I am trying to configure ssl certificate for PostgreSQL server. I have created a certificate file (server.crt) and key (server.key) in data directory and update the parameter SSL to "on" to enable secure connection.
I just want only the server to be authenticated with server certificates on the client side and don't require the authenticity of client at server side. I am using psql as a client to connect and execute the commands.
I am using PostgreSQL 8.4 and Linux. I tried with the below command to connect to server with SSL enabled
psql "postgresql://localhost:2345/postgres?sslmode=require"
but I am getting
psql: invalid connection option "postgresql://localhost:2345/postgres?sslmode"
What am doing wrong here? Is the way I am trying to connect to server with SSL mode enabled is correct? Is it fine to authenticate only server and not the client ?
psql below 9.2 does not accept this URL-like syntax for options.
The use of SSL can be driven by the sslmode=value option on the command line or the PGSSLMODE environment variable, but the default being prefer, SSL connections will be tried first automatically without specifying anything.
Example with a conninfo string (updated for psql 8.4)
psql "sslmode=require host=localhost dbname=test"
Read the manual page for more options.
psql --set=sslmode=require -h localhost -p 2345 -U thirunas \
-d postgres -f test_schema.ddl
Another Example for securely connecting to Azure's managed Postgres database:
psql --file=product_data.sql --host=hostname.postgres.database.azure.com --port=5432 \
--username=postgres#postgres-esprit --dbname=product_data \
--set=sslmode=verify-full --set=sslrootcert=/opt/ssl/BaltimoreCyberTrustRoot.crt.pem
Well, you could provide all the information with the following command in CLI, if a connection requires in SSL mode:
psql "sslmode=verify-ca sslrootcert=server-ca.pem sslcert=client-cert.pem sslkey=client-key.pem hostaddr=your_host port=5432 user=your_user dbname=your_db"
Found the following options useful to provide all the files for a self signed postgres instance
psql "host={hostname} sslmode=prefer sslrootcert={ca-cert.pem} sslcert={client-cert.pem} sslkey={client-key.pem} port={port} user={user} dbname={db}"
On psql client v12, I could not find option in psql client to activate sslmode=verify-full.
I ended up using environment variables :
PGSSLMODE=verify-full PGSSLROOTCERT=server-ca.pem psql -h your_host -U your_user -W -d your_db
psql "sslmode=require host=localhost port=2345 dbname=postgres" --username=some_user
According to the postgres psql documentation, only the connection parameters should go in the conninfo string(that's why in our example, --username is not inside that string)
psql -h <host> -p <port> -U <user> -d <db>
and update /var/lib/pgsql/10/data/pg_hba.conf to change the auth method to cert. Check the following link for more information:
https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html
Another pattern that worked with v8 is
psql -h host_name -p port -U user_name "dbname=db sslmode=require"
Related
I have initialized a pg database as such:
user_name#my_machine$ sudo -u postgres createuser -s user_name
user_name#my_machine$ createdb -T template0 db_name
I can now connect to it via psql via user_name#my_machine$ psql db_name
and everything works well with the CLI tooling.
The relevant auth line of /etc/postgresql/13/main/pg_hba.conf is:
local all all peer
Now I'd like to connect to it via PgAdmin 4, and I can't find a way to tell the interface that I want to connect via unix socket and don't need a password.
The sanest way I can think is:
but the connection is still rejected with a fe_sendauth: no password supplied.
I know I could configure a password for my user and give it, but I'd like to know if I can make PgAdmin behave properly.
Short answer: put /var/run/postgresql in host name/address.
In Ubuntu 16.04 I created second postgres database cluster, called cmg, with a local user as the admin user:
pg_create -u "local_username" -g "local_usergroup" -d /path/to/data/dir 9.5 cmg
The cluster was started with:
pg_ctrlcluster 9.5 cmg start
which ran successfully (pg_lsclusters show both are online)
The problem is I cannot connect to the cluster using psql as is normally done.
