I recently installed https://dbeaver.io/ on a Windows PC and wish to access a database on a remote Linux server from it.
My Linux username is my_username and I also have a system user psql_user. I also have two existing PostgreSQL databases with the same name as their respective user. Typically, only the psql_user is used and is access by a php-fpm pool listening to a Unix socket and running as user psql_user, and as such have configured /var/lib/pgsql/12/data/pg_hba.conf as:
# TYPE DATABASE USER ADDRESS METHOD
local all all peer
host all all 127.0.0.1/32 ident
host all all ::1/128 ident
local replication all peer
host replication all 127.0.0.1/32 ident
host replication all ::1/128 ident
With the above configuration, after ssh'ing onto the server, I can access the my_username database by executing psql and can also access the psql_user database by executing sudo -u psql_user psql and do not need to use a password for either.
But now, how to connect from the remote Windows PC?
To attempt to do so, I first created ssh keys without passphrases on the Windows PC for both my_username and psql_user and added the public key to each Linux user's authorized_keys (had to manually create /home/psql_user/ because it is a systems user). I can can successfully PuTTY to the server as either using the ssh keys.
Next, on the DBeaver connection settings SSH tab, I checked "Use SSH Tunnel", entered the username and private key location and the Test tunnel configuration successfully shows connected with the client version as SSH-2.0-JSCH-01.54 and server version as SSH-2.0-OpenSSH_7.4. I also made no changes to the Advanced portion of this tab such as local and remote hosts and ports, and have also left the "You can use variables in SSH parameters" at their default values.
Using my server IP in the main tab, Authentication "Database Native", and leave password empty, I test the connection but get The connection attempt failed. syslog reports that connection to the IP on port 5432 failed which makes sense because I am set up using Unix sockets.
So, then I change the server IP on the main tab to 127.0.0.1 (or localhost) and try again but get FATAL: Ident authentication failed for user "my_username". Okay, a little closer, but not quite there.
I think it might be because DBeaver is passing the port so I attempt to disable this part by got to the Edit Driver tab and changing jdbc:postgresql://{host}[:{port}]/[{database}] to jdbc:postgresql://{host}/[{database}], but now get Connection to 127.0.0.1:5432 refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
Not sure where to go next. When I PuTTY into the Linux machine, all is good but not when connecting remotely using DBeaver, and thought it would be the same if I am using SSH to connect DBeaver to the server. How can this be accomplished?
As pointed out in the other answer, DBeaver's SSH tunnel option doesn't support sockets currently. It is always TCP port based, so only connections using the host options in pg_hba.conf can be made (I've placed a feature request for SSH socket forwarding in DBeaver).
Here's how to set up forwarding of a local TCP port to a remote Unix socket. This allows you to use peer authentication over the Unix socket, so you don't have to provide a password for the PostgreSQL role:
ssh username#dbserver.example.com -L 5555:/var/run/postgresql/.s.PGSQL.5432 -fN
While I think that ssh tunnelling can be set up to connect to a unix socket rather than a port, I don't think dbeaver offers a way to do that, so you would have to set it up separately.
Although ident should also work if your server runs the identd service. I think most linux don't do that by default, but just apt install oidentd or whatever the equiv would be on your package manager should fix that.
The easier solution would be to just change the method from ident to md5 or scram, and assign a password (which dbeaver offers to memorize).
Related
As the title suggest I'm trying to configure a postgresql server to be accessible remotely. I've followed many guides and viewed some of the other answers here however I'm still having trouble.
The details:
os, windows 10
postgresql version on host is 11.6
postgresql version on remote is 11.2 with anaconda install
I have changed the pg_hba.conf and postgresql.conf to allow for connections to the server.
More specifically I've added the line
host all all xxx.xx.x.0/0 trust
I can verify that the host is listening on local address 0.0.0.0:5432 via netstat.
I can ping the ip of the host from the remote, and I have set windows firewalls on the host to allow connection.
Yet I still recieve the following error when trying to access psql from the remote.
psql: could not connect to server: Connection timed out (0x0000274C/10060)
Is the server running on host "xxx.xx.x.144" and accepting
TCP/IP connections on port 5432?```
I had to double check the windows firewall permissions. The connection was enabled but the application was not set to allowed. It turns out a local user can enable connection but I needed the system admin to set the application executable to allowed by the windows fire wall.
I am trying to fetch data from the Postgres server which is remotely available from Amazon EC2 instance. When I try to telnet the remote server, it is connected.
