PostgreSQL local database access for user without password - postgresql

I just create a user and new database on my local machine.
sudo su - postgres -c "createuser gauthier"
sudo su - postgres -c "createdb local-ag-db"
Then:
$ sudo -u postgres psql
sudo -u postgres psql
psql (11.9 (Debian 11.9-0+deb10u1))
Type "help" for help.
postgres=# grant all privileges on database "local-ag-db" to gauthier;
GRANT
I can access the database locally through a socket:
$ psql local-ag-db gauthier
psql (11.9 (Debian 11.9-0+deb10u1))
Type "help" for help.
local-ag-db=> \conninfo
You are connected to database "local-ag-db" as user "gauthier" via socket in "/var/run/postgresql" at port "5432".
But I cannot access it through localhost:
$ psql -d local-ag-db -h localhost -U gauthier
Password for user gauthier:
psql: fe_sendauth: no password supplied
My guess is that while createuser accepted to create a user without a password, logging in through the host requires identification that this user cannot provide.
This is the default content of /etc/postgresql/11/main/pg_hba.conf:
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
I have tried adding this at the end of that file, after reading the included documentation:
host local-ag-db gauthier samehost peer
but that did not work (after a restart sudo /etc/init.d/postgresql restart), it even broke my Unix socket access:
$ psql local-ag-db gauthier
psql: could not connect to server: No such file or directory
Is the server running locally and accepting
connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
I also tried this as last row of my config, with the same result:
host local-ag-db gauthier 127.0.0.1/32 peer
My questions:
how do I allow my local user to access the database through localhost?
how do I edit my conf file so that I don't break everything? (Unix socket method stops working when I add a rule)
On Debian.

You will need to add a line like:
host all all localhost trust
As you have no explicit rule currently it is dropping through to another catch all rule and prompting for authentication. Adrian's comment above is saying the same and likewise I don't suggest using trust outside of testing your connectivity - you really should assign a password and enforce it.
Adding entries to the pg_hba.conf needs care as the PostgreSQL will find the first match:
The first record with a matching connection type, client address, requested database, and user name is used to perform authentication. There is no “fall-through” or “backup”: if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.
From https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
Regarding
Is the server running locally and accepting
connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?
Looks like the restart may not have worked. Looks like no response rather than authentication failure.

Your server is not running. It never came back up when you tried to restart it, because you broke your hba. If you look in the log file, you should something like:
LOG: peer authentication is only supported on local sockets
FATAL: could not load pg_hba.conf
LOG: database system is shut down
Unbreak your pg_hba.conf and start the server again. Also, read your log files when you don't know what's going on. That is what they are there for.
You will need to choose a different method for authentication over localhost. ident is equivalent to peer, but it requires you to run the identd daemon on the server, and is not very secure for any addresses other than loopback ones.

Related

psql: error: connection to server on socket "/var/run/postgresql/.s.PGSQL.5432" failed: FATAL: Peer authentication failed for user "postgres" (Ubuntu)

When I try to open psql with this command:
psql -U postgres
I get this error:
psql: error: connection to server on socket "/var/run/postgresql/.s.PGSQL.5432" failed: FATAL: Peer authentication failed for user "postgres"
But it connects successfully when I use:
sudo -u postgres psql
Can someone please explain what is happening and how to diagnose/fix this problem? My pg_hba.conf contains the following:
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 scram-sha-256
# IPv6 local connections:
host all all ::1/128 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
You can edit your .conf files with privileges using an editor, for my case it is nano.
$sudo nano /etc/postgresql/14/main/pg_ident.conf
Map your user by adding this line
# MAPNAME SYSTEM-USERNAME PG-USERNAME
user1 <computer-username> postgres
Replace the <computer-username> with the System-Username, which can be found using the whoami command. Type in your terminal:
$whoami
Then go ahead to the pg_hba.conf
$sudo nano /etc/postgresql/14/main/pg_hba.conf
Add your postgre user, with method=peer, as shown below:
# TYPE DATABASE USER ADDRESS METHOD
local all postgres peer
This worked for me.
Peer authentication means that the connection is only allowed if the name of the database user is the same as the name of the operating system user.
So if you run psql -U postgres as operating system user root or jimmy, it won't work.
You can specify a mapping between operating system users and database users in pg_ident.conf.
step-1
vi /etc/postgresql/14/main# vi postgresql.conf
listen_addresses = '*'
step-2
vi /etc/postgresql/14/main# vi pg_hba.conf
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all md5
# IPv4 local connections:
host all all 0.0.0.0/0 scram-sha-256
# IPv6 local connections:
host all all ::1/128 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
step-3
sudo /etc/init.d/postgresql restart
step-4
After restart your changes
create your required database and database username
I don't think in production you wana bother yourself changing any files.
So, What you can do is temporarily make the username same to the username of your postgres which is usually postgres by passing command sudo -i -u postgres and then psql, now you successfully connected to postgres.

