PostgreSQL multiple authentication methods - postgresql

How can I set up multiple authentication methods for the same host/database/user rule? I want to be able to log in to my postgres user using both sudo -u postgres psql -U postgres (without having to enter a PostgreSQL password) and psql -U postgres --password. Something like the following in pg_hba.conf:
local all postgres md5
local all postgres peer
I can only get one method or the other working at the same time.
Thanks.
(I am using PostgreSQL 9.1).

Nope. Only one auth method is supported for any given configuration.
I'd love it if Pg could support fall-back authentication, where if an ident check fails it allows md5 auth instead. It doesn't support this at the moment, though, and I suspect (I haven't verified) that a protocol change would be required to support it.
What you can do is store the password in a $HOME/.pgpass file for the postgres system user. Give it mode 0600 so it's only readable by the postgres user and by root, both of whom can get direct access to the database files and configuration anyway. That way you get easy admin and md5 auth. On some systems you may have to set and create a home directory for the postgres user before you can do this. See getent passwd postgres to see if if the postgres user has a homedir and if so, where it is.
(UPDATE: used to read $HOME/.psqlrc - which is useful, but .pgpass is suitable for password storage)

Related

Postgresql: How do I set the password for the user 'postgres' when I can't access the postgresql database?

I'm running postgresql 10.12 on Ubuntu 18.04.
I'd like to experiment with a software package that uses postgres. This means I should figure out how to set up users, passwords and databases under postgres.
Postgres is running, but there's no way to log in to it.
I'm pretty sure there is a user called 'postgres'.
Logging in as this user without providing a password fails.
Also, attempting to use the passwords 'postgres' or 'root' fail.
How do I change the password for the user 'postgres' without being able to access the database?
This is a newbie-level recipe to modify initial password, which works on all fresh installations of the postgresql package on Linux Debian/Ubuntu and derivatives.
Go to the shell and switch user to postgres
(in user shell) sudo su - postgres
connect to the postgres database as postgres user
(in postgres shell) psql postgres postgres
now you can modify password of postgres user
(in postgres psql) ALTER USER postgres PASSWORD 'newsecret';
quit psql
(in postgres psql) \q
quit postgres shell
(in postgres shell) exit
test connection with new password
(in user shell) psql -h localhost postgres postgres
Note on remote postgres servers
In step 1 above, you can use ssh or kubectl exec or anything like that, if you have this kind of access.
Best Practice note
Above recipe (though it answers the OP question) is not a good practice. The best approach is:
Read and understand client auth -> https://www.postgresql.org/docs/current/client-authentication.html
Do not use postgres database user (or any other superuser!) for applications/development. Create your own user instead. For the simplest setup, use this:
(in psql shell)
CREATE USER myapp PASSWORD 'secret';
CREATE DATABASE myapp;
ALTER DATABASE myapp OWNER TO myapp;
-- alternative if you want to keep default ownership:
-- GRANT ALL ON DATABASE myapp TO myapp;
This should be done instead of modifying postgres user and/or postgres database.

postgres uses a database password or a user password

I imported a postgres database in my local postgres server.
I had to connect to the database (to allows django to retrive data) using the file called setup.local.
There is required to specify: DB_HOST=localhost, DB_NAME, DB_USER, DB_PASSWORD.
DB_HOST is localhost without any doubt. The DB_name is the one I choose importing (psql imported_db < downloaded_DB)
DB_USER is my_name (or I can change the owner ALTER DATABASE imported_db OWNER TO other_name).
The wire thing, for me, is that I have to use the user (either the my_name or other_name) password and not the database password (even if the variable name is DB_PASSWORD).
So the question:
does a psql database have a password or just the roles/users have ones and use them to access the database?
Andrea
Passwords are set for USER and ROLE only. A user may access multiple databases, according to the GRANTs for the ROLE.
See also:
https://www.postgresql.org/docs/10/static/ddl-priv.html
https://www.postgresql.org/docs/10/static/client-authentication.html
https://www.postgresql.org/docs/10/static/user-manag.html
DB_HOST=localhost is a key here. Look into the pg_hba.conf you will find ident against localhost connections most probably.
https://www.postgresql.org/docs/current/static/auth-methods.html#AUTH-IDENT
When ident is specified for a local (non-TCP/IP) connection, peer
authentication (see Section 20.3.6) will be used instead.
https://www.postgresql.org/docs/current/static/auth-methods.html#AUTH-PEER
The peer authentication method works by obtaining the client's
operating system user name from the kernel and using it as the allowed
database user name (with optional user name mapping). This method is
only supported on local connections.

