PostgreSQL with SSH port forwarding password problems - postgresql

I'm trying to connect on my computer to a PostgreSQL database which is only accessible on some server (db allows only local connections). I thought I could use port forwarding like this:
$ ssh someserver.com -L 5100:127.0.0.1:5432
and then connect to the database like this:
$ psql -h 127.0.0.1 -p 5100 -U postgres dbname
However, the problem is that on the server there is no password, but when I try to connect to the forwarded port it asks me for a password. When I leave it empty it returns "psql: fe_sendauth: no password supplied" and doesn't let me connect.
What could be the reason? I have also a PostgreSQL instance on my computer, could this cause some conflicts?

When you say that the db allows only local connections: you need to distinguish between "unix socket" connections and "TCP to localhost" connections, which are not the same thing and may be treated quite differently.
To test: on the database server, see if adding -h 127.0.0.1 onto the psql commandline makes a difference in whether you can connect or not.
The rules for whether a password is required or not are in pg_hba.conf. It might be that your database server is set to use "ident" authentication for unix ("local") connections, so your Unix username is automatically accepted as the database username. Since that authentication method isn't generally available for TCP/IP ("host") connections, you have to use some other method- if it is set to "md5", then it will require a password.
Probably all you have to do is set a password for your user account on the database while connected locally: ALTER USER username PASSWORD 'password'. If you want to avoid being prompted for a password all the time when connecting remotely, write a .pgpass file to store it in your client user account: http://www.postgresql.org/docs/9.0/interactive/libpq-pgpass.html

Related

Password Error when logging into POSTGRES on my MAC

I am having an issue that has been bothering me for some time now. It is with postgres on my mac. I set a password for postgres and I can not remember it for some reason. I have looked up and attempted several different methods for trying to reset the password but none of them are working and I need it fixed as soon as possible.
Here is what my pg_hba.conf file
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
I reset the local all all trust and then restarted my postgres server running
brew services restart postgres
and when i go to try and open postgres on my terminal I get the same password issue:
omars-MacBook-Pro:postgres omarjandali$ psql -U postgres -W -h localhost
Password:
psql: error: could not connect to server: FATAL: password authentication failed for user "postgres"
or
omars-MacBook-Pro:~ omarjandali$ psql -h 127.0.0.1 -U postgres
Password for user postgres:
psql: error: could not connect to server: FATAL: password authentication failed for user "postgres"`
You only configured "local" connections which are using Unix domain sockets. But your psql command line tries to establish a TCP connection (-h ...), which is not configured in your pg_hba.conf.
You need to use host instead of localin pg_hba.conf to allow trusted, non-password connections through TCP.
But that is a really, really bad idea, because that means that as soon as your Mac is visible on the internet, everybody can connect to your Postgres instance and hack it. This isn't a theoretical threat - there have been numerous posts on this site regarding that.
If you want to allow connections without passwords, at least only allow them from "localhost", not from the outside:
# TYPE DATABASE USER ADDRESS METHOD
host all all samehost trust

Cant login with postgresql user created via ansible

Normally, I would create create postgresql user like this.
sudo -u postgres psql
create user deploy_sample with password 'secret';
create database deploy_sample_production owner deploy_sample;
I tried to create the user through ansible script with this task
- name: Create database user
become: yes
become_user: postgres
postgresql_user:
user: user123
password: password123
encrypted: yes
state: present
This does create a user but i cant login using the creds.
I tried to login with this command psql --username=user123 --password. I get peer authenticate failuer error.
Ansible configuration looks correct, and may have nothing to do with the problem.
By the message we can see that it is trying to login with the Peer authentication method. This means that the O.S. user is being used to connect to the database instead of the provided password (see: https://www.postgresql.org/docs/10/auth-methods.html)
Two things you should look at:
How is your auth method configuration?
It is in the file: {data dir}/pg_hba.conf
It is possible that all local connections are configured to use peer (notice that are two types of local connections, one is called local = connection through unix socket, the other is host 127.0.0.1/32 = using network to reach localhost).
I would change the second one to use md5 method, this way you will be able to connect with user/pass using network, but still use peer for local connection - useful for the system user postgres
Connect with the application user using network
psql --username=user123 -> PSQL program will try to use local connections by default, meaning that the Peer authentication is used. You probably don't have the user user123 on the system so this will fail!
psql -h localhost --username=user123 -d <database> -> This way you will connect to local machine using network, thus allowing to authenticate with password.

