Thread: hba conf ident sameuser not working
I am using auth method of 'ident sameuser' on a postgresql 8 server. ALL connections to postgres must come from localhost or local unix socket. Now, when I connect to postgres from remote machines I ssh into the pg server, but I tunnel postgres traffic. The ident sameuser prevents tunneled connections from working. Is there any workaround?

-- 
David Bear
phone: 480-965-8257
fax: 480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
"Beware the IP portfolio, everyone will be suspect of trespassing"
David Bear wrote:
> Now, when I connect to postgres from remote machines I ssh into
> the pg server, but I tunnel postgres traffic. The ident sameuser
> prevents tunneled connections from working.

That is not true. Please give more detail so we can figure out what is really wrong.

-- 
Peter Eisentraut
http://developer.postgresql.org/~petere/
On Wed, Feb 15, 2006 at 11:27:36AM +0100, Peter Eisentraut wrote:
> David Bear wrote:
> > Now, when I connect to postgres from remote machines I ssh into
> > the pg server, but I tunnel postgres traffic. The ident sameuser
> > prevents tunneled connections from working.
>
> That is not true. Please give more detail so we can figure out what is
> really wrong.

OK. 2 machines: mine is called teancum. The server running postgresql is called dbsrv1. Starting with:

==================
iddwb@teancum:~> ssh -L 6666:localhost:5432 iddwb@dbsrv1
Password:
Last login: Tue Feb 14 20:21:08 2006 from teancum
Have a lot of fun...
iddwb@dbsrv1:~> psql
Welcome to psql 8.0.3, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

iddwb=> \q
iddwb@dbsrv1:~> psql -U tlhowell
psql: FATAL:  Ident authentication failed for user "tlhowell"
=====================

This is what I expect. Users on dbsrv1 must be who they are. Now, back on teancum that has the tunnel on port 6666, I do this:

===================
iddwb@teancum:~> psql -p 6666 -h localhost -U tlhowell
psql: FATAL:  Ident authentication failed for user "tlhowell"
iddwb@teancum:~> psql -p 6666 -h localhost -U iddwb
psql: FATAL:  Ident authentication failed for user "iddwb"
===================

That is with the following pg_hba.conf

==================
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD

# "local" is for Unix domain socket connections only
local   all         all                               ident sameuser
# IPv4 local connections:
host    all         all         127.0.0.1/32          ident sameuser
# IPv6 local connections:
host    all         all         ::1/128               ident sameuser
===================

Now, if I change the connection for 'host' to use the trust method, I can connect as any user from psql AFTER I have already authenticated and set up the ssh tunnel.

> --
> Peter Eisentraut
> http://developer.postgresql.org/~petere/

-- 
David Bear
phone: 480-965-8257
fax: 480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
"Beware the IP portfolio, everyone will be suspect of trespassing"
David Bear <David.Bear@asu.edu> writes:
> Now, back on teancum that has the tunnel on port 6666, I do this:

> iddwb@teancum:~> psql -p 6666 -h localhost -U tlhowell
> psql: FATAL:  Ident authentication failed for user "tlhowell"
> iddwb@teancum:~> psql -p 6666 -h localhost -U iddwb
> psql: FATAL:  Ident authentication failed for user "iddwb"

I'm afraid you're kind of stuck on getting that to work. In the cases that work, psql is executing on the server side of the ssh connection. Here, you want it to work on the client side. The problem is that the Postgres server is going to see that TCP connection as originating from a server-side sshd daemon process, and so ident is quite properly going to fail unless the requested database username matches whatever sshd is running as.

You could possibly get it to work if you could get sshd to run the daemon subprocess as yourself instead of root ... dunno enough about ssh to know if that's possible.

regards, tom lane
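To make the mechanism in the reply above concrete, here is a small simulation of the 'ident sameuser' decision, added as a worked example; it is not code from the thread and not PostgreSQL's own implementation. For a `host` line the server asks the identd on the client's address (RFC 1413, TCP port 113) which OS user owns the client end of the TCP connection, and the login is allowed only if that name equals the requested database user; for a `local` line the peer's credentials on the unix socket are used instead. The identd replies, the port numbers and the passwd table below are constructed, and the `root` answer for the tunnel case simply models the explanation given in the reply (the forwarded connection is owned by the sshd process, not by the user running psql on the far end).

```python
import re

# Constructed passwd excerpt used for the unix-socket (peer credential) check.
PASSWD = {0: "root", 1001: "iddwb", 1002: "tlhowell"}

# RFC 1413 reply grammar (simplified). The port pair echoes the query and is
# ordered <port on the host running identd> , <port on the querying host>; when
# PostgreSQL queries, that is <client's TCP port> , <postmaster's port>.
IDENT_USERID = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*USERID\s*:\s*([^:]+?)\s*:\s*(.+?)\s*$", re.I)
IDENT_ERROR = re.compile(
    r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*ERROR\s*:\s*(.+?)\s*$", re.I)


def parse_ident_reply(reply):
    """Return (client_port, server_port, os_user); raise ValueError on ERROR or garbage."""
    m = IDENT_USERID.match(reply)
    if m:
        return int(m.group(1)), int(m.group(2)), m.group(4)
    m = IDENT_ERROR.match(reply)
    if m:
        raise ValueError("identd returned ERROR: " + m.group(3))
    raise ValueError("malformed ident reply: %r" % reply)


def ident_sameuser_tcp(requested_user, client_port, server_port, reply):
    """'host ... ident sameuser': identd's answer must describe exactly this
    port pair and name the same OS user as the requested database user.
    Any error or mismatch fails closed."""
    try:
        c_port, s_port, os_user = parse_ident_reply(reply)
    except ValueError:
        return False
    if (c_port, s_port) != (client_port, server_port):
        return False  # reply is about some other connection; never trust it
    return os_user == requested_user


def ident_sameuser_local(requested_user, peer_uid, passwd=PASSWD):
    """'local ... ident sameuser': the uid of the process at the other end of the
    unix socket must map to the requested database user."""
    return passwd.get(peer_uid) == requested_user


def thread_cases():
    """The situations from the thread, with constructed identd replies."""
    results = {}
    # iddwb@dbsrv1:~> psql             (unix socket, peer uid belongs to iddwb)
    results["local psql as iddwb"] = ident_sameuser_local("iddwb", 1001)
    # iddwb@dbsrv1:~> psql -U tlhowell (same socket owner, different db user)
    results["local psql -U tlhowell"] = ident_sameuser_local("tlhowell", 1001)
    # Tunnel: the TCP connection to 127.0.0.1:5432 is opened by the sshd
    # process on dbsrv1, so identd reports that process's owner (constructed).
    sshd_reply = "41234 , 5432 : USERID : UNIX : root"
    results["tunnel psql -U iddwb"] = ident_sameuser_tcp("iddwb", 41234, 5432, sshd_reply)
    results["tunnel psql -U tlhowell"] = ident_sameuser_tcp("tlhowell", 41234, 5432, sshd_reply)
    # If identd cannot identify the socket owner the check also fails closed.
    results["tunnel, identd error"] = ident_sameuser_tcp(
        "iddwb", 41234, 5432, "41234 , 5432 : ERROR : NO-USER")
    return results


if __name__ == "__main__":
    for label, allowed in thread_cases().items():
        print("%-28s %s" % (label, "allowed" if allowed else "FATAL: Ident authentication failed"))
```

The port-pair check matters beyond this thread: an ident answer is only meaningful for the exact connection that was queried, and the whole method is only as trustworthy as the identd and the host it is asked on. Here that host is localhost, which is why the `trust` alternative David mentions is so much weaker: once the tunnel exists, anyone who can reach its local end can pick any database user.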
On Wed, Feb 15, 2006 at 09:00:41PM -0500, Tom Lane wrote:
> David Bear <David.Bear@asu.edu> writes:
> > Now, back on teancum that has the tunnel on port 6666, I do this:
>
> > iddwb@teancum:~> psql -p 6666 -h localhost -U tlhowell
> > psql: FATAL:  Ident authentication failed for user "tlhowell"
> > iddwb@teancum:~> psql -p 6666 -h localhost -U iddwb
> > psql: FATAL:  Ident authentication failed for user "iddwb"
>
> I'm afraid you're kind of stuck on getting that to work. In the cases
> that work, psql is executing on the server side of the ssh connection.
> Here, you want it to work on the client side. The problem is that the
> Postgres server is going to see that TCP connection as originating from
> a server-side sshd daemon process, and so ident is quite properly going
> to fail unless the requested database username matches whatever sshd is
> running as.
>
> You could possibly get it to work if you could get sshd to run the
> daemon subprocess as yourself instead of root ... dunno enough about
> ssh to know if that's possible.

That's the path I was thinking along... Thanks.

> regards, tom lane
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: explain analyze is your friend

-- 
David Bear
phone: 480-965-8257
fax: 480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
"Beware the IP portfolio, everyone will be suspect of trespassing"