I'm pretty new to PostreSQL. I've spent all morning trying to get user logins working properly, and I'm terribly frustrated by now!
So, I have a PostGIS database, version 9.2, as part of the OpenGeo suite of software. I could access the database with the postgres user, but want to make a group role and user with access to a database so that it can create tables and update/select/delete etc. in that database.
I can create a user, that works, and I can login with that user. I can create a group role and assign privileges to the role. I can then add the user to the group role, and then can NO LONGER LOGIN!
It even got so that when I added the user postgres to the group, that user can't login. I remove the group but the inability to login persists.
Now, I have played with pg_hba.conf a lot. And I can now login as postgres, but only if 'trust' is enabled, and I can't login with any software, such as PGAdminIII.
It would be great to get some advice as to what is going wrong, and to enable authenticated logins again.
pg_hba:
Code:
# Database administrative login by Unix domain socket
local all postgres trust
local all gisadmin trust
# TYPE DATABASE USER ADDRESS METHOD
local all opengeo md5
local all opengeo md5
# "local" is for Unix domain socket connections only
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
host all gisadmin localhost trust
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres peer
#host replication postgres 127.0.0.1/32 md5
#host replication postgres ::1/128 md5
Just as a final note, I would like to be able to login via a SSH tunnel. I could do that originally with the 'postgres' user, but now that I added and removed that user from a group, I can't.
Edit: the error messages...
If I login via SSH tunnel in PGAdmin with the correct password, I get the error "FATAL: password authentication failed for the user ..."
If I try to login via SSH tunnel in PGAdmin without a password, while the trust option is set, I get the error: "error connecting to the server: fe_sendauth: no password supplied".
The first error still happens when logging in locally, just via SSH and psql, but the second one goes away and I can log in.
output of \du+:
output of \dg+
I think this behaviour may be related with pgAdminIII, because i'm having similar issues and it seems every time i connect to my db as postgres using pgAIII and look at the definition tab in user properties, the check box for the "expiring date" is checked and either 1/1/1970 or 31/12/1969 are set as expiring date. The solution proposed by Daniel works, so it's obvious the problem is the expiration of the password.
Seems that this bug was corrected in pgAdmin 1.16.2 as you can see in the changelog:
http://www.pgadmin.org/development/changelog.php
Cheers
In the \du+ output, the Password valid until 1970-01-01 00:00:00+00... look quite suspicious. Strictly speaking, the passwords for gisadmin, postgisrw and postgres are no longer valid so that might explain why password-based authentication methods fail for these accounts.
You may try ALTER USER username valid until 'infinity' on these accounts and see if that solves the problem.
Also when connecting to PG through a SSH tunnel, be aware that the pg_hba.conf entries starting with host are ignored. These entries are only considered for connections to Unix domain sockets. Sometimes users confuse that with connections from localhost to itself.
Related
I'm using Postgresql, and I have a database named django_db and a user manuel. I want to connect to this database by this user, I tried this \c django_db manuel but I get this error:
FATAL: Peer authentication failed for user "manuel"
Previous connection kept
How can I solve this problem?
Make sure the user manuel has access to the database django_db in the pg_hba.conf file, e.g.
host django_db manuel your_ip_adress md5
Or if you prefer to give this user access to all databases
host all manuel your_ip_adress md5
After modifying your pg_hba.conf you have to either restart postgres or simply reload the file using the following function:
SELECT pg_reload_conf();
Unless you have a user mapping in place, only the OS user named 'manuel' can connect as the PostgreSQL user named 'manuel'. This is what "peer authentication" means.
You have many choices here. Try this as an OS user named 'manuel', or change from peer to some other type of authentication (in pg_hba.conf), or create a pg_ident.conf file (and then configure pg_hba.conf to use it) that allows the OS user you actually are to login as PostgreSQL user 'manuel'.
i want to give read only access to a user in my Postgres database.
I have created the user and gave read access to certain schema's and add his IP in pg_hba.config file,but the issue is that the user don't have a particular IP ,today he connects from a different IP and get's the same error.So adding the IP to pg_hba is not an option.
FATAL: no pg_hba.conf entry for host "67.xxx.xxx.53", user "abc_read", database "postgres", SSL on FATAL: no pg_hba.conf entry for host "67.xxx.xxx.53"
So is there a way to give access via SSH Key or certificates, not sure how certificates works in postgres?
can anyone give me a hint/suggestion on this?