Why can't I login to Postgres?

I've used MySQL for years so I might be naively layering my MySQL expectations on to Posgres, but I am hitting a wall. I created a user, flasktut with LOGIN CREATEDB but when I try to log in, I get
psql: FATAL: Peer authentication failed for user "flasktut" -- I tried resetting the password:
postgres=# ALTER USER flasktut WITH PASSWORD 'zx80xb1';
ALTER ROLE
and I'm still seeing the error. I suspect I'm doing something super obvious wrong here?
I think the simple answer to your question is that there are two parts to logging in, to a Postgres database, and you're considering only one.
Logging into Postgres, has two parts:
The outer security check ensures that certain IP addresses / subnets / local or foreign hosts can be (dis)allowed to even 'reach' the Postgres database. The second aspect to that is that a given combination of user / database is allowed to go through. Importantly, your current setup is probably missing this aspect, and although you've seemingly taken care of the point 2 (below), it doesn't matter, because the login attempts aren't even reaching step 2.
Once the login process gets through the outer check, the Database / User itself should be valid / existing and usable.
The first aspect (above) is controlled by the pg_hba.conf file, and what you need to ensure is that when the database parses through the pg_hba.conf file, the 'first' line that is permissive enough to apply to a given login scenario, is what is accepted as the effective 'rule' for that login attempt.
For e.g.
If logging in locally (without 127.0.0.1 or eth0 etc. IP addresses)
# "local" is for Unix domain socket connections only
local all all trust
Should allow any login process to get through. Once you're able to login, try to restrict and make things more secure (since the above would allow every attempt to go through).
Importantly, subsequent lines although may be more secure / apt they wouldn't apply if a previous line in the configuration file already is considered as a candidate for a login attempt. Also, don't forget to restart / reload Postgres after each change to pg_hba.conf.
If you omit the host name, psql will connect via a Unix-domain socket to a server on the local host, or via TCP/IP to localhost on machines that don't have Unix-domain sockets.
So edit the pg_hba.conf file and add/update the lines:
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
Restart the server for the changes to take effect.
Now run psql -d <your_db> -U flasktut
No password should be asked since we set the method to 'trust' and you should be logged in.
When you feel confident with your postgres skills, you should probably change the 'trust' above to something safer, like 'md5'.
There are two things to consider here.
First, the settings in pg_hba.conf need to allow you to connect to whatever database you are trying to connect to. A typical entry in the file looks like this:
host my_db myself 192.168.1.17/32 md5
host all all 192.168.1.0/24 md5
The first line allows a specific user (myself) from a specific remote client (192.168.1.17/32) to connect to a specific database (my_db) over TCP/IP (host). The second line allows any user to connect to any database on the network 192.168.1.0/24, typical network address for home or a small office. Both need to authenticate with a password (md5). You should add a line like either of the above to allow flasktut to even reach the server for establishing a connection. Note that when you change this file you need to restart the server for the changes to take effect.
The second issue is that your new user flasktut needs to have the permission to connect to whatever database s/he wants to connect to:
GRANT CONNECT ON DATABASE some_db TO flasktut;
