I'm currently really struggling with a postgres 9.1 database which i need for testing my software. I did not create this database but i used to log in before with postgres as a user and password. However, right now it is impossible for me to create a connection even with pgadmin3 from the same machine the database is running on. I tried a million combinations in pg-hba.conf like:
host all all 192.168.10.178/32 trust
or
host all all 0.0.0.0/0 trust
or
host example postgres 192.168.10.178/32 trust
or
host all all ::1/128 md5
Ip4 adress of server is 192.168.10.178, subnet mask is 255.255.245.0. The machine is running windows server 2008 and i'm logged in with admin rights (if that matters). In postgresql.conf the following lines are set:
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost', '*' = all
# (change requires restart)
port = 5432 # (change requires restart)
I'm not familiar at all with postgres and what i read until now about pg_hba.conf did not get me any further. I would have expected that at least with the second setting from above it would let me log in without password not caring about user or host ip. But somehow pgadmin 3 still asks for a password for user 'postgres' and if i use 'postgres' it just tells me:
password-authentication for user 'postgres' failed
Please, can anyone tell me what the hell i'm supposed to do?
This is what my settings look like:
# TYPE DATABASE USER ADDRESS METHOD
# IPv4 local connections:
host all all nnn.nn.nnn.nnn/32 trust
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
(Obviously the n's are numbers I've hidden from my actual IP address.)
As #VaoTsun said, make sure the lines are in the order you wish them applied, because the first one that matches will be what is used. So if for example you have samenet set to md5, then next line you have samehost set to trust, you will get md5 because samenet is valid for your connection.
However I strongly suspect the issue is that the IPv6 connection entry is either commented out, or set to md5 (or both). I don't know exactly why, but I know on a lot of our 2008 servers, it will use the IPv6 setting rather than the IPv4. Maybe it depends if IPv6 is enabled on the machine. Set that entry as per my settings above, and I bet that will do it.
Also, unless you've configured PGAdmin to save your password, it will still ask you for a password even if trust is properly set. Just hit enter without typing in a password, and it should allow you in. (Assuming your settings have been set correctly.)
Related
In postgresql.conf I have:
listen_addresses = "*"
My pg_hba.conf looks like:
local all postgres md5
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
#host all all myIPADDRESS md5
If I uncomment the last line
pgadmin says it cannot access and to make sure whether the port is accessible. I have flushed the iptables to have no rules, so the firewall is not stopping it.
local access to the database from my scripts is not working
With the last line commented:
pgadmin says that no pg_hba.con entry for my IP address
I am able to access the database locally on the server from my scripts
What am I missing to make the configuration right?
Thanks.
Looking at this post. After adding to pg_hba.conf:
host all all ::/0 trust
host all all my.ipv4.IP/32 trust
It works now.
Not sure if order is important in pg_hba.conf but, I put mine at top and also tried with and without IP and both worked.
Had same problem with psql via command line connecting and pgAdmin not connecting on RDS with AWS. I did have my RDS set to Publicly Accessible. I made sure my ACL and security groups were wide open and still problem so, I did the following:
sudo find . -name *.conf
then sudo nano ./data/pg_hba.conf
then added to top of directives in pg_hba.conf file host all all 0.0.0.0/0 md5
and pgAdmin automatically logged me in.
This also worked in pg_hba.conf file
host all all md5 without any IP address and this also worked with my IP address host all all <myip>/32 md5
As a side note, my RDS was in my default VPC. I had an identical RDS instance in my non-default VPC with identical security group, ACL and security group settings to my default VPC and I could not get it to work. Not sure why but, that's for another day.
I don't understand the pg_hba.conf documentation. It seems to say that I could add this entry:
host all all md5
or this entry
host all all *.*.*.*/* md5
to allow access from anywhere.
But not only can I not connect to my local database using my VirtualBox guest IP of 10.0.2.15 with either of these lines, if I don't have
host all all 127.0.0.1/32 md5
then I can no longer connect even using 0.0.0.0 and 127.0.0.1
What line do I need to add to allow access from any IP (including inside Docker containers in my VirtualBox) using password authentication?
Here's my current, standard, hb_pga.conf file:
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
(All the below is based on the documentation for Postgres 9.5, but I'm not aware of any major changes for this syntax, so it should apply to anything vaguely recent.)
As far as I know, the line
host all all md5
isn't valid syntax. When using the host record type, the following formats are available
host database user address auth-method [auth-options]
host database user IP-address IP-mask auth-method [auth-options]
so a minimum of four additional arguments, whereas you've only provided three.
As per your comment, the line
host all all 0.0.0.0/0 md5
will work to allow connections from all IP address (based on subsequent password authentication). The /0 is a mask for which bits (literally the bits) of the IP address to validate against. /0 means you want to ignore the whole thing, i.e. allow all addresses. The mask 1.2.3.4/0 would mean exactly the same thing. It's not usually best practice to allow access from anywhere, but if you're dealing with non-public facing VMs or Docker containers then it's fine.
If you're using IPv6 connections, the syntax is very similar:
host all all ::/0 md5
For what it's worth, I've never come across the syntax
host all all *.*.*.*/* md5
I've been trying to edit pg_hba.conf file in order to be able to access the server using just the IP address with, so far, no success.
For example, I can access using «localhost», but I want to access using the IP address that my router gave me which is something like 192.168.1.X
This is mi pg_hba.conf:
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres trust
#host replication postgres 127.0.0.1/32 trust
#host replication postgres ::1/128 trust
host all all 0.0.0.0/0 trust
Any help?