How can I require postgres login to require a password

$ psql --password --username=postgres template1
Password for user postgres:
psql (9.4.7)
Type "help" for help.
template1=#
I am able to log in no matter what I type for the password.
There could be a few different things going on, and it's hard to know which without knowing more about your configuration.
Specifically, you should look at your pg_hba.conf file for that database. The most likely situation is that you have a line that looks something like:
local all postgres trust
That line will allow: anyone who has command-line access to the server (local) to log into any database (all) as the postgres user (postgres) without password authentication (trust).
If you have a line like that, that's your problem. You can change trust to md5 (or something else -- see this documentation page for more options), and that will start enforcing passwords for local database access.
If you don't see a line like that, there's something else going on.

Change my postgresql password in OSX?

I am trying to set my local postgresql so it does not have a password. I understand that this has to be done in the pg_hba.conf file and to acceess that file I have to be a postgres user. But to be a postgres user, I have to login with su postgres and enter the password that I don't have.
Any solution to this (I am on OSX)?
You're confusing several different concepts about the security model.
There is a postgres operating system user, which the PostgreSQL server runs as in order to isolate its data files and to limit damage in case of a security breach or application bug. PostgreSQL won't run as root for security. This user doesn't generally have a password, but you can change to it via the root account using sudo - you can sudo to this user with something like sudo -i -u postgres.
There is also a postgres database user, the default database superuser. This user doesn't generally have a password by default, but pg_hba.conf allows the postgres operating system user to connect as the postgres PostgreSQL user using peer authentication.
If you want you can change the configuration so that you use a password for the postgres database user, so you can psql -U postgres from any system user account:
ALTER USER postgres WITH ENCRYPTED PASSWORD 'blahblah';
Edit pg_hba.conf ("hba" is "host-based authentication") to use md5 authentication for local and host connections.
Re-start or re-load PostgreSQL
Similarly, if you want to allow any system user to connect as any database user without a password, you must modify pg_hba.conf and set trust as the authentication mode for local and host connection types. Please only use trust authentication for testing.
To learn more, see the client authentication chapter in the PostgreSQL documentation.

fabric postgres password in command

I have a fabric script that dumps database on server. And I can use it on multiple servers with the PostgreSQL database. The command is simple:
sudo("su postgres -c \"PGPASSWORD=%s pg_dump %s > /tmp/telemedia_newdb\""
% (HOST_SOURCE_DB_UPASS,HOST_SOURCE_DB))
But sometimes, Postgres does not ask for a password at all ...
Will this command fail without a password prompting from Postgres? (Or I know that it will not prompt and HOST_SOURCE_DB_UPASS=''). I want THIS code to work with or without password.
It all depends on how you set up access to your database in pg_hba.conf. There is a separate config file per database cluster (effectively per port) and settings can be different from database to database.
So, yes, if you have set it up that way, then the system user postgres will have password-less access to some databases but is prompted to enter a password for others. The default is that the system user postgres has password-less access to every database as database user of the same name (postgres).
If you provide a password in the command with the environment variable PGPASSWORD, but no password is needed, it will be ignored silently.
However, I quote the manual here:
PGPASSWORD (...) Use of this environment variable is not recommended for security reasons.
You can use a password file to provide passwords automatically (.pgpass on Unix systems). pg_dump will use it.
Finally, consider the command line options:
--no-password
--password
to force pg_dump to either prompt or not prompt for a password. If a password is required but disabled by --no-password, pg_dump will fail.
I would enable password-less access for the system user postgres to every database in the config file pg_hba.conf. Use peer or ident authentication methods. Then you don't have to provide a password and the script will always work:
local all postgres ident
Your script would be simplified to (untested):
sudo("su postgres -c \"pg_dump %s > /tmp/telemedia_newdb\"" % (HOST_SOURCE_DB))