But when I am running a kafka connector which connects to the remote Postgres server it throws an error stating
FATAL: no pg_hba.conf entry for host, SSL off for configuration Couldn't open a connection to jdbc:postgresql://<url>
I tried changing the connection string from
jdbc:postgresql://host:5432/schema_name?user=******&password=******&defaultFetchSize=250000&useCursorFetch=true
to
jdbc:postgresql://host:5432/schema_name?ssl=true&user=******&password=******&defaultFetchSize=250000&useCursorFetch=true
then it throws another error which is
The server does not support SSL. for configuration Couldn't open a connection to jdbc:postgresql://<url>
There is no SSL support in the Postgres server because I can connect to the server through any DB connector without ssh. I am sure it has to do something with the security access group of EC2(considering I can telnet to the server from the instance). Any help would be much appreciated.
Looks like error is in the pg_hba.conf. I would have put this as a comment but not enough rep.
When you telnet to the server did you use the db port?
Can you post your pg_hba.conf file. This is one off my home dev server. You'll need to add a line similar to this: host all all 192.168.1.1/24 md5 with your IP addr and details.
If you're using this in a corporate network I'd highly recommend looking at a amazon VPC and not to expose your database to the internet.
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
host all all 10.10.187.1/24 md5
I am running openerp(odoo) application from amazon cloud server using putty and it is ubuntu Headless(NO GUI) server. PostgreSQL is the database used for this application. Right now I am only able to access it in command mode as there is no gui in Putty. In Windows, I have installed pgadmin3. Is it possible to access it from here by configuring?
You can configure your security group to open up the postgres port accessible from your IP address (I would highly recommend the access to be limited that way). After that you can just point your GUI client the external IP address of your instance using the port where the service is running on.
I suggest you to use pgadmin gui tool to access postgres database.
You can set up an SSH tunnel in putty and use that to access the remote database with your local pgadmin3. This is a very good and secure way to do things.
First, in Putty (Connection / SSH / Tunnels) add a source port of your choice, 5000 for example. Then enter localhost:5432 for Destination (providing postgres is running on port 5432 on the server). Press Add and save your session. Next time you open your ssh connection with Putty, the tunnel will be active.
After this, set up a new connection in pgadmin3, Host: localhost and Port: 5000 (and your username and pasword, of course). Now, if the putty session is active, you should be able to connect.
In postgresql.conf file, find a line called
listen_addresses = 'localhost' and change it to '*'
Next in pg_hba.conf add this line in IPV4 local connections,
host all all (Your external ip address in CIDR format) trust
Finally restart the database using this command,sudo service postgresql restart
I am trying to execute this psql command using a batch script:
psql --host=localhost --dbname=<dbname> --port=<Port Number>
--username=<dbuser> --file=C:\PSQL_Script.txt --output=C:\PSQL_Output.txt
The problem is that it's asking for the password every time I execute the batch script. How can I password argument through the batch file?
Keep reading, the best options come last. But let's clarify a couple of things first.
Only silence the password request
If your issue is only the password prompt, you can silence it. I quote the manual here:
-w
--no-password
Never issue a password prompt. If the server requires password authentication and
a password is not available by other means such as
a .pgpass file, the connection attempt will fail. This option can be
useful in batch jobs and scripts where no user is present to enter a password. (...)
You probably don't need a password
Normally this is unnecessary. The default database superuser postgres usually corresponds to the system user of the same name. Running psql from this account doesn't require a password if the authentication method peer or ident are set in your pg_hba.conf file. You probably have a line like this:
local all postgres peer
And usually also:
local all all peer
This means, every local user can log into a all database as database user of the same name without password.
However, there is a common misconception here. Quoting again:
This method is only supported on local connections.
Bold emphasis mine.
You are connecting to localhost, which is not a "local connection", even though it has the word "local" in it. It's a TCP/IP connection to 127.0.0.1. Wikipedia on localhost:
On modern computer systems, localhost as a hostname translates to an
IPv4 address in the 127.0.0.0/8 (loopback) net block, usually 127.0.0.1, or ::1 in IPv6.
Simple solution for local connections
Omit the parameter -h from the psql invocation. Quoting the manual on psql once more:
If you omit the host name, psql will connect via a Unix-domain socket
to a server on the local host, or via TCP/IP to localhost on machines
that don't have Unix-domain sockets.
Windows
... doesn't have Unix-domain sockets, pg_hba.conf lines starting with local are not applicable on Windows. On Windows you connect via localhost by default, which brings us back to the start.