First, edit the postgresql.conf file, and set listen_addresses. The default value of 'localhost' will only listen on the loopback adaptor. You can change it to '*', meaning listen on all addresses, or specifically list the IP address of the interfaces you want it to accept connections from. Note that this is the IP address which the interface has allocated to it, which you can see using ifconfig or ip addr commands.
You must restart postgresql for the changes to listen_addresses to take effect.
Next, in pg_hba.conf, you will need an entry like this:
# TYPE DATABASE USER ADDRESS METHOD
host {dbname} {user} 192.168.1.0/24 md5
{dbname} is the database name you are allowing access to. You can put "all" for all databases.
{user} is the user who is allowed to connect. Note that this is the postgresql user, not necessarily the unix user.
The ADDRESS part is the network address and mask that you want to allow. The mask I specified will work for 192.168.1.x as you requested.
The METHOD part is the authentication method to use. There are a number of options there. md5 means it will use an md5 hashed password. 'trust' which you had in your sample means no authentication at all - this is definitely not recommended.
Changes to pg_hba.conf will take effect after reloading the server. You can to this using pg_ctl reload (or via the init scripts, depending on your OS distro).
I am new to this type of database and I try to connect to it through the command line specifying psql, and then entering the password as blank. I get the above error (in the title of this question).
I dont know what the default password.
pg_hba file:
IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
host replication DIMA 127.0.0.1/32 trust
host replication DIMA ::1/128 trust
postgresql.config
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost', '*' = all
# (change requires restart)
port = 5432 # (change requires restart)
I restart the server this way:
C:\metasploit\postgresql\bin\pg_ctl -D "C:\metasploit\postgresql\myData" -l logfile start
All I want is to enter the database and change my password. And preferably to enter the PgAdmin-III (in GUI form)
If you were using trust authentication (which you should only use for development, if then) you would not be prompted for a password by psql.
I'd say you didn't properly restart the server. Maybe use restart instead of start?
As Craig said, you probably didn't restart the server and you should use restart instead of start. (reload may work as well but not as sure on Windows)
But that is not your problem. The key problem is almost certainly that you are not connecting to localhost and you have lines in your pg_hba.conf that are requiring passwords from other hosts.
Note if you connect to an external IP address, you will hit a different or more general rule.
This error means, basically, that the pg_hba.conf file is set to password authentication but no password was supplied. If you cannot find the problem quickly, what IP address the connection is from should be in the postgresql log file.
As for using trust, you should certainly change it back after changing your password. Ordinarily I would agree with Craig that one should not use trust authentication outside of development, but it is a legitimate approach to password resets of important users, and on Windows, this has to be done in ways supported well on the platform.
As a final note the question is how you are logging in. If you are going to set this, you should probably use psql -h 127.0.0.1 [dbname] to ensure Windows doesn't do something weird like try to connect using the machine name (and hence external IP).
I'm trying to register new server in pgadmin3 with following settings:
Name: postgres
Host: localhost
Username: postgres
Password: <password which works for psql>
Service: empty or postgres
But it shows error:
FATAL: Ident authentification failed for user "postgres"
I've restarted postgresql service, but to no avail.
Contents of /var/lib/pgsql/data/pg_hba.conf:
# TYPE DATABASE USER CIDR-ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 ident
EDIT: Tools -> Server Configuration -> pg_hba.conf is greyed out.
It looks like PgAdmin-III is probably connecting over IPv6 by default, so it's using the ident line that matches the IPv6 address for localhost, ::1/128.
If you want to use password authentication, you probably want:
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
I'm not sure why you have the unix domain socket line set to trust, but that's probably OK if it's just a development machine, so leave it unchanged. It's really much safer to have it as ident (if you want the unix user to have to be the same as the Pg user) or md5 (for password auth on local unix sockets) though.
You'll need to edit pg_hba.conf directly in a text editor if PgAdmin-III doesn't have permissions to edit it. You could run PgAdmin-III as user postgres via sudo, but it's way safer (and probably easier) to just use nano or a similar command-line text editor to modify pg_hba.conf.
The password works for psql because psql will, unless told otherwise, connect over a unix domain socket, and you have that set to trust. You'll probably find you could give any password to psql and it'll still work, because it's never being asked to actually give the password, it's just being automatically trusted.
Yes this type of error is seen by every newbie user to pgadmin.
I have found this solution and it worked for me.
sudo -u postgres psql
This will ask for your system password and then you will get the postgres prompt.
and then in psql type below command to change the password.
\password
now enter the new password and re-enter it.
PostGreSQL Account Debugging Steps (Linux Specific):
Make sure you actually have it installed (not just the client, the server too).
Make sure it is running.
Make sure you know where this is - usually in /var/lib/pgsql/data - however this could be anywhere - /var/lib/pgsql/unrelated-instance. Check your postgres process to see which directory (-D argument) this is.
Modify the pg_hba.conf file in the directory from the last step. I have no idea why this step isn't in the postgres documentation.
The specific configuration has been covered in e.g. Jay and Craig Ringer's answer. Make sure to configure both IPV4 and IPV6.
Restart the server.
Test that your configuration worked. Repeat 5-7 until you can login successfully.
Important Don't stop! Now you should configure a more secure password option - postgres may be fine for doing quick local setup, but you want to be using a more secure, configurable authentication mechanism, like LDAP, Kerberos, or GSSAPI. Additionally, you want to make sure you have SSL turned on.