And then within that database you have to grant privileges to access the objects, either directly or by granting role flasktut membership in a group role that has the required permissions:
GRANT some_role TO flasktut;
If flasktut is going to have her/his own database, you are probably better off as a superuser impersonating user flasktut to create the database and then letting the real user log in to that database her/himself:
SET SESSION AUTHORIZATION flasktut;
CREATE DATABASE some_db; -- somedb is owned by flasktut
RESET SESSION AUTHORIZATION;
i think you have already used localhost port server,so you can create another database in localhost port server(no need to add server in postgres ,create a db directly from that port server)
or
you can check on settings in pg_hba.conf?
https://help.ubuntu.com/stable/serverguide/postgresql.html
The PostgreSQL authentication system is managed in pg_hba.conf. Multiple authentication mechanisms can be configured depending on how the connection is made, to which database and by which user.
What can be surprising coming from a MySQL background is the default configuration often in place in Linux installations: it is using peer authentication by default for local connections.
Here are the default values on a Debian/Ubuntu system:
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
peer looks for the current Linux user running psql (or whatever PostgreSQL client). In this case, password authentication is not used, but it relies on the OS providing the user name. This only works locally, using a Unix socket here (which is the default when you don't specify anything to psql).
md5 will ask for a password, but this is only configured for network connections in this configuration.
As a result, if I create a user and a DB as follows (logged on as postgres):
postgres#mymachine:~$ createuser -S -D -R -P myuser
Enter password for new role:
Enter it again:
postgres#mymachine:~$ createdb -E UTF-8 -O myuser mydb
This will try to connect using a unix socket, and fail because I'm still logged on as postgres, not as myuser (which may or may not even exist on that system):
postgres#mymachine:~$ psql -U myuser mydb
psql: FATAL: Peer authentication failed for user "myuser"
(Had I been logged on as myuser in that Linux shell, it would have worked.)
In contrast, if I explicitly specify I want to connect via the network (albeit 127.0.0.1), I am prompted for the password and I can log on:
postgres#mymachine:~$ psql -U myuser -h 127.0.0.1 mydb
Password for user myuser:
psql (9.1.20)
SSL connection (cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256)
Type "help" for help.
mydb=>
The trust mechanism is one that presents the most security risks, in that it does not check anything, but the connection mode on that line.
For example:
# This will let any local user connect to any DB via the Unix socket
# without any authentication:
local all all trust
# This will let any user connect to any DB via 127.0.0.1
# without any authentication:
host all all 127.0.0.1/32 trust
# And worse (DO NOT USE):
# This will let any user connect to any DB from anywhere
# without any authentication:
host all all 0.0.0.0/0 trust
There are not many cases besides resetting a lost postgres (admin) password where using trust is justified.
As a side note, you say you've used this to change the password in psql:
postgres=# ALTER USER flasktut WITH PASSWORD 'zx80xb1';
ALTER ROLE
This works indeed, but there are a couple of side effects: the password is now likely to be logged in clear in ~/.psql_history, and it may also have been logged on the server side (wherever its logs are sent).
Within psql, it is generally better to use the \password command:
postgres=# \password flasktut
Enter new password:
Enter it again:
This will not leave a trace of the password in clear in the logs or history.

