0.1 255.255.255.255 ident pspmap
>>  local   all all password
>>  host    all all 0.0.0.0 0.0.0.0  reject
>>  # IPv4-style local connections:
>>  #host    all all

Re: [GENERAL] pg_hba.conf change in 7.4

2003-11-20 Thread Bruce Momjian
Seum-Lim Gan wrote:
> Hi,
> 
> In 7.4, I noticed there is this ::1 and : (x8 of them)
> for IPv6.
> 
> I looked at the documentation and there is nothing that says
> what the ::1 is for.

The ::1 is a IPv6 shorthand for 127.0.0.1 (localhost).

> Commenting out that line will prevent access to PostgreSQL
> from psql unless I put trust for that line.
> 
> This is what I had in 7.3.4:
> host    all all 127.0.0.1 255.255.255.255 ident pspmap
> local   all all password
> host    all all 0.0.0.0 0.0.0.0  reject
> 
> But in 7.4, it does not work anymore. It seems to want ::1 to be somewhere.
> If I change the line with ::1 from trust to ident pspmap, it complains that
> the user cannot be found. But it is in the pspmap. Message from psql:

Seems you have an OS that makes all connections IPv6, even IPv4 ones. 
That is why we had to have that line in there.  Seems ::1 controls your
local connections on that platform.  Some platforms have distinct IPv4
and IPv6 connections, so we have to include both lines in the file.

> Right now, I have it set to trust to work around.
> Any idea what to do about this ?
> 
> host    all all 127.0.0.1 255.255.255.255 ident pspmap
> local   all all password
> host    all all 0.0.0.0 0.0.0.0  reject
> # IPv4-style local connections:
> #host    all all 127.0.0.1 255.255.255.255   trust
> # IPv6-style local connections:
> host    all all ::1 ::::::: trust

Yea, that's about it.  My guess is that nothing is coming in via IPv4 on
your machine so 127.0.0.1 does nothing.  Perhaps netstat will show the
IP address family used.

-- 
  Bruce Momjian|  http://candle.pha.pa.us
  [EMAIL PROTECTED]   |  (610) 359-1001
  +  If your life is a hard drive, |  13 Roberts Road
  +  Christ can be your backup.|  Newtown Square, Pennsylvania 19073



[GENERAL] pg_hba.conf change in 7.4

2003-11-20 Thread Seum-Lim Gan
Hi,

In 7.4, I noticed there is this ::1 and : (x8 of them)
for IPv6.
I looked at the documentation and there is nothing that says
what the ::1 is for.
Commenting out that line will prevent access to PostgreSQL
from psql unless I put trust for that line.
This is what I had in 7.3.4:
host    all all 127.0.0.1 255.255.255.255 ident pspmap
local   all all password
host    all all 0.0.0.0 0.0.0.0  reject

But in 7.4, it does not work anymore. It seems to want ::1 to be somewhere.
If I change the line with ::1 from trust to ident pspmap, it complains that
the user cannot be found. But it is in the pspmap. Message from psql:
	psql: FATAL:  IDENT authentication failed for user "postgres"

Right now, I have it set to trust to work around.
Any idea what to do about this ?
host    all all 127.0.0.1 255.255.255.255 ident pspmap
local   all all password
host    all all 0.0.0.0 0.0.0.0  reject
# IPv4-style local connections:
#host    all all 127.0.0.1 255.255.255.255   trust
# IPv6-style local connections:
host    all all ::1 ::::::: trust

Thanks.

Gan
--
++
| Seum-Lim GAN email : [EMAIL PROTECTED]  |
| Lucent Technologies|
| 2000 N. Naperville Road, 6B-403F  tel : (630)-713-6665 |
| Naperville, IL 60566, USA.fax : (630)-713-7272 |
|   web : http://inuweb.ih.lucent.com/~slgan |
++


Re: [GENERAL] pg_hba.conf

2003-09-30 Thread Nigel J. Andrews
On Tue, 30 Sep 2003, Tom Lane wrote:

> "Nigel J. Andrews" <[EMAIL PROTECTED]> writes:
> > In 7.3 and less ssl connections fail if a host line matches before the hostssl
> > line. At least I think that's the situation, there is definitely something
> > there that will make a ssl connection get rejected even if there is an
> > appropriate entry in pg_hba.conf
> 
> Really?  Can you show an example?

Well, not at the moment. I'd have to remember the specifics as well. I think it
was something to do with the client being built with ssl but the server not. Or
it might have been both built with ssl and a host line appearing before hostssl
in pg_hba.conf.

Whatever, I believe this was addressed by someone, possibly with the
introduction of a GUC.

I'll have to see if I can scrape the time together to try things out again but
I'm very busy, what with people struggling to make something work on production
when it was working on dev only to eventually say what the problem actually is
so it could be solved in a couple of seconds.


-- 
Nigel J. Andrews




Re: [GENERAL] pg_hba.conf

2003-09-30 Thread Tom Lane
"Nigel J. Andrews" <[EMAIL PROTECTED]> writes:
> In 7.3 and less ssl connections fail if a host line matches before the hostssl
> line. At least I think that's the situation, there is definitely something
> there that will make a ssl connection get rejected even if there is an
> appropriate entry in pg_hba.conf

Really?  Can you show an example?

regards, tom lane



Re: [GENERAL] pg_hba.conf

2003-09-30 Thread Nigel J. Andrews
On Tue, 30 Sep 2003, Angel Todorov wrote:

> Hello, sometimes I get a strange error from postgresql when I try to
> connect using ssl to the server:
>  
> LOG:  parse_hba: invalid syntax in pg_hba.conf file at line 46, token
> "hostssl"
> FATAL:  Missing or erroneous pg_hba.conf file, see postmaster log for
> details
>  
> The contents of the pg_hba.conf file are
>  
> hostssl  dnet  att 172.16.13.40 255.255.255.255  trust

In 7.3 and less ssl connections fail if a host line matches before the hostssl
line. At least I think that's the situation, there is definitely something
there that will make a ssl connection get rejected even if there is an
appropriate entry in pg_hba.conf

This works more sensibly in 7.4 I believe.


-- 
Nigel J. Andrews




Re: [GENERAL] pg_hba.conf

2003-09-30 Thread Peter Eisentraut
Angel Todorov writes:

> LOG:  parse_hba: invalid syntax in pg_hba.conf file at line 46, token
> "hostssl"

It looks as though your server was not compiled with SSL support.

-- 
Peter Eisentraut   [EMAIL PROTECTED]




[GENERAL] pg_hba.conf

2003-09-30 Thread Angel Todorov








Hello, sometimes I get a strange error from postgresql when I try to
connect using ssl to the server:

LOG:  parse_hba: invalid syntax in pg_hba.conf file at line 46, token
"hostssl"
FATAL:  Missing or erroneous pg_hba.conf file, see postmaster log for
details

The contents of the pg_hba.conf file are

hostssl  dnet  att 172.16.13.40 255.255.255.255  trust

thanks

Angel T. Todorov
PGP public key ID: 1024D/35454B4C








Re: [GENERAL] pg_hba.conf with the "password" auth failed to work sometimes...

2001-07-29 Thread Tom Lane

matthew wong <[EMAIL PROTECTED]> writes:
>   i found sometimes when i setup the pg_hba.conf
>   to restrict to only allow a client from certain
>   ip to access a database with password auth, but
>   i found even i give an invalid password, the
>   client still can connect to this database.

Is there another line in pg_hba.conf that might allow this client
to connect?  The postmaster will use the first entry that matches
the connection source address and target database...

regards, tom lane

---(end of broadcast)---
TIP 1: subscribe and unsubscribe commands go to [EMAIL PROTECTED]
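
The first-match rule described in the reply above, together with the IPv4/IPv6 address-family mismatch from the 7.4 thread earlier on this page, as an added example (not code from PostgreSQL or from any poster). It is a simplified model of rule selection, assuming the TYPE DATABASE USER ADDRESS MASK METHOD column layout; the sample file, the `appdb`/`appuser` names and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample file (not any poster's configuration), in the
# TYPE DATABASE USER [ADDRESS MASK] METHOD layout quoted in the thread.
SAMPLE_HBA = """\
# TYPE DATABASE USER    ADDRESS   MASK            METHOD
local  all      all                               password
host   all      all     127.0.0.1 255.255.255.255 trust
host   appdb    appuser 127.0.0.1 255.255.255.255 password
host   all      all     ::1       ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ident
host   all      all     0.0.0.0   0.0.0.0         reject
"""

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    lineno: int
    conntype: str                # "local" (Unix socket) or "host" (TCP/IP)
    database: str
    user: str
    network: Optional[Network]   # None for "local" lines
    method: str


def _network(address: str, mask: str) -> Network:
    """Build a network from an address and a dotted or colon-separated netmask."""
    m = ipaddress.ip_address(mask)
    prefix = bin(int(m)).count("1")
    # Reject masks whose one-bits are not contiguous from the top.
    if int(m) != ((1 << prefix) - 1) << (m.max_prefixlen - prefix):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def parse_hba(text: str) -> List[Rule]:
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":
            rules.append(Rule(lineno, "local", f[1], f[2], None, f[3]))
        elif f[0] == "host":
            if "/" in f[3]:      # CIDR form: ADDRESS/LEN METHOD
                net, method = ipaddress.ip_network(f[3], strict=False), f[4]
            else:                # separate ADDRESS MASK METHOD columns
                net, method = _network(f[3], f[4]), f[5]
            rules.append(Rule(lineno, "host", f[1], f[2], net, method))
        else:
            raise ValueError(f"line {lineno}: unsupported type {f[0]!r}")
    return rules


def _names_match(rule: Rule, database: str, user: str) -> bool:
    db_ok = rule.database in ("all", database) or (
        rule.database == "sameuser" and database == user)
    return db_ok and rule.user in ("all", user)


def first_match(rules, conntype, database, user, client=None) -> Optional[Rule]:
    """Return the one rule that decides the connection: the first that matches."""
    addr = ipaddress.ip_address(client) if client else None
    for r in rules:
        if r.conntype != conntype or not _names_match(r, database, user):
            continue
        if conntype == "host":
            # An IPv6 client never matches an IPv4 line, and vice versa.
            if addr.version != r.network.version or addr not in r.network:
                continue
        return r
    return None   # no line matched: the connection is refused


def shadowed(rules) -> List[Tuple[int, int]]:
    """List (later_line, earlier_line) pairs where the later rule can never fire."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.conntype != later.conntype:
                continue
            if earlier.database not in ("all", later.database):
                continue
            if earlier.user not in ("all", later.user):
                continue
            if later.conntype == "host" and not (
                    earlier.network.version == later.network.version
                    and later.network.subnet_of(earlier.network)):
                continue
            out.append((later.lineno, earlier.lineno))
            break
    return out
```

Running `shadowed()` over a real file before reloading the server shows which stricter lines are dead because a broader `trust` line sits above them.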



Re: [GENERAL] pg_hba.conf and crypt/password

2001-03-31 Thread Jim Mercer

On Sat, Mar 31, 2001 at 10:31:36AM +0200, Peter Eisentraut wrote:
> > what i want is for the pg_shadow file to contain encrypted passwords like
> > /etc/passwd, and for the server to encrypt the plain text password handed
> > to it and compare with the crypto-gunge in pg_shadow.
> 
> This is not possible.

i had a look at the code, and figured i wanted similar behaviour for:

host all 127.0.0.1 255.255.255.255 password /dir/passwd.file

but, rather than have a file, i wanted to use pg_shadow with encrypted
passwords.

so the following patch allows for:

host all 127.0.0.1 255.255.255.255 password pg_shadow

where "pg_shadow" is a special key (like "ident sameuser") to set up this
behaviour.

the patch is done in such a way that it will not impact existing installations

-- 
[ Jim Mercer  [EMAIL PROTECTED] ]
[  Reptilian Research -- Longer Life through Colder Blood  ]
[ aka[EMAIL PROTECTED]  +1 416 410-5633 ]


*** auth.c.orig Fri Mar 30 19:37:08 2001
--- auth.c  Fri Mar 30 19:28:20 2001
***
*** 695,701 
  static int
  checkPassword(Port *port, char *user, char *password)
  {
!   if (port->auth_method == uaPassword && port->auth_arg[0] != '\0')
return verify_password(port->auth_arg, user, password);
  
return crypt_verify(port, user, password);
--- 695,702 
  static int
  checkPassword(Port *port, char *user, char *password)
  {
!   if (port->auth_method == uaPassword && port->auth_arg[0] != '\0'
!   && strcmp(port->auth_arg, "pg_shadow") != 0)
return verify_password(port->auth_arg, user, password);
  
return crypt_verify(port, user, password);
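Review bot: The added test `strcmp(port->auth_arg, "pg_shadow") != 0` in checkPassword() turns the literal string "pg_shadow" into a reserved keyword for the password method, so a flat password file that happens to be named pg_shadow silently stops being read through verify_password() and the connection is checked by crypt_verify() instead. Nothing in the patch documents that change in meaning; please add it to the pg_hba.conf comments and the docs, and consider defining the keyword once as a macro rather than as an inline string literal.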
*** crypt.c.origFri Mar 30 19:38:26 2001
--- crypt.c Fri Mar 30 19:39:07 2001
***
*** 280,287 
 * authentication method being used for this connection.
 */
  
!   crypt_pwd =
!   (port->auth_method == uaCrypt ? crypt(passwd, port->salt) : passwd);
  
if (!strcmp(pgpass, crypt_pwd))
{
--- 280,294 
 * authentication method being used for this connection.
 */
  
!   if (port->auth_method == uaCrypt)
!   crypt_pwd = crypt(passwd, port->salt);
!   else
!   {
!   /* if port->auth_arg, encrypt password from client before compare */
!   if (port->auth_arg[0] != 0)
!   pgpass = crypt(pgpass, passwd);
!   crypt_pwd = passwd;
!   }
  
if (!strcmp(pgpass, crypt_pwd))
{
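Review bot: In the new else branch, `if (port->auth_arg[0] != 0)` hashes for any non-empty auth_arg rather than for the "pg_shadow" keyword specifically, so the branch is only correct if the caller has already filtered out every other argument; comparing against the keyword here would make crypt_verify() safe on its own. The result of `crypt(pgpass, passwd)` is assigned to pgpass and goes straight into strcmp(), but crypt() can return NULL on failure, so it needs a check before the comparison. The comment should also say which of pgpass and passwd comes from the client, and that passwd is then expected to hold a crypt() hash rather than cleartext, since it is used as the salt argument.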




Re: [GENERAL] pg_hba.conf and crypt/password

2001-03-31 Thread Peter Eisentraut

Jim Mercer writes:

> i seem to recall setting this up before, but now i can't seem to
> get passwords working the way i want.
>
> i'm running 7.0.3 on FreeBSD 4.3-RC.
>
> i've set the entry in pg_hba.conf to both "crypt" and "password".
>
> i've used "ALTER USER pgsql WITH PASSWORD 'test';
>
> regardless of "crypt" or "password", psql allows entry using "test".

This is correct.

> what i want is for the pg_shadow file to contain encrypted passwords like
> /etc/passwd, and for the server to encrypt the plain text password handed
> to it and compare with the crypto-gunge in pg_shadow.

This is not possible.

> is this not what "crypt" is supposed to do?

Crypt encrypts the password on the wire, not in the storage.

-- 
Peter Eisentraut  [EMAIL PROTECTED]   http://yi.org/peter-e/





Re: [GENERAL] pg_hba.conf and crypt/password

2001-03-30 Thread Oliver Elphick

Jim Mercer wrote:
  >
  >i seem to recall setting this up before, but now i can't seem to
  >get passwords working the way i want.
  >
  >i'm running 7.0.3 on FreeBSD 4.3-RC.
  >
  >i've set the entry in pg_hba.conf to both "crypt" and "password".
  >
  >i've used "ALTER USER pgsql WITH PASSWORD 'test';
  >
  >regardless of "crypt" or "password", psql allows entry using "test".
  >
  >what i want is for the pg_shadow file to contain encrypted passwords like
  >/etc/passwd, and for the server to encrypt the plain text password handed
  >to it and compare with the crypto-gunge in pg_shadow.
  >
  >is this not what "crypt" is supposed to do?

'crypt' encrypts the password during transmission; apart from that there
is no difference from 'password'.

-- 
Oliver Elphick[EMAIL PROTECTED]
Isle of Wight  http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47  6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839  932A 614D 4C34 3E1D 0C1C
 
 "If we confess our sins, he is faithful and just to  
  forgive us our sins, and to cleanse us from all  
  unrighteousness."   I John 1:9  






[GENERAL] pg_hba.conf "sameuser"

2001-03-14 Thread Tim Frank

Everyone,

I'm still trying to get a handle on all of the possible authentication 
methods and what combinations will work best for what I need, and what 
combinations will work in general.  I am having difficulty getting the 
"sameuser" parameter to do anything under DBNAME.


# Format:
#
#   host  DBNAME  IP_ADDRESS  ADDRESS_MASK  AUTHTYPE  [AUTH_ARGUMENT]
#
# DBNAME is the name of a PostgreSQL database, or "all" to indicate all
# databases, or "sameuser" to restrict a user's access to a database with
# the same name as the user.


Now, that snippet of instructions doesn't indicate that there are any 
restrictions for which AUTHTYPE "sameuser" can be used with.  For my 
testing I set this line for a host (with the correct IP in place of xxx 
of course),

host    sameuser xxx.xxx.xxx.xxx   255.255.255.255 password

which I assumed from the description would restrict access to the 
database named the same as the user being authenticated.  This does not 
seem to work as expected,

$ psql -h mydbhost -p 5433 myuser
Password:
Welcome to psql, the PostgreSQL interactive terminal.

This connects me to the database called "myuser" correctly as the user 
"myuser".

$ psql -h mydbhost -p 5433 -U otheruser myuser
Password:
Welcome to psql, the PostgreSQL interactive terminal.

This, however, also connects me to the database called "myuser" but as 
the user "otheruser" which doesn't seem to make sense.

The only actual references I have seen in examples for "sameuser" use it 
in conjunction with an AUTHTYPE of ident.  Such as,

host    sameuser (IP)   (MASK) ident    (which doesn't seem to work as
ident always fails?)

or

host    myuser (IP)   (MASK) ident  sameuser    (which doesn't seem to
restrict a user to their own DB either)


What I am trying to clear up is if "sameuser" is actually a valid DBNAME 
or if it is only a valid AUTH_ARGUMENT.  Also, is "sameuser" only ever 
valid when used in conjunction with an AUTHTYPE of ident?  All of my 
testing was done on a snapshot of 7.1 taken sometime in early March.

Maybe I am not properly understanding the meaning of "to restrict a 
user's access to a database with the same name as the user." as it is 
stated in the docs, but I just can't seem to get that feature to work for 
me.  This is just bugging me for the sake of bugging me.

Thanks to anyone who can help me clear my head, it has been one of those 
weeks.  If you could email me directly as well as posting to the list I 
would appreciate it as well.

Tim Frank




Re: [GENERAL] pg_hba.conf edit

2001-01-16 Thread Brett W. McCoy

On Wed, 17 Jan 2001, Uro Gruber wrote:

> I want to know how to edit this file, because it is only for reading. Is
> there any program to edit this? For now I chmod it to 600
> and edit with my editor.

That's the way you are supposed to do it!  Just make sure you make it
read-only after you are done.

-- Brett
 http://www.chapelperilous.net/~bmccoy/
---
While most peoples' opinions change, the conviction of their
correctness never does.




[GENERAL] pg_hba.conf edit

2001-01-16 Thread Uro Gruber

Hi!

I want to know how to edit this file, because it is only for reading. Is
there any program to edit this? For now I chmod it to 600
and edit with my editor.

Any comments.


-- 
Uroš





Re: [GENERAL] pg_hba.conf

2000-10-09 Thread Tom Lane

"Tamsin" <[EMAIL PROTECTED]> writes:
> I'm trying to sort out security on my db, configuring pg_hba.conf etc.  I
> just wanted to check that this isn't possible - I want my postgres linux user
> to be able to connect to the database without a password, but I don't want
> other users logged on to the linux box to be able to connect as postgres
> i.e. by going psql dbname postgres.

I should think 'ident' authentication would get the job done, assuming
that your box is running identd.  Of course identd is only as
trustworthy as the machine's admin, but if you don't trust root on your
server then password security is academic anyway.  I wouldn't recommend
allowing ident auth for logins from untrusted machines, natch.

regards, tom lane


