Re: pg_hba.conf

Lists: pgsql-general
From: Tom Allison <tom(at)tacocat(dot)net>
To: pgsql-general(at)postgresql(dot)org
Subject: pg_hba.conf
Date: 2006-11-20 00:08:47
Message-ID: 4560F20F.10903@tacocat.net

Ran into a mystery that I can't seem to figure out....

I want to authenticate using SSL for all external IP addresses that I have in my
subnet. I also want to be able to authenticate via non-SSL for localhost (not
unix socket).

I thought something like this would work:

host all all 127.0.0.1/32 md5
hostssl all all 192.168.0.1/24 md5

But I have a localhost client that can't log in because it keeps trying to
authenticate via SSL.

What am I doing wrong? It seems simple enough.


From: Russell Smith <mr-russ(at)pws(dot)com(dot)au>
To: Tom Allison <tom(at)tacocat(dot)net>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: pg_hba.conf
Date: 2006-11-20 00:16:40
Message-ID: 4560F3E8.6020902@pws.com.au
Lists: pgsql-general

Tom Allison wrote:
> Ran into a mystery that I can't seem to figure out....
>
>
> I want to authenticate using SSL for all external IP addresses that I
> have in my subnet. I also want to be able to authenticate via non-SSL
> for localhost (not unix socket).
>
> I thought something like this would work:
>
> host all all 127.0.0.1/32 md5
> hostssl all all 192.168.0.1/24 md5
>
> But I have a localhost client that can't log in because it keeps
> trying to authenticate via SSL.
>
> What am I doing wrong? It seems simple enough.
What command are you typing?

#nonssl
postgres$ psql -h localhost postgres
#ssl
postgres$ psql -h 192.168.1.1 postgres



From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Tom Allison <tom(at)tacocat(dot)net>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: pg_hba.conf
Date: 2006-11-20 00:28:39
Message-ID: 17681.1163982519@sss.pgh.pa.us
Lists: pgsql-general

Tom Allison <tom(at)tacocat(dot)net> writes:
> host all all 127.0.0.1/32 md5
> hostssl all all 192.168.0.1/24 md5
^^^^^^^^^^^^^^

That needs to be 192.168.0.0/24 ... as is, it won't match anything.

> But I have a localhost client that can't log in because it keeps trying to
> authenticate via SSL.

That seems unrelated --- your first line should match any local-loopback
connection, regardless of SSL or not.

regards, tom lane


From: Tom Allison <tom(at)tacocat(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: pg_hba.conf
Date: 2006-11-20 00:39:03
Message-ID: 4560F927.6070309@tacocat.net
Lists: pgsql-general

Tom Lane wrote:
> Tom Allison <tom(at)tacocat(dot)net> writes:
>> host all all 127.0.0.1/32 md5
>> hostssl all all 192.168.0.1/24 md5
> ^^^^^^^^^^^^^^
>
> That needs to be 192.168.0.0/24 ... as is, it won't match anything.
>
>> But I have a localhost client that can't log in because it keeps trying to
>> authenticate via SSL.
>

Sorry, I mixed it up.

Copying from the pg_hba.conf:

# Database administrative login by UNIX sockets
local all postgres ident sameuser

# TYPE DATABASE USER CIDR-ADDRESS METHOD

# "local" is for Unix domain socket connections only
local all all md5
# IPv4 local connections:
host dbmail all 127.0.0.1/32 md5
host all all 192.168.1.0/24 md5
host all all 192.168.0.0/24 md5
# IPv6 local connections:
host all all ::1/128 md5

I would like to be able to change the lines matching 192.168...
to

hostssl all all 192.168....

and set ssl=true in postgres.conf

But when I do, the localhost connections try to do ssl first and then fail.

Setting
hostnossl dbmail all 127.0.0.1/32 md5

didn't seem to help but I might have missed something at the time.


From: Tom Allison <tom(at)tacocat(dot)net>
To: Russell Smith <mr-russ(at)pws(dot)com(dot)au>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: pg_hba.conf
Date: 2006-11-20 11:29:22
Message-ID: 45619192.3010904@tacocat.net
Lists: pgsql-general

Russell Smith wrote:
> Tom Allison wrote:
>> Ran into a mystery that I can't seem to figure out....
>>
>>
>> I want to authenticate using SSL for all external IP addresses that I
>> have in my subnet. I also want to be able to authenticate via non-SSL
>> for localhost (not unix socket).
>>
>> I thought something like this would work:
>>
>> host all all 127.0.0.1/32 md5
>> hostssl all all 192.168.0.1/24 md5
>>
>> But I have a localhost client that can't log in because it keeps
>> trying to authenticate via SSL.
>>
>> What am I doing wrong? It seems simple enough.
> What command are you typing?
>
> #nonssl
> postgres$ psql -h localhost postgres
> #ssl
> postgres$ psql -h 192.168.1.1 postgres
>

psql -h localhost

My "other" client is actually postfix and that's also specified as 'localhost'.

I suppose you are going to tell me that there is a difference here?
I've always assumed you had to use network IP ranges, not DNS like names (albeit
localhost is a special case).


From: Russell Smith <mr-russ(at)pws(dot)com(dot)au>
To: Tom Allison <tom(at)tacocat(dot)net>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: pg_hba.conf
Date: 2006-11-20 11:55:40
Message-ID: 456197BC.10103@pws.com.au
Lists: pgsql-general

Tom Allison wrote:
> Russell Smith wrote:
>> Tom Allison wrote:
>>> Ran into a mystery that I can't seem to figure out....
>>>
>>>
>>> I want to authenticate using SSL for all external IP addresses that
>>> I have in my subnet. I also want to be able to authenticate via
>>> non-SSL for localhost (not unix socket).
>>>
>>> I thought something like this would work:
>>>
>>> host all all 127.0.0.1/32 md5
>>> hostssl all all 192.168.0.1/24 md5
>>>
>>> But I have a localhost client that can't log in because it keeps
>>> trying to authenticate via SSL.
>>>
>>> What am I doing wrong? It seems simple enough.
>> What command are you typing?
>>
>> #nonssl
>> postgres$ psql -h localhost postgres
>> #ssl
>> postgres$ psql -h 192.168.1.1 postgres
>>
>
> psql -h localhost
>
> My "other" client is actually postfix and that's also specified as
> 'localhost'.
>
> I suppose you are going to tell me that there is a difference here?
> I've always assumed you had to use network IP ranges, not DNS like
> names (albeit localhost is a special case).
All good, it makes no difference.

try
hostnossl all all 127.0.0.1/32 md5

that should force non ssl for localhost connections, as long as there
are no entries before this one for localhost.

Hope that helps.


From: Marc Evans <Marc(at)SoftwareHackery(dot)Com>
To: Russell Smith <mr-russ(at)pws(dot)com(dot)au>
Cc: Tom Allison <tom(at)tacocat(dot)net>, pgsql-general(at)postgresql(dot)org
Subject: Re: pg_hba.conf
Date: 2006-11-20 12:22:46
Message-ID: 20061120072026.U59362@me.softwarehackery.com
Lists: pgsql-general


On Mon, 20 Nov 2006, Russell Smith wrote:

> Tom Allison wrote:
>> Russell Smith wrote:
>>> Tom Allison wrote:
>>>> Ran into a mystery that I can't seem to figure out....
>>>>
>>>>
>>>> I want to authenticate using SSL for all external IP addresses that I
>>>> have in my subnet. I also want to be able to authenticate via non-SSL
>>>> for localhost (not unix socket).
>>>>
>>>> I thought something like this would work:
>>>>
>>>> host all all 127.0.0.1/32 md5
>>>> hostssl all all 192.168.0.1/24 md5
>>>>
>>>> But I have a localhost client that can't log in because it keeps trying
>>>> to authenticate via SSL.
>>>>
>>>> What am I doing wrong? It seems simple enough.
>>> What command are you typing?
>>>
>>> #nonssl
>>> postgres$ psql -h localhost postgres
>>> #ssl
>>> postgres$ psql -h 192.168.1.1 postgres
>>>
>>
>> psql -h localhost
>>
>> My "other" client is actually postfix and that's also specified as
>> 'localhost'.
>>
>> I suppose you are going to tell me that there is a difference here?
>> I've always assumed you had to use network IP ranges, not DNS like names
>> (albeit localhost is a special case).
> All good, it makes no difference.
>
> try
> hostnossl all all 127.0.0.1/32 md5
>
> that should force non ssl for localhost connections, as long as there are no
> entries before this one for localhost.
>
> Hope that helps.

That is not necessarily true. Some OSes are now defaulting "localhost" to
::1, i.e. the IPv6 variant. Be certain that if you are in one of those
situations that you include the IPv6 address in your configuration, or take
whatever measures are necessary to ensure consistency.

- Marc
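The three points raised in this thread, the malformed CIDR Tom Lane flags, the host/hostssl/hostnossl matching Russell Smith describes, and the ::1 loopback Marc Evans warns about, worked through as an added example that is not part of the original thread and not PostgreSQL's own code. It is a small Python model of pg_hba.conf first-match evaluation. The configuration text, the database and user names, and the sslmode=prefer fallback (SSL attempt first, plain TCP if that is refused) are constructed assumptions for the demonstration; the real server also handles sameuser/samegroup and the other authentication methods, which this model leaves out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    conn_type: str              # local | host | hostssl | hostnossl
    database: str
    user: str
    network: Optional[Network]  # None for "local" (Unix-socket) rules
    method: str                 # e.g. "md5", "ident sameuser"


def parse_hba(text: str) -> List[Rule]:
    """Parse pg_hba.conf lines; refuse a CIDR whose host bits are set."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local" and len(f) >= 4:
            rules.append(Rule(f[0], f[1], f[2], None, " ".join(f[3:])))
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            # strict=True rejects 192.168.0.1/24: as Tom Lane notes, such a
            # line matches nothing, so fail at load time instead of silently.
            try:
                net = ipaddress.ip_network(f[3], strict=True)
            except ValueError as exc:
                raise ValueError(f"line {lineno}: bad CIDR {f[3]!r}: {exc}") from exc
            rules.append(Rule(f[0], f[1], f[2], net, " ".join(f[4:])))
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw.strip()!r}")
    return rules


def first_match(rules: List[Rule], database: str, user: str,
                client_ip: Optional[str], ssl: bool) -> Optional[str]:
    """Auth method of the first matching rule; None means 'no pg_hba.conf entry'."""
    addr = ipaddress.ip_address(client_ip) if client_ip is not None else None
    for r in rules:
        if r.conn_type == "local":
            if addr is not None:
                continue
        else:
            if addr is None:
                continue
            # "host" takes both; hostssl only SSL, hostnossl only plain TCP.
            if (r.conn_type == "hostssl" and not ssl) or (r.conn_type == "hostnossl" and ssl):
                continue
            # An IPv4 rule never matches an IPv6 client, and vice versa.
            if addr.version != r.network.version or addr not in r.network:
                continue
        if r.database not in ("all", database) or r.user not in ("all", user):
            continue
        return r.method
    return None


def connect_prefer_ssl(rules, database, user, client_ip):
    """Model of libpq's default sslmode=prefer (an assumption about the client,
    not server code): try SSL first, then plain TCP if that attempt is refused."""
    for ssl in (True, False):
        method = first_match(rules, database, user, client_ip, ssl)
        if method is not None:
            return ssl, method
    return None


# Constructed sample: the poster's layout with the 192.168 lines switched to hostssl.
HBA_HOST_LOOPBACK = """
local   all     postgres                ident sameuser
local   all     all                     md5
host    dbmail  all     127.0.0.1/32    md5
hostssl all     all     192.168.1.0/24  md5
hostssl all     all     192.168.0.0/24  md5
host    all     all     ::1/128         md5
"""

# Constructed sample: the hostnossl variant with no IPv6 loopback line (Marc's gap).
HBA_NOSSL_V4_ONLY = """
hostnossl all all 127.0.0.1/32   md5
hostssl   all all 192.168.0.0/24 md5
"""

BAD_CIDR = "hostssl all all 192.168.0.1/24 md5\n"   # host bits set: rejected


def demo():
    rules = parse_hba(HBA_HOST_LOOPBACK)
    rules_v4 = parse_hba(HBA_NOSSL_V4_ONLY)
    return {
        "loopback_v4": connect_prefer_ssl(rules, "dbmail", "dbmail", "127.0.0.1"),
        "lan_plain": first_match(rules, "dbmail", "dbmail", "192.168.0.7", False),
        "lan_ssl": first_match(rules, "dbmail", "dbmail", "192.168.0.7", True),
        "loopback_v6": connect_prefer_ssl(rules, "dbmail", "dbmail", "::1"),
        "loopback_v4_forced_plain": connect_prefer_ssl(rules_v4, "dbmail", "dbmail", "127.0.0.1"),
        "v6_no_rule": connect_prefer_ssl(rules_v4, "dbmail", "dbmail", "::1"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26s} {outcome}")
```

With the plain "host" loopback line, a 127.0.0.1 client is accepted on its SSL attempt, a LAN client is accepted only over SSL, and ::1 is caught by the IPv6 line. With the hostnossl-only file, 127.0.0.1 is forced onto plain TCP, but a client whose "localhost" resolves to ::1 matches no line at all and is refused on both attempts, which is the failure mode Marc describes.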