Cannot login to PostgreSQL when I specify "-h localhost"

I use Ubuntu 14.10 and installed PostgreSQL 9.2 from PostgreSQL official apt repository. (apt.postgresql.org)
When I switched user postgres and try following command, I can successfully login.
$ psql -U postgres dbname -W
Password for user postgres: (Enter Password)
psql (9.2.9)
Type "help" for help.
dbname=#
However, when I specify host value, I cannot login with following error.
$ psql -h localhost -U postgres notel -W
Password for user postgres:
psql: FATAL: password authentication failed for user "postgres"
FATAL: password authentication failed for user "postgres"
I'm trying to connect from Sequelize.js, an ORM for node.js, but I experienced almost the same error message:
Possibly unhandled Error: error: password authentication failed for user "postgres"
Does anyone know how I can solve this problem?
Edit
My pg_hba.conf is as follows:
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
I refered document about pg_hba.conf, but I don't know what's wrong...
Most likely this has to do with the client authentication file: pg_hba.conf.
It holds entries for each host/socket/user/password/database combination.
When you change your host to localhost, you have a different access route than when you connect directly over a Unix socket. You will patch yourself through TCP/IP instead of going "directly". If you open your pg_hba.conf file, you will find a bunch of rules at the end. These rules define which combinations are allowed to access the database.
In your case, look for lines that start with host, which means access through TCP/IP (and thus localhost) as opposed to local which means a Unix socket.
Probably there is a line tucked in there which prevents host connection access, or not via the credentials you think are correct (peer/md5 pitfall, read below).
As you show in your pg_hba.conf file you have local entries with peer authentication and host entries with md5 authentication. If you don't know the difference between the two authentication mechanisms, then that is your culprit at the moment and can cause some serious head-banging (not the Metal kind; the Against-a-wall kind).
Common pitfall
To avoid possible confusion, the difference between peer and md5 is ground for a common pitfall. They both use a user called postgres (when using -U postgres, that is), but the former is actual a Unix user created during installment of your PostgreSQL system, the latter is a database user created inside your PostgreSQL bookkeeping tables.
Always remember, if your setting is peer, use the credentials of the Unix user, if it is md5 use the credentials of the database user.
If no password has been set for the database user postgres, make sure you set one first. Empty passwords are not allowed either.
Extra notes
Always try to make your rules specific, avoid too many all entries for databases and users as this could put your installation wide open.
The first line that fits your access combination will be picked and any subsequent lines will be ignored. Make sure that there is no higher line that overwrites your rule.
Remember to restart your PostgreSQL daemon after changing this file, otherwise the changes won't be picked up.
If you want to do a secure "localhost" login with $ psql -U username dbname -h localhost -W
You need to make sure the user has been setup with an encrypted password and also setup your "pg_hba.conf" correctly to be "samehost".
1.) Create a Secure Login: "$ psql dbname"
ALTER USER username with encrypted password 'your_password';
2.) Modify "pg_hba.conf" as your main "postgres" user
# IPv4 local connections:
host all all samehost md5
3.) Restart your PostgreSQL server
service postgresql restart
If you have any other problems read your PostgreSQL log carefully at "/var/lib/pgsql/data/pg_log/*.log"
sudo nano /etc/postgresql/12/main/postgresql.conf
and set listening address: localhost
sudo nano /etc/postgresql/12/main/pg_hba.conf
IPv4 local connections:
host all all localhost md5

psql: FATAL: Peer authentication failed for user "dev"