Can't override forgettin password for Postgresql on Mac

I am having an issue where I forgot the password to the postgres shell when trying to login as postgres. I looked online and found several different things to do, but none of it worked. I have messed with the pg_hba.conf file but even with that change, it is not working. Here is what my pg_hba.conf file looks like.
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
# CAUTION: Configuring the system for local "trust" authentication
# allows any local user to connect as any PostgreSQL user, including
# the database superuser. If you do not trust all your local users,
# use another authentication method.
# TYPE DATABASE USER ADDRESS METHOD
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
host replication all 127.0.0.1/32 trust
host replication all ::1/128 trust
and then i ran the follwoing command:
brew services restart postgres
and I keep getting the following error:
omars-MacBook-Pro:postgres omarjandali$ psql -U postgres Password for user postgres: psql: error: could not connect to server: FATAL: password authentication failed for user "postgres"
Anyone know how to fix this issue.
It looks like your command psql -U postgres is attempting to make a socket connection, however you've only got trust authentication set up for TCP/IP connections on localhost.
Try psql -h localhost -U postgres.
Alternatively, add a line to pg_hba.conf setting up trust authentication for socket connections:
host all all trust
and restart PostgreSQL (though you don't actually need to restart it, pg_ctl -D /path/to/data-directory reload should work if you know the actual data directory path).

WSL Postgres Connections

I'm struggling to get Rails up and running through Windows Bash - for some reason, PostgreSQL is requiring passwords for all TCP/IP connections. It does not prompt for a password when connecting through a unix socket. Ideally my environment would never require a password.
All the advice I can find on this issue points to modifying the pg_hba.conf file. I've edited mine accordingly - there's only one (v9.5). I've reloaded the config via select pg_reload_conf(); and restarted the service to no avail.
# Database administrative login by Unix domain socket
local all postgres trust
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
I've tried to remove the password from the default "postgres" account, but it still requires the password "root" when I try to connect via $ psql -h localhost -U postgres. When I supply no password, I get psql: fe_sendauth: no password supplied and the prompt terminates.
I've created a new role, root, with no password. This has the same behavior, except the password "root" doesn't work - I'm not sure what password it expects, but it does expect one.
Little lost on what to do next. Everything I can find online points to modifying the pg_hba.conf file to look similar to what I have. I've tried uninstalling/reinstalling postgresql packages, but ran into the same problem. Any ideas?

valentina db doesn't allow me to use ssh into a postgres even though i can do it normally

I have a AWS server which I can access using SSH with a .pem key.
Using valentina, i tried to access the postgres this way
I keep getting a failed Ident message.
I used that same .pem file and ssh into the server.
Used the same postgres user and password to access using psql client.
It works.
What do I need to do to make the Valentina Studio work as well?
UPDATE:
I have changed my pg_hba.conf to the following:
host all all * ident
# "local" is for Unix domain socket connections only
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 ident
# IPv6 local connections:
host all all ::1/128 ident
I can run psql -U postgres on the postgres server.
I cannot run psql -h localhost -U postgres on the the postgres server.
UPDATE 2:
# "local" is for Unix domain socket connections only
local all postgres peer
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
This solves the issue
I keep getting a failed Ident message.
This suggests that you can in fact ssh in fine.
At a guess, your manual tests are along the lines of:
psql mydb
which will generally use a unix socket, which appears as local entries in pg_hba.conf.
By contrast your application will be connecting over TCP/IP, probably to a socket forwarded over ssh to localhost. This authenticates with host entries in pg_hba.conf.
So I think you're testing a different thing when logging in directly.
Try manually:
psql -h localhost mydb
i.e. force a TCP/IP connection to be used. You'll get the same error, and it's because of your setup in pg_hba.conf choosing ident as the auth method for host connections from localhost, and presumably there's no identd running or other mechanism to allow proper ident. You probably want to use md5 auth.

