Thread: Multiple connections over VPN password fail error

Multiple connections over VPN password fail error

From
Sanjay Minni
Date:
Hi All

while trying to make multiple connects with different role names to a single database over VPN i faced a password error issue when trying to connect a send user
It seems I had to change this line in pg_hba.conf and it worked:

   `# IPv4 external connections thru VPN
    #TYPE   DATABASE  USER   ADDRESS  METHOD
    host   all       all      <ip>    trust `        <=(from the earlier scram-sha-256)

is this the way and is this correct from a security point of view ?

regards
Sanjay Minni

Re: Multiple connections over VPN password fail error

From
Daniel Gustafsson
Date:
> On 9 Feb 2024, at 08:41, Sanjay Minni <sanjay.minni@gmail.com> wrote:

> while trying to make multiple connects with different role names to a single database over VPN i faced a password error issue when trying to connect a send user
> It seems I had to change this line in pg_hba.conf and it worked:
>
>    `# IPv4 external connections thru VPN
>     #TYPE   DATABASE  USER   ADDRESS  METHOD
>     host   all       all      <ip>    trust `        <=(from the earlier scram-sha-256)
>
> is this the way and is this correct from a security point of view ?

While correctness and security always needs to be evaluated from the specific
needs of an installation, the odds are pretty good that "No" is the correct
answer here.  To quote the documentation on the "trust" setting:

    "Allow the connection unconditionally.  This method allows anyone that
    can connect to the PostgreSQL database server to login as any
    PostgreSQL user they wish, without the need for a password or any other
    authentication."

I would recommend immediately reverting back to the scram-sha-256 setting and
figuring out why you were unable to login.

--
Daniel Gustafsson
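
Added example, not part of the original thread: a small audit of pg_hba.conf text that reports network rules using "trust" (the change discussed above) or the weaker password methods. The sample file and the 10.x addresses are constructed; they stand in for the <ip> elided in the thread, and quoted fields are not handled.

```python
import ipaddress

# Constructed sample file; 10.8.0.0/24 stands in for the thread's elided <ip>.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   127.0.0.1/32  scram-sha-256
# IPv4 external connections thru VPN
host    all       all   10.8.0.0/24   trust
host    all       all   10.9.0.5 255.255.255.255 md5
hostssl all       app   10.9.0.0/24   scram-sha-256
"""

NET_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
RISKY = {
    "trust": "no authentication: matching clients log in without a password",
    "password": "password is sent in cleartext",
    "md5": "legacy MD5 challenge; prefer scram-sha-256",
}


def _is_netmask(field):
    """True when the field is a bare IP address, i.e. a separate netmask column."""
    try:
        ipaddress.ip_address(field)
        return True
    except ValueError:
        return False


def audit_hba(text):
    """Return (line_no, address, method, reason) for each risky network rule."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in NET_TYPES:
            continue  # comment, blank line, local-socket rule or include
        # Layout: TYPE DATABASE USER ADDRESS [NETMASK] METHOD [options]
        idx = 5 if len(fields) > 5 and _is_netmask(fields[4]) else 4
        method = fields[idx]
        if method in RISKY:
            findings.append((line_no, fields[3], method, RISKY[method]))
    return findings


if __name__ == "__main__":
    for line_no, address, method, reason in audit_hba(SAMPLE_HBA):
        print(f"line {line_no}: {address} uses {method}: {reason}")
```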




Re: Multiple connections over VPN password fail error

From
Sanjay Minni
Date:
so why do I get a password error when i try to connect 2 users over VPN from the same machine to the same host with the following settings in pg_dba.conf - how to find the issue
( user1:user1pwd@<vpnip/database> & user2:user2pwd@<vpnip/database> )

  # IPv4 external connections thru VPN
  #TYPE   DATABASE  USER   ADDRESS  METHOD
      host   all       all      <ip>       scram-sha-256
and whats the best option keeping security in mind

regards
Sanjay


On Fri, Feb 9, 2024 at 1:26 PM Daniel Gustafsson <daniel@yesql.se> wrote:
> On 9 Feb 2024, at 08:41, Sanjay Minni <sanjay.minni@gmail.com> wrote:

> while trying to make multiple connects with different role names to a single database over VPN i faced a password error issue when trying to connect a send user
> It seems I had to change this line in pg_hba.conf and it worked:
>
>    `# IPv4 external connections thru VPN
>     #TYPE   DATABASE  USER   ADDRESS  METHOD
>     host   all       all      <ip>    trust `        <=(from the earlier scram-sha-256)
>
> is this the way and is this correct from a security point of view ?

While correctness and security always needs to be evaluated from the specific
needs of an installation, the odds are pretty good that "No" is the correct
answer here.  To quote the documentation on the "trust" setting:

        "Allow the connection unconditionally.  This method allows anyone that
        can connect to the PostgreSQL database server to login as any
        PostgreSQL user they wish, without the need for a password or any other
        authentication."

I would recommend immediately reverting back to the scram-sha-256 setting and
figuring out why you were unable to login.

--
Daniel Gustafsson

Re: Multiple connections over VPN password fail error

From
Sanjay Minni
Date:
Hi,

for the second user/role over vpn
even with md5 I get the error: 
P3Error PostgreSQL password authentication failed for user "<seconduser>"
am only able to connect if method is "trust". Why is this so

  # IPv4 external connections thru VPN
  #TYPE   DATABASE  USER   ADDRESS  METHOD
      host   all       all      <ip>       scram-sha-256   (or "md5" - second user is only able to connect if this is "trust"
regards
Sanjay




On Fri, Feb 9, 2024 at 2:44 PM Sanjay Minni <sanjay.minni@gmail.com> wrote:
so why do I get a password error when i try to connect 2 users over VPN from the same machine to the same host with the following settings in pg_dba.conf - how to find the issue
( user1:user1pwd@<vpnip/database> & user2:user2pwd@<vpnip/database> )

  # IPv4 external connections thru VPN
  #TYPE   DATABASE  USER   ADDRESS  METHOD
      host   all       all      <ip>       scram-sha-256
and whats the best option keeping security in mind

regards
Sanjay



Re: Multiple connections over VPN password fail error

From
Laurenz Albe
Date:
On Fri, 2024-02-09 at 15:04 +0530, Sanjay Minni wrote:
> for the second user/role over vpn
> even with md5 I get the error: 
> P3Error PostgreSQL password authentication failed for user "<seconduser>"
> am only able to connect if method is "trust". Why is this so
>
>   # IPv4 external connections thru VPN
>   #TYPE   DATABASE  USER   ADDRESS  METHOD
>       host   all       all      <ip>       scram-sha-256   (or "md5" - second user is only able to connect if this is "trust"

Please tell us the exact client software in use on the failing client.
Also, what is the error message
1) on the client side
2) in the PostgreSQL server log

Yours,
Laurenz Albe