when i create a new user, but it cannot login the database.
I do that like this:
postgres#Aspire:/home/XXX$ createuser dev
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) y
then create a database:
postgres#Aspire:/home/XXX$ createdb -O dev test_development
after that, I try psql -U dev -W test_development to login, but get the error:
psql: FATAL: Peer authentication failed for user "dev"
I tried to solve the problem but failed.
Try:
psql -U user_name -h 127.0.0.1 -d db_name
where
-U is the database user name
-h is the hostname/IP of the local server, thus avoiding Unix domain sockets
-d is the database name to connect to
This is then evaluated as a "network" connection by Postgresql rather than a Unix domain socket connection, thus not evaluated as a "local" connect as you might see in pg_hba.conf:
local all all peer
Your connection failed because by default psql connects over UNIX sockets using peer authentication, that requires the current UNIX user to have the same user name as psql. So you will have to create the UNIX user dev and then login as dev or use sudo -u dev psql test_development for accessing the database (and psql should not ask for a password).
If you cannot or do not want to create the UNIX user, like if you just want to connect to your database for ad hoc queries, forcing a socket connection using psql --host=localhost --dbname=test_development --username=dev (as pointed out by #meyerson answer) will solve your immediate problem.
But if you intend to force password authentication over Unix sockets instead of the peer method, try changing the following pg_hba.conf* line:
from
# TYPE DATABASE USER ADDRESS METHOD
local all all peer
to
# TYPE DATABASE USER ADDRESS METHOD
local all all md5
peer means it will trust the identity (authenticity) of UNIX user. So not asking for a password.
md5 means it will always ask for a password, and validate it after hashing with MD5.
You can, of course, also create more specific rules for a specific database or user, with some users having peer and others requiring passwords.
After changing pg_hba.conf if PostgreSQL is running you'll need to make it re-read the configuration by reloading (pg_ctl reload) or restarting (sudo service postgresql restart).
* The file pg_hba.conf will most likely be at /etc/postgresql/9.x/main/pg_hba.conf
Edited: Remarks from #Chloe, #JavierEH, #Jonas Eicher, #fccoelho, #Joanis, #Uphill_What comments incorporated into answer.
Peer authentication means that postgres asks the operating system for your login name and uses this for authentication. To login as user "dev" using peer authentication on postgres, you must also be the user "dev" on the operating system.
You can find details to the authentication methods in the Postgresql documentation.
Hint: If no authentication method works anymore, disconnect the server from the network and use method "trust" for "localhost" (and double check that your server is not reachable through the network while method "trust" is enabled).
When you specify:
psql -U user
it connects via UNIX Socket, which by default uses peer authentication, unless specified in pg_hba.conf otherwise.
You can specify:
host database user 127.0.0.1/32 md5
host database user ::1/128 md5
to get TCP/IP connection on loopback interface (both IPv4 and IPv6) for specified database and user.
After changes you have to restart postgres or reload it's configuration.
Restart that should work in modern RHEL/Debian based distros:
service postgresql restart
Reload should work in following way:
pg_ctl reload
but the command may differ depending of PATH configuration - you may have to specify absolute path, which may be different, depending on way the postgres was installed.
Then you can use:
psql -h localhost -U user -d database
to login with that user to specified database over TCP/IP.
md5 stands for encrypted password, while you can also specify password for plain text passwords during authorisation. These 2 options shouldn't be of a great matter as long as database server is only locally accessible, with no network access.
Important note:
Definition order in pg_hba.conf matters - rules are read from top to bottom, like iptables, so you probably want to add proposed rules above the rule:
host all all 127.0.0.1/32 ident
While #flaviodesousa's answer would work, it also makes it mandatory for all users (everyone else) to enter a password.
Sometime it makes sense to keep peer authentication for everyone else, but make an exception for a service user. In that case you would want to add a line to the pg_hba.conf that looks like:
local all some_batch_user md5
I would recommend that you add this line right below the commented header line:
# TYPE DATABASE USER ADDRESS METHOD
local all some_batch_user md5
You will need to restart PostgreSQL using
sudo service postgresql restart
If you're using 9.3, your pg_hba.conf would most likely be:
/etc/postgresql/9.3/main/pg_hba.conf
This works for me when I run into it:
sudo -u username psql
I simply had to add -h localhost
The easiest solution:
CREATE USER dev WITH PASSWORD 'dev';
CREATE DATABASE test_development;
GRANT ALL PRIVILEGES ON DATABASE test_development to dev;
ALTER ROLE dev CREATEROLE CREATEDB;
In my case I was using different port. Default is 5432. I was using 5433. This worked for me:
$ psql -f update_table.sql -d db_name -U db_user_name -h 127.0.0.1 -p 5433
For people in the future seeing this, postgres is in the /usr/lib/postgresql/10/bin on my Ubuntu server.
I added it to the PATH in my .bashrc file, and add this line at the end
PATH=$PATH:/usr/lib/postgresql/10/bin
then on the command line
$> source ./.bashrc
I refreshed my bash environment. Now I can use postgres -D /wherever from any directory
pg_dump -h localhost -U postgres -F c -b -v -f mydb.backup mydb
Try in terminal:
>> psql -U role_name -d database -h hostname.<domain>.com -W