psql: FATAL: Ident authentication failed for user "postgres"

I have installed PostgreSQL and pgAdminIII on my Ubuntu Karmic box.
I am able to use pgAdminIII successfully (i.e. connect/log on), however when I try to login to the server using the same username/pwd on the command line (using psql), I get the error:
psql: FATAL: Ident authentication failed for user "postgres"
Does anyone now how to resolve this issue?
The following steps work for a fresh install of postgres 9.1 on Ubuntu 12.04. (Worked for postgres 9.3.9 on Ubuntu 14.04 too.)
By default, postgres creates a user named 'postgres'. We log in as her, and give her a password.
$ sudo -u postgres psql
\password
Enter password: ...
...
Logout of psql by typing \q or ctrl+d. Then we connect as 'postgres'. The -h localhost part is important: it tells the psql client that we wish to connect using a TCP connection (which is configured to use password authentication), and not by a PEER connection (which does not care about the password).
$ psql -U postgres -h localhost
Did you set the proper settings in pg_hba.conf?
See https://ubuntu.com/server/docs/databases-postgresql how to do it.
Edit the file /etc/postgresql/8.4/main/pg_hba.conf and replace ident or peer by either md5 or trust, depending on whether you want it to ask for a password on your own computer or not.
Then reload the configuration file with:
/etc/init.d/postgresql reload
You're getting this error because you're failing client authentication. Based on the error message, you probably have the default postgres configuration, which sets client authentication method to "IDENT" for all PostgreSQL connections.
You should definitely read section 19.1 Client Authentication in the PostgreSQL manual to better understand the authentication settings available (for each record in pg_hba.conf), but here is the relevant snippet to help with the problem you're having (from the version 9.5 manual):
trust
Allow the connection unconditionally. This method allows anyone that
can connect to the PostgreSQL database server to login as any
PostgreSQL user they wish, without the need for a password or any
other authentication. See Section 19.3.1 for details.
reject
Reject the connection unconditionally. This is useful for "filtering
out" certain hosts from a group, for example a reject line could block
a specific host from connecting, while a later line allows the
remaining hosts in a specific network to connect.
md5
Require the client to supply a double-MD5-hashed password for
authentication. See Section 19.3.2 for details.
password
Require the client to supply an unencrypted password for
authentication. Since the password is sent in clear text over the
network, this should not be used on untrusted networks. See Section
19.3.2 for details.
gss
Use GSSAPI to authenticate the user. This is only available for TCP/IP
connections. See Section 19.3.3 for details.
sspi
Use SSPI to authenticate the user. This is only available on Windows.
See Section 19.3.4 for details.
ident
Obtain the operating system user name of the client by contacting the
ident server on the client and check if it matches the requested
database user name. Ident authentication can only be used on TCP/IP
connections. When specified for local connections, peer authentication
will be used instead. See Section 19.3.5 for details.
peer
Obtain the client's operating system user name from the operating
system and check if it matches the requested database user name. This
is only available for local connections. See Section 19.3.6 for
details.
ldap
Authenticate using an LDAP server. See Section 19.3.7 for details.
radius
Authenticate using a RADIUS server. See Section 19.3.8 for details.
cert
Authenticate using SSL client certificates. See Section 19.3.9 for
details.
pam
Authenticate using the Pluggable Authentication Modules (PAM) service
provided by the operating system. See Section 19.3.10 for details.
So ... to solve the problem you're experiencing, you could do one of the following:
Change the authentication method(s) defined in your pg_hba.conf
file to trust, md5, or password (depending on your security
and simplicity needs) for the local connection records you have
defined in there.
Update pg_ident.conf to map your operating system users to
PostgreSQL users and grant them the corresponding access privileges,
depending on your needs.
Leave the IDENT settings alone and create users in your database for
each operating system user that you want to grant access to. If a
user is already authenticated by the OS and logged in, PostgreSQL
won't require further authentication and will grant access to that
user based on whatever privileges (roles) are assigned to it in the
database. This is the default configuration.
Note: The location of pg_hba.conf and pg_ident.conf is OS dependent.
Simply adding the -h localhost bit was all mine required to work
In case none of the above works for you:
I've done quite a few Postgres installations, but was flummoxed today on a RedHat 6.5 system (installing Postgres 9.3). My typical hba.conf configuration that Aron shows above didn't work. It turned out that my system was using IPV6, and ignoring the IPV4 configuration. Adding the line:
host all all ::1/128 password
allowed me to login successfully.
For fedora26 and postgres9.6
First, log as user root then enter to psql by the following commands
$ su postgres
then
$ psql
in psql find location of hba_file ==> means pg_hba.conf
postgres=# show hba_file ;
hba_file
--------------------------------------
/etc/postgresql/9.6/main/pg_hba.conf
(1 row)
in file pg_hba.conf change user access to this
host all all 127.0.0.1/32 md5
In my case, solution here: (for people who concerned)
login to postgres:
sudo -i -u postgres
psql
ALTER USER postgres WITH PASSWORD 'postgres'; # type your password here
regards
You can set the environment variable PGHOST=localhost:
$ psql -U db_user db_name
psql: FATAL: Peer authentication failed for user "db_user"
$ export PGHOST=localhost
$ psql -U db_user db_name
Password for user mfonline:
Hmmm ...
If you can connect with the username and password in pgAdminIII but you can't connect with psql then those two programs are probably connecting to the database differently.
[If you're connecting to different databases, first try connecting to the same database. See below.]
From PostgreSQL: Documentation: 9.3: psql:
If you omit the host name, psql will connect via a Unix-domain socket to a server on the local host, or via TCP/IP to localhost on machines that don't have Unix-domain sockets.
If you're not running something like psql ... -h host_name ..., and you're running Ubuntu, psql should be connecting via a Unix-domain socket, so PostgreSQL probably isn't configured to allow one of the password authentication methods for the postgres user.
You can test this by running:
sudo -u postgres psql
If the above works, your server is probably configured to use peer authentication for local connections by the postgres user, i.e. asking the OS for your user name to confirm that you're postgres.
So It's Probably Your pg_hba.conf File
The full path of the file will be something like /etc/postgresql/9.3/main/pg_hba.conf. You can view it by, e.g. sudo cat /etc/postgresql/9.3/main/pg_hba.conf | more.
If you're omitting the host name in your psql command, you should be able to connect if you add the following entry to your pg_hba.conf file:
# Connection type Database User IP addresses Method
local all postgres md5
[Commented lines in the pg_hba.conf file start with #.]
If you are including the host name in your psql command, add this entry instead:
# Connection type Database User IP addresses Method
host all postgres 127.0.0.1/32 md5
You need to put the entry before any other entries are matched for your connection via psql. If in doubt about where to put it, just put it before the first un-commented line.
More about pg_hba.conf
From PostgreSQL: Documentation: 9.3: The pg_hba.conf File [bold emphasis mine]:
The first record with a matching connection type, client address, requested database, and user name is used to perform authentication. There is no "fall-through" or "backup": if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.
Note that records are not matched on authentication method. So, if your pg_hba.conf file contains the following entry:
# Connection type Database User IP addresses Method
local all postgres peer
Then you won't be able to connect via:
psql -u postgres
Unless one of these entries is in your pg_hba.conf file above the former entry:
# Connection type Database User IP addresses Method
local all postgres md5
local all postgres password # Unencrypted!
local all all md5
local all all password # Unencrypted!
Out of all the answers above nothing worked for me. I had to manually change the users password in the database and it suddenly worked.
psql -U postgres -d postgres -c "alter user produser with password 'produser';"
I used the following settings:
pg_hba.conf
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 password
# IPv6 local connections:
host all all ::1/128 password
Connection is successful finally for the following command:
psql -U produser -d dbname -h localhost -W
I found that I had to install an identity server, that listens on port 113.
sudo apt-get install pidentd
sudo service postgresql restart
And then ident worked.
The problem is still your pg_hba.conf file. This line: You can found this file in /etc/postgres/varion/main
local all postgres peer
Should be
local all postgres md5
These are brief descriptions of both options according to the official PostgreSQL docs on authentication methods.
Peer authentication
The peer authentication method works by obtaining the client's operating system user name from the kernel and using it as the allowed database user name (with optional user name mapping). This method is only supported on local connections.
Password authentication
The password-based authentication methods are md5 and password. These methods operate similarly except for the way that the password is sent across the connection, namely MD5-hashed and clear-text respectively.