I tried using:
psql -h 127.0.0.1 -w -p5433 -U local_username
which fails with:
psql: fe_sendauth: no password supplied"
Is there any way to connect to the specific cluster?
use psql -h your_socket_dir -p5433 -U postgres to connect locally (uses peer auth by default - thus high chahce to login wothout password)
once logged in - set up password (create user if needed) and use it connecting remotely
psql -h 127.0.0.1 -p5433 -U local_username
in your connect string you had -w which is never ask for a password https://www.postgresql.org/docs/current/static/app-psql.html which would by default work only for local connections
I think the default pg_hba.conf when you start up a new cluster expects you to authenticate with peer connections, so you need to change user to your local user before connecting
[root#server~]# su - local_username
>> Enter password:
> password
[local_username#server~]# psql -h 127.0.0.1 -p 5433
You can check your pg_hba.conf file in /path/to/data/dir/pg_hba.conf to see how it expects you to authenticate.
Alternatively, if you cannot get access as your 'local_username' then instead su to postgres user in the instructions above and it should work
I need to specify sslmode=allow when using psql to connect to my PostgreSQL DB, like: psql sslmode=allow -h localhost -p 5432
otherwise I get server does not support SSL, but SSL was required
I tried specifying the same option to pg_dump but it doesn't recognize the option.
How do I specify sslmode to pg_dump?
You need to use the environment variable PGSSLMODE like this:
PGSSLMODE=allow pg_dump -h localhost -p 5432
see https://dba.stackexchange.com/a/227805
pg_dump "port=<port> host=<host> user=<user> dbname=<db> sslcert=<cert> sslkey=<key> sslrootcert=<ca.crt> sslmode=allow" -f <file>
I have Kubuntu 14.10 desktop with PostgreSQL 9.4 database installed.
I have changed the password of the postgres user in the database by executing the SQL:
ALTER USER postgres PASSWORD 'password';
And I can connect to DB server by psql -h localhost -U postgres -W and giving that password but I can also connect without a password requirement by simply psql -h localhost -U postgres.
On the other hand, if I run psql -h 127.0.0.1 -U postgres it prompts me for the password set before.
What is the difference between the localhost and 127.0.0.1 hosts and their login method? Where is it set? I see no localhost-related entries in the pg_hba.conf file.
The behavior you see might be caused by a password file. The password file is conventionally named ~/.pgpass on Unix systems, but a different filename can be given through the PGPASSFILE environmental variable.
I think a password file that contains a line for "localhost", but does not contain a line for "127.0.0.1" will show the behavior you're seeing. My own ~/.pgpass file contains this line.
localhost:*:*:postgres:password
Here's what happens when I try to connect just like you did.
$ psql -h localhost -U postgres
psql (9.3.5)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
sandbox=# \q
$ psql -h 127.0.0.1 -U postgres
Password for user postgres:
Adding the line 127.0.0.1:*:*:postgres:password to ~/.pgpass lets me log in using 127.0.0.1 and no password.
$ psql -h 127.0.0.1 -U postgres
psql (9.3.5)
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
sandbox=#
I just set up an Amazon RDS instance. I have a separate application server and I am trying to figure out how to connect to the RDS instance from my EC2 application server. On the Instance page, I have
enbdpoint: mycompany.czdv3mj7ps25.us-west-2.rds.amazonaws.com:5432
I tried to login into to psql using that address but I got
$ psql -h mycompany.czdv3mj7ps25.us-west-2.rds.amazonaws.com:5432 -U myuser -d mydb
psql: could not translate host name "mycompany.czdv3mj7ps25.us-west-2.rds.amazonaws.com:5432" to address: Name or service not known
How do I connect to the instances database? I don't see any other ip addresses in the RDS console.
You have wrong syntax. The correct syntax is:
$ psql --host mycompany.czdv3mj7ps25.us-west-2.rds.amazonaws.com --port 5432 --username myuser --dbname mydb
You have specified port information wrong in you command. the port has to be specified using --port option and not hostname:port
This syntax worked for me in the psql command line:
\connect dbname username hostname port#
If the information is correct it will take a couple seconds to process then it will ask for your password
Also make sure the security group for your instance, the outbound/inbound is setup to allow access from your IP