| From: | Bruno Wolff III <bruno(at)wolff(dot)to> |
|---|---|
| To: | PostgreSQL Bugs List <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #1001: Inconsistent authentication between psql and PQconnectdb - possible security implications? |
| Date: | 2003-12-05 17:30:35 |
| Message-ID: | 20031205173035.GA16741@wolff.to |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Fri, Dec 05, 2003 at 12:47:58 -0400,
PostgreSQL Bugs List <pgsql-bugs(at)postgresql(dot)org> wrote:
>
> All is well with psql authentication. However, when I tried to
> use knoda/hk_classes to access the database, I could not get authenticated. A typical error message was IDENT authentication failed for user "irwin". When I traced this down through the hk_classes code it was using PQconnectdb to connnect to the database, and there were complaints in the postgresql log that the identd server was not available. All knoda/hk_classes/PQconnectdb problems disappeared when I installed identd (apt-get install pidentd) on my Debian stable system. So all seems well when identd is installed, but there may be a security concern with psql when it is not. On the other hand, if psql is actually secure when identd is not running, then why isn't PQconnectdb using the exact same (secure) method of authentication for this case?
When connecting using domain sockets the local equivalent of getpeeruid
is used to determine which user is connecting rather than by asking an
ident server. When you use a network socket, then the user is checked
by asking the ident server at the same IP address as the connection
is coming from.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | saint | 2003-12-05 19:37:23 | (ver. 7.4) select netmask('192.168.1.5/24') return '255.255.255.0/24' not '255.255.255.0' (example in docs) |
| Previous Message | Stephan Szabo | 2003-12-05 17:29:11 | Re: BUG #1001: Inconsistent authentication between psql and |