If you are at all concerned about password "sniffing" attacks then md5 is preferred. Plain password should always be avoided if possible. However, md5 cannot be used with the db_user_namespace feature. If the connection is protected by SSL encryption then password can be used safely (though SSL certificate authentication might be a better choice if one is depending on using SSL).
After altering this file, don't forget to restart your PostgreSQL server. If you're on Linux, that would be sudo service postgresql restart.
my solution on PostgreSQL 9.3 on Mac OSX in bash shell was to use sudo to go into the data folder, and then append the necessary lines to the pg_hba.conf file to allow for all users to be trusted and be able to log in. This is what I did:
# in bash_profile edit PGDATA environmental variable
open ~/.bash_profile
# append this line to bash_profile
export PGDATA="/Library/PostgreSQL/9.3/data"
# reload bash_profile
source ~/.bash_profile
# open pg_hba.conf in vim
sudo vi /Library/PostgreSQL/9.3/data/pg_hba.conf
# append these two lines to the end of the pg_hba.conf file
local all all trust
host all all 127.0.0.1/32 trust
# can now login as user in bash
psql -d <db_name> -U <user_name> -W
I've spent more time solving this error that I care to admit.
The order of authentication configuration in pg_hba.conf is relevant in your case I think. The default configuration file includes several lines in a vanilla install. These defaults can match the conditions of your authentication attempts resulting in a failure to authenticate. It fails regardless of additional configuration added at the end of the .conf file.
To check which line of configuration is use make sure to look at the default log file for messages. You might see something like this
LOG: could not connect to Ident server at address "127.0.0.1", port 113: Connection refused
FATAL: Ident authentication failed for user "acme"
DETAIL: Connection matched pg_hba.conf line 82: "host all all 127.0.0.1/32 ident"
It turns out this default line is causing the rejection.
host all all 127.0.0.1/32 ident
try commenting it out.
If you've done all this and it still doesn't work, check the expiry for that user:
Postgres password authentication fails
I had similar problem and I fixed it in pg_hba.conf when removing all ident methods even for IP6 address (in spite I have only IP4 on machine).
host all all 127.0.0.1/32 password
host all all ::1/128 password
#for pgAdmin running at local network
host all all 192.168.0.0/24 md5
One hack around this is to edit pg_hba.conf
sudo vi /etc/postgresql/9.3/main/pg_hba.conf
To temporarily
# Database administrative login by Unix domain socket
local all postgres trust
At this point you are done. For security, then go and
sudo -u postgres psql template1
ALTER USER postgres with encrypted password 'your_password';
then go back and set pg_hba.conf back to
# Database administrative login by Unix domain socket
local all postgres md5
If you are using it on CentOS,you may need to reload postgres after making the above solutions:
systemctl restart postgresql-9.3.service
It related to configuration issue of PostgreSQL installation:
Configure # TYPE DATABASE USER ADDRESS METHOD section in below mentioned conf file
Find and Edit /var/lib/pgsql/10/data/pg_hba.conf or based on your file location to update method(md5). Update entry in the file if not existing for your config by comparing as below:
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
host all all 0.0.0.0/0 md5
# IPv6 local connections:
host all all ::1/128 md5
Configure CONNECTIONS AND AUTHENTICATION section in below mentioned conf file
Find and Edit /var/lib/pgsql/10/data/postgresql.conf or based on your file location
Update Listen Address and Port
listen_addresses = '*' // # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
port = 5432 // Set port as 5432
Restart your PostgreSQL:
sudo systemctl restart postgresql-10 # Update service name based on your installation
For Windows if you dont want to edit pb_gba.conf ie leave the method to MD5(default), create a new user, by running this query in Query tool in PGadmin
CREATE USER admin WITH PASSWORD 'secret'
then in cmd
psql "dbname=Main_db host=127.0.0.1 user=admin password=secret port=5432
where dbname is your db in postgresql
I had the same issuse after following this: PostgreSQL setup for Rails development in Ubuntu 12.04
I tried the other answers but all I had to do was in: "config/database.yml"
development:
adapter: postgresql
encoding: unicode
database: (appname)_development
pool: 5
username: (username you granted appname database priviledges to)
password:
I had to reinstall pdAdmin to resolve this issue
brew cask reinstall pgadmin4
I provisioned the username and password via terraform in GCP SQL and the problem was the password was not set properly via terraform so though not a proper fix but just to figure out the exact cause.
I changed the password for the user from GCP console and that worked.
This worked for me :
http://tecadmin.net/fatal-ident-authentication-failed-for-user-postgres/#
local all postgres trust
local all myapp_usr trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
#host all all ::1/128 trust