I'm trying to configure my PostgreSql database ("mydb") in order to give login rights to the windows "LocalSystem" account.
I've created a user in my database named LocalSystem
SQL> CREATE USER LocalSystem;
Then, I've tried using SSPI config in pg_hba.conf, but maybe I've misconfigured the configuration line:
# TYPE DATABASE USER ADDRESS METHOD
host mydb LocalSystem 127.0.0.1/32 sspi
When I run a command using psql, I'm asked to provide a password...which i didn't expect..
EDIT:
I've also tried to map my domain account to a postgres user, using
pg_ident.conf
#MAPNAME SYSTEM-USERNAME PG-USERNAME
postgresname domain\username postgresname
pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
host mydb postgresname 127.0.0.1/32 sspi
Does someone know what should I do?
Thanks
It asks for the password of the Postgres account, not the Windows account. you can set the Postgres password through ALTER ROLE or in psql using the \password command
You need to add new mapping line to pg_ident.conf:
anyMappingName "SYSTEM#NT AUTHORITY" postgresUserName
Add this mapping to all active lines in pg_hba.conf:
host mydb all 127.0.0.1/32 sspi map=anyMappingName
Then you should connect to postgres db as postgresUserName user. I mean you should define Username in your connection string, and also define IntegratedSecurity as TRUE.
For example, postgresUserName can be "LocalSystem" user, that you created in postgres db earlier, or superuser "postgres".
I have a certain schema in a PG database that contains some very sensitive data. I'd like to prevent access to it for every role except one, but I can't figure it out from the documentation on permissions.
To begin with, I figured I'd only give CONNECT access to that one special role, but then every other role can connect to the schema. To make things worse, every role can also CREATE, DROP, and do everything else.
What have I missed?
Side question: in time, this schema will be a streaming destination from another instance of postgresql. In short, we have a master db server that supports a live web site, and we need a secondary, read-only copy of it on another machine to perform some computationally intensive queries on. We figured that streaming was the answer. Does this make sense? Is it still possible to protect access to it?
We are using version 9.5, in case this is relevant.
You can edit the file /etc/postgresql/9.5/main/pg_hba.conf and put this content:
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# IPv4 local connections:
host all YOUR_USER [USER_IP]/32 md5
It will allow connections with a password for this specific user from this specific LAN/WAN IP.
Only this user and postgres will be allowed.
in time, this database will be a streaming destination from another instance of postgresql.
When this database becomes a replication master you can add the following to the same file:
# Allow replication connections from localhost, by a user with the
# replication privilege.
host replication REPL_USER [REPL_HOST]/32 md5
More info on how to set up the replication here: https://www.gab.lc/articles/replication_postgresql
After the changes you need to reload PostgreSQL with:
service postgresql reload
You can drop the roles you don't want to allow.
Update:
If you wish to revoke privileges with a query you can run:
-- Grant privileges to whitelisted user:
GRANT ALL PRIVILEGES ON [database name] TO [good_user];
-- Revoke privileges for other users:
REVOKE ALL PRIVILEGES ON [database name] FROM [bad_user];
I am trying to set my local postgresql so it does not have a password. I understand that this has to be done in the pg_hba.conf file and to acceess that file I have to be a postgres user. But to be a postgres user, I have to login with su postgres and enter the password that I don't have.
Any solution to this (I am on OSX)?
You're confusing several different concepts about the security model.
There is a postgres operating system user, which the PostgreSQL server runs as in order to isolate its data files and to limit damage in case of a security breach or application bug. PostgreSQL won't run as root for security. This user doesn't generally have a password, but you can change to it via the root account using sudo - you can sudo to this user with something like sudo -i -u postgres.
There is also a postgres database user, the default database superuser. This user doesn't generally have a password by default, but pg_hba.conf allows the postgres operating system user to connect as the postgres PostgreSQL user using peer authentication.
If you want you can change the configuration so that you use a password for the postgres database user, so you can psql -U postgres from any system user account:
ALTER USER postgres WITH ENCRYPTED PASSWORD 'blahblah';
Edit pg_hba.conf ("hba" is "host-based authentication") to use md5 authentication for local and host connections.
Re-start or re-load PostgreSQL
Similarly, if you want to allow any system user to connect as any database user without a password, you must modify pg_hba.conf and set trust as the authentication mode for local and host connection types. Please only use trust authentication for testing.
To learn more, see the client authentication chapter in the PostgreSQL documentation.