LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-17-2005, 12:57 AM   #1
aarajthomas
LQ Newbie
 
Registered: Apr 2004
Location: Tamil Nadu
Distribution: Redhat
Posts: 15

Rep: Reputation: 0
Postgres Login Problem


Dear

I am using redhat linux 9.0 and postgres 7.3.x. To connect to postgres database, i am using an phppgadmin(which will enable us to work in an GUI environment), But when i login as postgres without password, it allows me to login. And whatever the password i give, it allows me to login. Please help me to solve this security issue.
------------------------------------------------------------------------------------------------
i have the following entries in the pg_hba.conf file

# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the PostgreSQL Administrator's Guide, chapter "Client
# Authentication" for a complete description. A short synopsis
# follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of three forms:
#
# local DATABASE USER METHOD [OPTION]
# host DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
# hostssl DATABASE USER IP-ADDRESS IP-MASK METHOD [OPTION]
#
# (The uppercase quantities should be replaced by actual values.)
# DATABASE can be "all", "sameuser", "samegroup", a database name (or
# a comma-separated list thereof), or a file name prefixed with "@".
# USER can be "all", an actual user name or a group name prefixed with
# "+" or a list containing either. IP-ADDRESS and IP-MASK specify the
# set of hosts the record matches. METHOD can be "trust", "reject",
# "md5", "crypt", "password", "krb4", "krb5", "ident", or "pam". Note
# that "password" uses clear-text passwords; "md5" is preferred for
# encrypted passwords. OPTION is the ident map or the name of the PAM
# service.
#
# This file is read on server startup and when the postmaster receives
# a SIGHUP signal. If you edit the file on a running system, you have
# to SIGHUP the postmaster for the changes to take effect, or use
# "pg_ctl reload".

# Put your actual configuration here
# ----------------------------------
#
# CAUTION: The default configuration allows any local user to connect
# using any PostgreSQL user name, including the superuser, over either
# Unix-domain sockets or TCP/IP. If you are on a multiple-user
# machine, the default configuration is probably too liberal for you.
# Change it to use something other than "trust" authentication.
#
# If you want to allow non-local connections, you need to add more
# "host" records. Also, remember TCP/IP connections are only enabled
# if you enable "tcpip_socket" in postgresql.conf.

# TYPE DATABASE USER IP-ADDRESS IP-MASK METHOD

local all all trust
host all all 127.0.0.1 255.255.255.255 trust

# Using sockets credentials for improved security. Not available everywhere,
# but works on Linux, *BSD (and probably some others)

local all all ident sameuser
 
Old 10-17-2005, 12:53 PM   #2
trevelluk
Member
 
Registered: Nov 2003
Location: Bristol, UK
Distribution: Debian Lenny, Gentoo (at work)
Posts: 388

Rep: Reputation: 32
The "trust" authentication method is the problem here. This does allow unconditional access without a password being supplied. You'll need to change this to one of the authentication methods described in http://www.postgresql.org/docs/7.3/i...tication.html. Using md5 will probably provide the best security.
 
Old 12-07-2005, 11:42 PM   #3
aarajthomas
LQ Newbie
 
Registered: Apr 2004
Location: Tamil Nadu
Distribution: Redhat
Posts: 15

Original Poster
Rep: Reputation: 0
Thanks i am not able to get the link which you have given. If u r able to get, please send in this forum itself.
 
Old 12-08-2005, 09:00 AM   #4
trevelluk
Member
 
Registered: Nov 2003
Location: Bristol, UK
Distribution: Debian Lenny, Gentoo (at work)
Posts: 388

Rep: Reputation: 32
The available authentication methods are:

trust : always allow the connection, do not check password
reject : always reject the connection, do not check password
md5 : Require an MD5 encrypted password from the client (this is the preferred method for insecure networks).
crypt : Like md5, but using less secure encryption. Required for compatibility with client versions < 7.2
password : Like md5, but the password is not encrypted.
krb4 : Use Kerberos V4 authentication (only available for TCP/IP connections)
krb5 : Like krb4, but with Kerberos V5
ident : Perform authentication using the OS user names.
pam : Use the PAM service to authenticate.

I'd suggest changing the "trust" sections of the file to "md5", for a fairly secure system. If this causes problems, you could also try "password", which should be secure enough since you're only connecting locally.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem with Postgres Database Connection anjani.78 Linux - Software 1 10-07-2005 03:06 AM
postgres+syslogng+logrotation problem emailssent Linux - General 8 04-11-2005 06:27 PM
Postgres Hiper1 Linux - Newbie 8 04-10-2005 06:43 PM
php postgres problem Xing Linux - Software 3 03-08-2004 01:22 PM
Postgres installation initdb problem bruce64 Linux - Software 3 10-16-2003 02:55 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:00 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration