Is Postgres Ignoring the "trust" in pg_hba.conf File? - postgresql

I have the following lines in my pg_hba.conf file:
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all localhost trust
and I've restarted Postgres. When I connect at the command line everything works as expected:
$ psql -U me -W
Password for user me: # I can type any password and it will work
psql (9.5.7)
Type "help" for help.
me=#
However, when I connect through a software library (the Node library pg, through the library knex) I get an error:
password authentication failed for user "me"
I'm not specifically looking for a fix, I'm just trying to understand how this is even possible. If I just told Postgres to trust anyone, how can I still be getting errors about authentication failing? Was there something wrong with my pg_hba.conf entries, or does Postgres just choose to ignore them under certain circumstances, or ....
EDIT
In case it helps the database connection URL my program is using to connect is:postgres://localhost:5432/mydb.

When you did psql -U me -h localhost, psql failed to connect because it doesn't know what database to connect to.
Solution is psql -U me -h localhost -d database_name
Hope this helps.

Related

Connection failed with psql and pgadmin4

I use postgres 11, I just try to connect with one of my user to psql and pgadmin4
my pg_hba.conf file
# "local" is for Unix domain socket connections only
local all all peer
host sito lcm_admin 127.0.0.1/32 md5
host sito sito_lcm 127.0.0.1/32 md5
My postgres user have a password.
I tried my posgres user, sito_lcm and lcm_admin to connect to pgAdmin4, alway get
Invalid username or password
I know there are good because It's the one I use to connect to posgres db in a java program
for psql i tried
su - postgres
typed my password
authentication fail
tried with one of my db user
psql -U lcm_admin sito
psql: FATAL: Peer authentication failed for user "lcm_admin"
Edit
With Daniel Vérité tips, I can connect to psql but not to pgAdmin4
First time i see this screen, my last connection was a few month ago, don't know if some updated had created this issue
Because of this rule in pg_hba.conf
host sito lcm_admin 127.0.0.1/32 md5
You probably want to invoke psql that way:
psql -U lcm_admin -h 127.0.0.1 sito
Then it will ask for a password instead of failing with "Peer authentication failed".
Note that rules in pg_hba.conf are tested in their order in the file (top to bottom), and it stops at the first one that matches.
About connectiong with pgAdmin4:
As mentioned in https://www.pgadmin.org/docs/pgadmin4/latest/getting_started.html there is an additional step to access pgAdmin4 itself, as an application.
In a server deployment, an email address and password are asked at installation time. If you don't remember the password but you gave a valid email address, the link "Forgotten your password" might work for you.
Otherwise I guess reinstalling pgAdmin4 from scratch might work too.
Personally, I launch pgAdmin4 as a docker container without a persistent volume:
$ docker run -p8080:80 -e PGADMIN_DEFAULT_EMAIL=foo#example.com -e PGADMIN_DEFAULT_PASSWORD=bar dpage/pgadmin4
Then I connect to http://localhost:8080 and the email/password to enter on the first page are those environment variables passed on the command line.

Password Error when logging into POSTGRES on my MAC

I am having an issue that has been bothering me for some time now. It is with postgres on my mac. I set a password for postgres and I can not remember it for some reason. I have looked up and attempted several different methods for trying to reset the password but none of them are working and I need it fixed as soon as possible.
Here is what my pg_hba.conf file
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
I reset the local all all trust and then restarted my postgres server running
brew services restart postgres
and when i go to try and open postgres on my terminal I get the same password issue:
omars-MacBook-Pro:postgres omarjandali$ psql -U postgres -W -h localhost
Password:
psql: error: could not connect to server: FATAL: password authentication failed for user "postgres"
or
omars-MacBook-Pro:~ omarjandali$ psql -h 127.0.0.1 -U postgres
Password for user postgres:
psql: error: could not connect to server: FATAL: password authentication failed for user "postgres"`
You only configured "local" connections which are using Unix domain sockets. But your psql command line tries to establish a TCP connection (-h ...), which is not configured in your pg_hba.conf.
You need to use host instead of localin pg_hba.conf to allow trusted, non-password connections through TCP.
But that is a really, really bad idea, because that means that as soon as your Mac is visible on the internet, everybody can connect to your Postgres instance and hack it. This isn't a theoretical threat - there have been numerous posts on this site regarding that.
If you want to allow connections without passwords, at least only allow them from "localhost", not from the outside:
# TYPE DATABASE USER ADDRESS METHOD
host all all samehost trust

