Discussion: ident authentication not working over loopback adapter
This is a bit backwards. ident authentication is working for me over
Unix domain sockets, but it isn't working over the loopback adapter.
Here is my /var/lib/pgsql/data/pg_hba.conf:
# Allow local and loopback users to connect to self-named databases
#
local sameuser ident sameuser
host sameuser 127.0.0.1 255.255.255.255 ident sameuser
# Allow password-based authentication for local users, loopback, and
# local subnet.
#
local all md5
host all 127.0.0.1 255.255.255.255 md5
host all 192.168.1.0 255.255.255.0 md5
I have installed the identd daemon, and 'nmap localhost' confirms that
it is listening on port 113.
Here is an example session. (I have created a PostgreSQL user named
'pilcher' and a database of the same name.)
[pilcher@home pilcher]$ psql
Welcome to psql, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit
pilcher=> \q
[pilcher@home pilcher]$ psql -h localhost
psql: FATAL 1: IDENT authentication failed for user "pilcher"
Anyone have any idea what's going on?
Notes: This is Red Hat Linux 8.0. Password authentication works over
Unix domain sockets or the loopback adapter.
Thanks!
--
========================================================================
Ian Pilcher pilchman@attbi.com
========================================================================
Ian Pilcher <pilchman@attbi.com> writes:
> This is a bit backwards. ident authentication is working for me over
> Unix domain sockets, but it isn't working over the loopback adapter.
> Notes: This is Red Hat Linux 8.0. Password authentication works over
> Unix domain sockets or the loopback adapter.
Check to see if ident traffic is being filtered by kernel-level packet
filtering. IIRC, RHL ships with mighty tight packet filtering, even on
the loopback connection (which is a tad silly, but...). One easy way to
investigate this is to see if you can telnet to the ident daemon:
$ telnet localhost 113 <--- I typed this
Trying...
Connected to localhost.sss.pgh.pa.us.
Escape character is '^]'.
1 2 <--- and this, which is junk,
1 , 0 : ERROR : INVALID-PORT <--- so the ident daemon answered this
Connection closed by foreign host.
$
If you get a timeout or "connection refused" or anything except actual
communication with the ident daemon, you've got a filtering problem.
regards, tom lane
Tom Lane wrote:
>
> Check to see if ident traffic is being filtered by kernel-level packet
> filtering. IIRC, RHL ships with mighty tight packet filtering, even on
> the loopback connection (which is a tad silly, but...). One easy way to
> investigate this is to see if you can telnet to the ident daemon:
>
Actually, it seems that Red Hat doesn't filter the loopback adapter.
(In fact, it seems that connections to local interfaces don't get
filtered either, but remote connections to the same interfaces do get
filtered.)
I have tracked the problem down to the following line in
/etc/identd.conf:
result:encrypt = yes
Changing this to 'no' makes things work as expected, so PostgreSQL
obviously couldn't understand the encrypted response.
Anyone have any idea if this is a problem with PostgreSQL, a problem
with the ident daemon, or just "broken as designed"?
Thanks!
--
========================================================================
Ian Pilcher pilchman@attbi.com
========================================================================
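As an added example (not code from the thread, and not PostgreSQL's or pidentd's own code), the Python script below performs the RFC 1413 ident exchange that Tom's telnet test exercises by hand and that PostgreSQL's ident method performs for every `host ... ident` connection, and then shows why the `result:encrypt = yes` setting Ian found makes the name comparison fail: the user-id field comes back as an opaque token instead of a login name. Everything specific is assumed: the port numbers, user names and connection table are constructed; the reply parser is a simplified one (PostgreSQL's own parser differs in details); the shape of pidentd's encrypted reply (`USERID : OTHER : [token]`) is an assumption, and the token is a base64 stand-in rather than pidentd's real encryption. The two ends talk over a socketpair so the script runs offline without an identd on port 113.

```python
# Added example: an RFC 1413 ident client, a constructed identd, and the
# user-name comparison an ident-authenticating server makes on the reply.
# Assumed/constructed: ports, user names, connection table, the encrypted
# reply format "USERID : OTHER : [token]" (base64 stand-in, not real crypto).
import base64
import re
import socket
import threading

IDENT_PORT = 113  # ident/auth service port, the one Tom telnets to


def build_ident_query(server_port, client_port):
    """RFC 1413 request line: '<port on server> , <port on client>' + CRLF.

    Asks identd on the *client* host which user owns the TCP connection
    whose local port is client_port and whose remote port is server_port.
    """
    return f"{server_port} , {client_port}\r\n".encode("ascii")


def parse_ident_reply(raw):
    """Parse a reply line into (resp_type, opsys_or_error_code, userid).

    '1 , 0 : ERROR : INVALID-PORT'            -> ('ERROR', 'INVALID-PORT', None)
    '5432 , 40000 : USERID : UNIX : pilcher'  -> ('USERID', 'UNIX', 'pilcher')
    Returns None for anything malformed.  maxsplit=3 keeps colons inside
    the user-id field, as the RFC allows.
    """
    line = raw.decode("ascii", "replace").rstrip("\r\n")
    fields = [f.strip() for f in line.split(":", 3)]
    if len(fields) < 3:
        return None
    resp_type = fields[1]
    if resp_type == "ERROR":
        return ("ERROR", fields[2], None)
    if resp_type == "USERID" and len(fields) == 4:
        return ("USERID", fields[2], fields[3])
    return None


_PORT_RE = re.compile(r"\s*(\d+)")


def fake_identd_reply(query, connection_owners, encrypt=False):
    """Constructed identd: answer one query line (not pidentd's code).

    connection_owners maps (server_port, client_port) -> user name for the
    connections this host has open.  A query without a comma yields
    '<n> , 0 : ERROR : INVALID-PORT', which is what Tom's '1 2' provoked.
    encrypt=True imitates 'result:encrypt = yes': the user name is replaced
    by an opaque bracketed token only the identd admin could decode.
    """
    parts = query.decode("ascii", "replace").split(",")
    ports = []
    for i in range(2):
        m = _PORT_RE.match(parts[i]) if i < len(parts) else None
        ports.append(int(m.group(1)) if m else 0)
    a, b = ports
    if len(parts) != 2 or not (1 <= a <= 65535 and 1 <= b <= 65535):
        return f"{a} , {b} : ERROR : INVALID-PORT\r\n".encode("ascii")
    user = connection_owners.get((a, b))
    if user is None:
        return f"{a} , {b} : ERROR : NO-USER\r\n".encode("ascii")
    if encrypt:
        # Stand-in for the encrypted payload: base64, NOT real encryption.
        token = base64.b64encode(f"{user}:{a}:{b}".encode()).decode("ascii")
        return f"{a} , {b} : USERID : OTHER : [{token}]\r\n".encode("ascii")
    return f"{a} , {b} : USERID : UNIX : {user}\r\n".encode("ascii")


def ident_lookup(sock, server_port, client_port):
    """Send one query on a connected socket and return the parsed reply."""
    sock.sendall(build_ident_query(server_port, client_port))
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(512)
        if not chunk:
            break
        buf += chunk
    return parse_ident_reply(buf)


def ident_user_matches(reply, expected_user):
    """The check behind pg_hba's 'ident' method: USERID reply, name equal."""
    return reply is not None and reply[0] == "USERID" and reply[2] == expected_user


def run_exchange(server_port, client_port, owners, encrypt):
    """Full query/reply round trip over a socketpair; identd side in a thread."""
    client_end, identd_end = socket.socketpair()

    def identd():
        with identd_end:
            identd_end.sendall(fake_identd_reply(identd_end.recv(512), owners, encrypt))

    t = threading.Thread(target=identd)
    t.start()
    with client_end:
        reply = ident_lookup(client_end, server_port, client_port)
    t.join()
    return reply


if __name__ == "__main__":
    # Constructed table: pilcher's 'psql -h localhost' session, local port
    # 40000, talking to the postmaster on 5432.
    owners = {(5432, 40000): "pilcher"}
    for encrypt in (False, True):
        reply = run_exchange(5432, 40000, owners, encrypt)
        print(f"encrypt={encrypt}: {reply} matches 'pilcher': "
              f"{ident_user_matches(reply, 'pilcher')}")
    print(fake_identd_reply(b"1 2\r\n", owners).decode().rstrip())
```

With encryption off the reply names `pilcher` and the comparison succeeds; with it on the reply is still a well-formed `USERID` line, so a filtering problem is ruled out, but the user-id field is a token that can never equal the role name, which is exactly the "IDENT authentication failed" outcome rather than a connection error. A connection refused or a timeout on the query socket, by contrast, points at the packet-filter problem Tom describes.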