Обсуждение: ident authentication not working over loopback adapter

This is a bit backwards.  ident authentication is working for me over
Unix domain sockets, but it isn't working over the loopback adapter.

Here is my /var/lib/pgsql/data/pg_hba.conf:

# Allow local and loopback users to connect to self-named databases
#
local    sameuser                                         ident    sameuser
host    sameuser    127.0.0.1        255.255.255.255     ident    sameuser

# Allow password-based authentication for local users, loopback, and
# local subnet.
#
local    all                                         md5
host    all         127.0.0.1       255.255.255.255     md5
host    all         192.168.1.0     255.255.255.0       md5

I have installed the identd daemon, and 'nmap localhost' confirms that
it is listening on port 113.

Here is an example session.  (I have created a PostgreSQL user named
'pilcher' and a database of the same name.)

[pilcher@home pilcher]$ psql
Welcome to psql, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
        \h for help with SQL commands
        \? for help on internal slash commands
        \g or terminate with semicolon to execute query
        \q to quit

pilcher=> \q
[pilcher@home pilcher]$ psql -h localhost
psql: FATAL 1:  IDENT authentication failed for user "pilcher"

Anyone have any idea what's going on?

Notes:  This is Red Hat Linux 8.0.  Password authentication works over
         Unix domain sockets or the loopback adapter.

Thanks!
--
========================================================================
Ian Pilcher                                           pilchman@attbi.com
========================================================================

Ian Pilcher <pilchman@attbi.com> writes:
> This is a bit backwards.  ident authentication is working for me over
> Unix domain sockets, but it isn't working over the loopback adapter.
> Notes:  This is Red Hat Linux 8.0.  Password authentication works over
>          Unix domain sockets or the loopback adapter.

Check to see if ident traffic is being filtered by kernel-level packet
filtering.  IIRC, RHL ships with mighty tight packet filtering, even on
the loopback connection (which is a tad silly, but...).  One easy way to
investigate this is to see if you can telnet to the ident daemon:

$ telnet localhost 113                  <--- I typed this
Trying...
Connected to localhost.sss.pgh.pa.us.
Escape character is '^]'.
1 2                                     <--- and this, which is junk,
1 , 0 : ERROR : INVALID-PORT            <--- so the ident daemon answered this
Connection closed by foreign host.
$

If you get a timeout or "connection refused" or anything except actual
communication with the ident daemon, you've got a filtering problem.

            regards, tom lane

Tom Lane wrote:
>
> Check to see if ident traffic is being filtered by kernel-level packet
> filtering.  IIRC, RHL ships with mighty tight packet filtering, even on
> the loopback connection (which is a tad silly, but...).  One easy way to
> investigate this is to see if you can telnet to the ident daemon:
>

Actually, it seems that Red Hat doesn't filter the loopback adapter.
(In fact, it seems that connections to local interfaces don't get
filtered either, but remote connections to the same interfaces do get
filtered.)

I have tracked the problem down to the following line in
/etc/identd.conf:

     result:encrypt = yes

Changing this to 'no' makes things work as expected, so PostgreSQL
obviously couldn't understand the encrypted response.

Anyone have any idea if this is a problem with PostgreSQL, a problem
with the ident daemon, or just "broken as designed"?

Thanks!

--
========================================================================
Ian Pilcher                                           pilchman@attbi.com
========================================================================