Can't get password authentication to work

I want to do something very simple: create a PostgreSQL database and then connect to it using psql. So here's what I did:
sudo apt install postgresql-9.6 (on Ubuntu 18.04)
sudo -su postgres (start a shell for the postgres system user)
createuser -P foo (create a user and prompt for a password for that user)
createdb -O foo foo (create a database owned by the previously created user)
All this worked flawlessly, no errors anywhere. And yet, when I try to connect to the database using psql -h localhost -U foo foo, I can't access the database (the password is definitely correct). The error message is psql: FATAL: password authentication failed for user "foo"
/etc/postgresql/9.6/main/pg_hba.conf looks as follows:
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
It all looks fine to me, yet it just doesn't work. What am I missing here?
I have also tried alter user foo valid until 'infinity'. And while the command completed successfully, it didn't help with the problem.
// edit: I noticed something strange about this problem. When I remove the -h localhost, peer authentication fails (as expected, because there is no user foo on the system). This leaves three lines of logs in /var/log/postgresql/postgresql-9.6-main.log. However when I do use the -h localhost flag, no logs are generated at all.
//edit: I have now tried the same thing on a Fedora 28 machine and it works as expected. I have no idea what the difference might be (other than the operating system and postgres version (10.5)

Ecto Postgres install error password authentication failed

I created a phoenix project from the hello example using digital ocean. I entered the username and password from the etc/motd.tail file. I keep getting the error message below. I am a beginner and for some reason I just cannot get ecto to install correctly.
** (Mix) The database for Hello.Repo couldn't be created, reason given: psql: FATAL: password authentication failed for user "elixir"
FATAL: password authentication failed for user "elixir"
You can use the following Postgress database credentials:
* User: elixir
* Pass: ***
install. Any help would be appreciated.
I get the same error using Ubuntu 14.04 and I corrected resetting the 'postgres' password:
$ sudo -u postgres psql -c "ALTER USER postgres PASSWORD 'postgres';"
and restart postgres service:
sudo service postgresql restart
I assume this error is happening on the mix ecto.create task?
This happens because Ecto uses psql to create the database, however this is no longer the case in the upcoming Ecto 2.0.
The following GitHub issue shows the same issue https://github.com/elixir-lang/ecto/issues/1207
The relevant comment with the fix is https://github.com/elixir-lang/ecto/issues/1207#issuecomment-172570064:
My database config (pg_hba.conf) was apparently wrong.
For anyone else encountering this:
host all my_user 127.0.0.1/32 trust will not work
host all my_user localhost trust will work
Please check your pg_hba.conf (likely in /etc/postsgresql/9.x/pg_hba.conf).
We just need to create a new postgresql username and password according to the files inside config folder using this db method
$ sudo -u postgres createuser <username>
$ sudo -u postgres createdb <dbname>
$ sudo -u postgres psql
psql=# alter user <username> with encrypted password '<password>';
psql=# grant all privileges on database <dbname> to <username> ;
I needed to update the pg_hba.conf to make this work.
I am using Fedora, so get to /var/lib/pgsql/data
# "local" is for Unix domain socket connections only
local all postgres peer
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 ident
Then I created an elixir user in postgres with databse creation capabilities and configured it in dev.exs (user/password/database)

psql: FATAL: Peer authentication failed for user "dev"