If your security requirements are lax, you could just trust all connections via localhost:
host all all 127.0.0.1/32 trust
I would only do that for debugging with remote connections off. For some more security you can use SSPI authentication on Windows. Add this line to pg_hba.conf for "local" connections:
host all all 127.0.0.1/32 sspi
If you actually need a password
You could set an environment variable, but this is discouraged, especially for Windows. The manual:
PGPASSWORD behaves the same as the password connection
parameter. Use of this environment variable is not recommended
for security reasons, as some operating systems allow non-root
users to see process environment variables via ps; instead
consider using the ~/.pgpass file (see Section 32.15).
The manual on psql:
A conninfo string is an alternative to specify connection parameters:
$ psql "user=myuser password=secret_pw host=localhost port=5432 sslmode=require"
Or a URI, which is used instead of a database name:
$ psql postgresql://myuser:secret_pw#localhost:5432/mydb?sslmode=require
Password File
But it's usually preferable to set up a .pgpass file rather than putting passwords into script files.
Read the short chapter in the manual carefully. In particular, note that here ...
A host name of localhost matches both TCP (host name localhost) and Unix domain socket (pghost empty or the default socket directory) connections coming from the local machine.
Exact path depends on the system. This file can store passwords for multiple combinations of role and port (DB cluster):
localhost:5432:*:myadmin:myadminPasswd
localhost:5434:*:myadmin:myadminPasswd
localhost:5437:*:myadmin:myadminPasswd
...
On Windows machines look for the file in:
%APPDATA%\postgresql\pgpass.conf
%APPDATA% typically resolves to: C:\Documents and Settings\My_Windows_User_Name\Application Data\.
I had kinda same problem:
psql -hlocalhost -d<myDB> -U<myUser>
always prompted me for password. This is as #Erwin explained because of -hlocalhost is connecting through TCP and not through the Unix-domain socket (for Unix based OS). So even if you've configured your local as trusted:
local all all trust
it will still prompt for password. So in order to configure the -hlocalhost to work through TCP I had to configure the host for localhost addresses, like so:
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
But this didn't work for me. What I had to do is combine both of those as:
host all all localhost trust
Some additional readings:
Configuring pg_hba.conf file
Authentication methods: trust, peer, ident, etc.
postgres Documentation - https://www.postgresql.org/docs/9.6/static/app-psql.html
-w
--no-password
Never issue a password prompt. If the server requires password authentication and a password is not available by other means such as a .pgpass file, the connection attempt will fail. This option can be useful in batch jobs and scripts where no user is present to enter a password.
I found this hack of passing a connection string to command i.e.
$ psql postgresql://{DB_USER}:{DB_PASSWORD}#{DB_HOST}:{DB_PORT}/{DB_NAME}
`Example:
$ psql postgresql://user:password#127.0.0.1:5432/database
This way, if you have to pass in the database password but you don't want to keep on passing it in the prompt, you can just do this in your bash file.
I just recently install PostgreSQL on our server via SSH. The installation went successful, until the time I tried to connect to it using pgAdmin on my Windows machine.I received this kind of error:
could not connect to server: Connection refused (0x0000274D/10061) Is
the server running on host "xxx.xxx.xxx.xxx" and accepting TCP/IP
connections on port 5432?
xxx.xxx.xxx.xxx = my server's public IP.
The docs suggest this can be fixed by setting the value of listen_addresses = '*' in the /etc/postgresql/9.1/main/postgresql.conf. I did that but still it won't let me.
additional error came up
FATAL: no pg_hba.conf entry for host "xxx.xx.xxx.xxx", user
"postgres", database "postgres", SSL on FATAL: no pg_hba.conf entry
for host "xxx.xx.xxx.xxx", user "postgres", database "postgres", SSL
off
xxx.xx.xxx.xxx = my IP address.
What seems to be I'm missing?
Things that could block a postgres connection:
misconfigured listen_address in postgresql.conf
selinux (?)
iptables
pg_hba.conf (although this should cause a different error, not server doesn't listen)
Can you connect to the server locally, if you ssh in and run psql?
On our internal dev servers, I just turn off selinux and iptables. This is a bad idea from a security standpoint, but it might serve as a temporary step to help you narrow down where the problem is.
You might need to change more than one configuration file. In your case, you probably need to edit pg_hba.conf, too. Search that file for "non-local connections".
I like to keep configuration files under version control. It's easier to recover from mistakes that way.
You probably need to restart the PostgreSQL server after making those changes.
After changing listen_addresses settings on the server, make sure to restart the PostgreSQL server (send SIGHUP to the postmaster process, with kill -HUP, etc).
Make sure that postgresql.conf port is set to 5432
Make sure that if a firewall is running on the server, that port 5432 is open for connections coming from the window's (client) machine you are using
Check pg_hba.conf to make sure that the subnet of your client machine is given access
Try using psql locally