when i create a new user, but it cannot login the database.
I do that like this:
postgres#Aspire:/home/XXX$ createuser dev
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) y
then create a database:
postgres#Aspire:/home/XXX$ createdb -O dev test_development
after that, I try psql -U dev -W test_development to login, but get the error:
psql: FATAL: Peer authentication failed for user "dev"
I tried to solve the problem but failed.
Try:
psql -U user_name -h 127.0.0.1 -d db_name
where
-U is the database user name
-h is the hostname/IP of the local server, thus avoiding Unix domain sockets
-d is the database name to connect to
This is then evaluated as a "network" connection by Postgresql rather than a Unix domain socket connection, thus not evaluated as a "local" connect as you might see in pg_hba.conf:
local all all peer
Your connection failed because by default psql connects over UNIX sockets using peer authentication, that requires the current UNIX user to have the same user name as psql. So you will have to create the UNIX user dev and then login as dev or use sudo -u dev psql test_development for accessing the database (and psql should not ask for a password).
If you cannot or do not want to create the UNIX user, like if you just want to connect to your database for ad hoc queries, forcing a socket connection using psql --host=localhost --dbname=test_development --username=dev (as pointed out by #meyerson answer) will solve your immediate problem.
But if you intend to force password authentication over Unix sockets instead of the peer method, try changing the following pg_hba.conf* line:
from
# TYPE DATABASE USER ADDRESS METHOD
local all all peer
to
# TYPE DATABASE USER ADDRESS METHOD
local all all md5
peer means it will trust the identity (authenticity) of UNIX user. So not asking for a password.
md5 means it will always ask for a password, and validate it after hashing with MD5.
You can, of course, also create more specific rules for a specific database or user, with some users having peer and others requiring passwords.
After changing pg_hba.conf if PostgreSQL is running you'll need to make it re-read the configuration by reloading (pg_ctl reload) or restarting (sudo service postgresql restart).
* The file pg_hba.conf will most likely be at /etc/postgresql/9.x/main/pg_hba.conf
Edited: Remarks from #Chloe, #JavierEH, #Jonas Eicher, #fccoelho, #Joanis, #Uphill_What comments incorporated into answer.
Peer authentication means that postgres asks the operating system for your login name and uses this for authentication. To login as user "dev" using peer authentication on postgres, you must also be the user "dev" on the operating system.
You can find details to the authentication methods in the Postgresql documentation.
Hint: If no authentication method works anymore, disconnect the server from the network and use method "trust" for "localhost" (and double check that your server is not reachable through the network while method "trust" is enabled).
When you specify:
psql -U user
it connects via UNIX Socket, which by default uses peer authentication, unless specified in pg_hba.conf otherwise.
You can specify:
host database user 127.0.0.1/32 md5
host database user ::1/128 md5
to get TCP/IP connection on loopback interface (both IPv4 and IPv6) for specified database and user.
After changes you have to restart postgres or reload it's configuration.
Restart that should work in modern RHEL/Debian based distros:
service postgresql restart
Reload should work in following way:
pg_ctl reload
but the command may differ depending of PATH configuration - you may have to specify absolute path, which may be different, depending on way the postgres was installed.
Then you can use:
psql -h localhost -U user -d database
to login with that user to specified database over TCP/IP.
md5 stands for encrypted password, while you can also specify password for plain text passwords during authorisation. These 2 options shouldn't be of a great matter as long as database server is only locally accessible, with no network access.
Important note:
Definition order in pg_hba.conf matters - rules are read from top to bottom, like iptables, so you probably want to add proposed rules above the rule:
host all all 127.0.0.1/32 ident
While #flaviodesousa's answer would work, it also makes it mandatory for all users (everyone else) to enter a password.
Sometime it makes sense to keep peer authentication for everyone else, but make an exception for a service user. In that case you would want to add a line to the pg_hba.conf that looks like:
local all some_batch_user md5
I would recommend that you add this line right below the commented header line:
# TYPE DATABASE USER ADDRESS METHOD
local all some_batch_user md5
You will need to restart PostgreSQL using
sudo service postgresql restart
If you're using 9.3, your pg_hba.conf would most likely be:
/etc/postgresql/9.3/main/pg_hba.conf
This works for me when I run into it:
sudo -u username psql
I simply had to add -h localhost
The easiest solution:
CREATE USER dev WITH PASSWORD 'dev';
CREATE DATABASE test_development;
GRANT ALL PRIVILEGES ON DATABASE test_development to dev;
ALTER ROLE dev CREATEROLE CREATEDB;
In my case I was using different port. Default is 5432. I was using 5433. This worked for me:
$ psql -f update_table.sql -d db_name -U db_user_name -h 127.0.0.1 -p 5433
For people in the future seeing this, postgres is in the /usr/lib/postgresql/10/bin on my Ubuntu server.
I added it to the PATH in my .bashrc file, and add this line at the end
PATH=$PATH:/usr/lib/postgresql/10/bin
then on the command line
$> source ./.bashrc
I refreshed my bash environment. Now I can use postgres -D /wherever from any directory
pg_dump -h localhost -U postgres -F c -b -v -f mydb.backup mydb
Try in terminal:
>> psql -U role_name -d database -h hostname.<domain>.com -W